tridge | 1 Jun 01:06 2004

Re: se-samba

Russell,

One thing to be careful of is to distinguish the right design for a
se-linux enabled Samba in Samba3 and Samba4. The design of Samba3 is
quite different from Samba4, and the approach taken needs to be
correspondingly different. The design that Luke proposes is closely
tied to Samba3, as that is what he is familiar with. Samba-tng uses
the same basic design for file sharing as Samba3, as it is based on
the same code.

The main features of the Samba4 design that are relevant to you are:

 - backend isolation. Samba4 uses a "NTVFS" layer, which takes the
   place of the old VFS layer in Samba3. All POSIX/Unix filesystem
   assumptions are isolated into the backends behind this layer, so
   for example uid_t and gid_t will only appear in these backends. 

 - The core code makes no calls to seteuid() at all. So if you write
   your own NTVFS backend you can choose not to use seteuid() if you
   don't want to. 

 - async backends. On a per-call basis the backends can choose to
   answer synchronously or asynchronously. This allows you
   considerable flexibility in how you dispatch operations. It also
   solves the NT threads problem that Luke mentioned.

 - flexible process models. Samba4 comes with 3 process models,
   selectable at runtime, and you could potentially add another
   process model if you want to. The default models are "single" (with
   everything in one process), "standard" (a process per connection),
(Continue reading)


Re: se-samba

On Tue, Jun 01, 2004 at 09:06:18AM +1000, tridge <at> samba.org wrote:
> Russell,
> 
> One thing to be careful of is to distinguish the right design for a
> se-linux enabled Samba in Samba3 and Samba4. The design of Samba3 is
> quite different from Samba4, and the approach taken needs to be
> correspondingly different. The design that Luke proposes is closely
> tied to Samba3, as that is what he is familiar with. Samba-tng uses
> the same basic design for file sharing as Samba3, as it is based on
> the same code.
> 
> The main features of the Samba4 design that are relevant to you are:
> 
>  - backend isolation. Samba4 uses a "NTVFS" layer, which takes the
>    place of the old VFS layer in Samba3. All POSIX/Unix filesystem
>    assumptions are isolated into the backends behind this layer, so
>    for example uid_t and gid_t will only appear in these backends. 

 the NTVFS layer sounds like an idea that i recommended back in
 mid-to-end 1999.

 the idea was rejected by jeremy on the grounds that samba is
 a unix file/print sharer, and therefore it is necessary to
 move to unix filesystem semantics as soon as possible
 (including converting all file names to unix unicode).

 i didn't dare to contradict jeremy when he began to impose
 the same logic on the samba tng NT-style services design,
 most of which have absolutely nothing to do with a unix
 filesystem [i.e. they can be implemented in databases etc.]
(Continue reading)

Andrew Bartlett | 1 Jun 02:07 2004

Re: Patch: System keytab usage improvements

On Tue, 2004-06-01 at 08:20, Dan Perry wrote:
> Hi all,
> 
> Here is a patch to samba-3.0.5pre1 that enables use of a file system keytab,
> and enhances keytab functionality.   You can download the patch from here:
> 
> http://www.pppl.gov/~dperry/patches/keytab.v5.samba-3.0.5pre1.diff
> 
> This patch is a combination of the previous patches I've submitted, and
> applying it will do the following things:

Thanks for keeping up with this.  This is an important set of patches,
and I'm sorry it's taken so long.

> - adds a set of 'net ads keytab' commands
> 
> - makes 'net ads join' write out a keytab with, at minimum, host and cifs
> entries, to the default system keytab.
> 
> - makes 'net ads changetrustpw' update all entries in the system keytab when
> the password is changed.
> 
> - determines the kvno from a windows 2003 domain controller by doing an ldap
> lookup.   The kvno for a 2000 domain is always 0.
> 
> - uses a fully qualified domain name for the keytab entries, instead of a
> netbios style name.

Thanks.

(Continue reading)

Jeremy Allison | 1 Jun 02:15 2004

Re: se-samba

On Mon, May 31, 2004 at 10:49:11PM +1000, Russell Coker wrote:
> 
> I'll probably be meeting Tridge in ~40 hours.  If you have any suggestions of 
> things that I should discuss with him then please send them to me by private 
> email ASAP.

Russell,

	Tridge's suggestion is correct. The changes you need
are probably too great for Samba3, and now is a good time to
get them implemented into the Samba4 design.

Sorry for not replying earlier, but tridge and I tend to stay
out of discussions Luke is involved in for historical reasons.

Talking to tridge and, on the main samba-technical mailing
list about your requirements is the best course. Luke hasn't
participated in Samba design or coding for many years now
and his knowledge in that area is not current.

We can have much more productive discussions on samba-technical,
and I've trimmed the tng mailing lists from this reply.

Cheers,

	Jeremy.

Dan Perry | 1 Jun 04:16 2004

RE: Patch: System keytab usage improvements

>
> Why only kvno -1?  Could we not need keys even older than that?
>

As per http://support.microsoft.com/default.aspx?scid=kb;en-us;325850
"When two computers try to authenticate with each other and a change to the
current password is not yet received, Windows relies on the previous
password.  If the sequence of password changes exceeds two changes, the
computers involved may not be able to communicate, and you may receive error
messages. "

By keeping kvno and kvno - 1 I was trying to duplicate the Windows behavior
exactly.  Of course, there's no technical reason to limit this, aside from
the fact that the more passwords/kvnos you keep around, the more entries
functions like kerberos_verify() will need to run through
until they find a match.   Keeping every entry around could slow things down
after many password changes.   Keeping kvno and kvno - 1 seems like a
reasonable limit.   Of course, the best way to do this would be to timestamp
each entry and remove it after say a week.   Doing that would probably
involve a structure in the secrets.tdb and having a daemon like smbd keep
things tidy.

> > - makes smbd's kerberos_verify() routine check the default system keytab.
> > Since the default system keytab will have entries with the current kvno and
> > kvno - 1, as per the comment above, this allows smbd to use the older
> > kvno -1 keytab entry and prevents a machine password change from interrupting
> > exist
(Continue reading)

Andrew Bartlett | 1 Jun 04:47 2004

RE: Patch: System keytab usage improvements

On Tue, 2004-06-01 at 12:16, Dan Perry wrote:

I certainly would not keep anything more than kvno - 2 or a week, but
let's just do kvno -1 for now, we can always fix it later.

> Like I mentioned above, things will probably head towards using secrets.tdb
> eventually.   However, this patch is getting kind of big already.  Perhaps
> maybe using secrets.tdb could come after the patch at hand is merged.  I'd be
> happy to work on getting secrets.tdb to store a better keytab structure...

OK.  It's just easier to extract these things when we can hold a patch
over their heads ;-)

> Upon re-reading the email I sent, perhaps I should explain the changes my
> patch makes to kerberos_verify() a little more clearly.   The patch does not
> create a situation in which kerberos_verify would break, by changing
> kerberos_verify() to be keytab only.   The patched kerberos_verify() works
> like this:
> 
> 	FIRST PASS - checks the keys in the keytab, if it even exists.   If a
> key works, great, the session succeeds.
> 
> 	SECOND PASS - if the keys in the keytab fail, (for example if the
> keytab doesn't exist, the system admin doesn't have a correct reverse dns
> zone, etc.)  Then kerberos_verify() tries to use the machine password from
> secrets.tdb to make keys, just like the function did before the patch was
> applied.  
> 
> 	THIRD PASS - nothing left to try, NT_STATUS_ACCESS_DENIED is
> returned.
(Continue reading)
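The retention rule (keep kvno and kvno - 1) and the three-pass lookup order described in Dan Perry's quoted message can be modelled in a few dozen lines. The following is an added example written for this page, not Samba's own code: `derive_key` is a stand-in hash rather than Kerberos string2key, the `keytab`/`secrets` structs are toy replacements for the system keytab and secrets.tdb, and `change_trust_password` and `kerberos_verify_model` are hypothetical names. Passing a NULL keytab models the "keytab doesn't exist" case that sends the check to the second pass.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYTAB_MAX 8          /* constructed limit for the toy keytab */

typedef enum {
    VERIFY_OK_KEYTAB = 0,     /* first pass: a keytab entry matched */
    VERIFY_OK_SECRETS = 1,    /* second pass: key derived from secrets.tdb matched */
    VERIFY_ACCESS_DENIED = 2  /* third pass: nothing left to try */
} verify_status;

struct keytab_entry { int kvno; uint32_t key; };
struct keytab { struct keytab_entry e[KEYTAB_MAX]; int n; };

/* stand-in for the machine account record kept in secrets.tdb */
struct secrets { int kvno; const char *machine_pw; };

/* Stand-in key derivation (FNV-1a over the password). Hypothetical:
   real Kerberos uses string2key with the principal's salt. */
static uint32_t derive_key(const char *pw)
{
    uint32_t h = 2166136261u;
    for (; *pw; pw++) { h ^= (unsigned char)*pw; h *= 16777619u; }
    return h;
}

static int keytab_has_kvno(const struct keytab *kt, int kvno)
{
    for (int i = 0; i < kt->n; i++)
        if (kt->e[i].kvno == kvno) return 1;
    return 0;
}

/* Retention policy from the thread: keep only kvno and kvno - 1. */
static void keytab_prune(struct keytab *kt, int current_kvno)
{
    int kept = 0;
    for (int i = 0; i < kt->n; i++)
        if (kt->e[i].kvno >= current_kvno - 1) kt->e[kept++] = kt->e[i];
    kt->n = kept;
}

/* Model of a trust password change: bump kvno, store the new password,
   append a keytab entry for it, then prune entries older than kvno - 1. */
static int change_trust_password(struct keytab *kt, struct secrets *s, const char *new_pw)
{
    if (kt->n >= KEYTAB_MAX) return -1;
    s->kvno += 1;
    s->machine_pw = new_pw;
    kt->e[kt->n].kvno = s->kvno;
    kt->e[kt->n].key = derive_key(new_pw);
    kt->n++;
    keytab_prune(kt, s->kvno);
    return 0;
}

/* Three-pass check as described in the thread. ticket_kvno and ticket_key
   stand for the kvno named in the service ticket and the key that encrypted
   it. kt == NULL models "the keytab doesn't exist". */
static verify_status kerberos_verify_model(const struct keytab *kt, const struct secrets *s,
                                           int ticket_kvno, uint32_t ticket_key)
{
    /* FIRST PASS: the keytab entries, if the keytab exists at all */
    if (kt != NULL)
        for (int i = 0; i < kt->n; i++)
            if (kt->e[i].kvno == ticket_kvno && kt->e[i].key == ticket_key)
                return VERIFY_OK_KEYTAB;

    /* SECOND PASS: derive a key from the machine password in secrets.tdb;
       only the current password lives there, so older kvnos cannot match */
    if (s->machine_pw != NULL && derive_key(s->machine_pw) == ticket_key)
        return VERIFY_OK_SECRETS;

    /* THIRD PASS: nothing left to try */
    return VERIFY_ACCESS_DENIED;
}

int main(void)
{
    struct keytab kt = { {{0, 0}}, 0 };
    struct secrets s = { 0, NULL };

    /* constructed sequence of three password changes: kvno 1, 2, 3 */
    change_trust_password(&kt, &s, "pw-one");
    change_trust_password(&kt, &s, "pw-two");
    change_trust_password(&kt, &s, "pw-three");

    printf("entries kept: %d (kvno 1 still present: %d)\n", kt.n, keytab_has_kvno(&kt, 1));
    printf("ticket encrypted under kvno 2: status %d\n",
           kerberos_verify_model(&kt, &s, 2, derive_key("pw-two")));
    printf("ticket encrypted under kvno 1: status %d\n",
           kerberos_verify_model(&kt, &s, 1, derive_key("pw-one")));
    return 0;
}
```

The point the model makes visible is the window the thread is discussing: a ticket issued under the previous password still verifies from the keytab after one change, while a ticket two changes old is refused on the third pass, which matches the Windows behaviour quoted from the KB article.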

raghvinder tomar | 1 Jun 07:01 2004

(no subject)



Simo Sorce | 1 Jun 11:23 2004

Re: se-samba

On Tue, 2004-06-01 at 01:29, Luke Kenneth Casson Leighton wrote:
>  can i recommend - tridge, others - that you give serious
>  consideration to writing an experimental samba 4 "NTVFS"
>  SMB proxy client plugin?

That was the first VFS available for samba4, it has been used happily
for many months now. And it's not that much experimental, it works
really well and did a great job of finding many errors in the
core of samba4 and also samba3 handling of operations.

Anyway before you ask, we also have a great test framework in samba4,
much better than what was available even in samba3.

-- 
Simo Sorce    -  idra <at> samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it


Re: se-samba

On Tue, Jun 01, 2004 at 11:23:14AM +0200, Simo Sorce wrote:
> On Tue, 2004-06-01 at 01:29, Luke Kenneth Casson Leighton wrote:
> >  can i recommend - tridge, others - that you give serious
> >  consideration to writing an experimental samba 4 "NTVFS"
> >  SMB proxy client plugin?
> 
> That was the first VFS available for samba4, it has been used happily
> for many months now. And it's not that much experimental, it works
> really well and made a great job into finding out many errors in the
> core of samba4 and also samba3 handling of operations.

 brilliant!  excellent!

 that's actually _really_ good news.

 okay, so now it is possible to use that as the front-end for
 se-samba(4), and to run against a samba(3) server as the back-end!

 GREAT.

 okay, got a question for you.

 how does the samba4 smb client VFS proxy handle multiple
 TConX's over the same SMBsessionX?

 does it:

 a) try to multiplex them onto the same smb client connection?

 b) create a NEW smb client tcp connection over to the back-end
(Continue reading)

Faisal Nasim | 1 Jun 13:31 2004

Email address has changed [auto-generated]

[ This is an automatically generated message ]

Hey there!!

Due to excessive amounts of spam, I've closed this mailbox! My email has changed to WHIZKID <at> NASIM.ORG

Please email me there!

Thank you.

Regards,

Faisal Nasim

P.S. This email is sent to everyone who sends a message at faisal <at> nasim.org. If you didn't send a message,
please check your system for viruses.

