Michael B Allen | 1 Oct 2005 02:33

Re: Non-UNIX permission models (resent)

On Thu, 29 Sep 2005 16:25:47 +0200
Andreas Gruenbacher <agruen@suse.de> wrote:

> Very briefly put, I believe that we need a few small changes at the VFS 
> (virtual filesystem) layer, and with those, the CIFS and other permission 
> models can be implemented at the low-level filesystem layer relatively 
> easily. I'm thinking of allowing the user to choose a permission model per 
> mount.

To be honest I'm not clear about what you're trying to do but it seems
to me this would only help with maybe the SACL whereas I don't see a
terrible problem with just storing the DACL using xattrs.

Actually permissions are only half the problem if you can only check
them against a uid and some gids. Meaning, Linux could greatly benefit
from a more sophisticated *security context*. We need something to store
credentials. This would alleviate a lot of the desktop annoyances like
keychains, ssh-agent, and sudo but it would also assist with server
implementations.

Specifically, there could be partially opaque credential and principal
types. Then a list of credentials can be associated with the process
constituting the Kernel Security Context for a process. Userspace
programs can then employ the kernel to perform access checks, retrieve
shared secrets, etc. Modules could implement the different credential
types. The userspace / kernelspace transfer might be as simple as doing
GSSAPI over an AF_LOCAL socket (like SCM_CREDENTIALS).

Just a thought,
Mike
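The kernel-verified credential passing Mike alludes to with SCM_CREDENTIALS, as an added example that is not part of his mail or of any Samba code: an SCM_CREDENTIALS exchange over an AF_UNIX (AF_LOCAL) socketpair in C. The kernel checks the pid/uid/gid the sender claims (an unprivileged process may only claim its own), so the receiving side can rely on them without a password or shared secret, which is the property a "kernel security context" would build on. The function names are this example's own; it runs on Linux (struct ucred, SO_PASSCRED) and uses a socketpair inside one process in place of a client and a daemon.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Buffer large enough for one SCM_CREDENTIALS control message, correctly aligned. */
union cred_cmsg {
    char buf[CMSG_SPACE(sizeof(struct ucred))];
    struct cmsghdr align;
};

/* Send one payload byte with an SCM_CREDENTIALS ancillary message attached.
 * The kernel validates the claimed pid/uid/gid against the sender's real
 * credentials, so the receiver may trust what arrives. Returns 0 on success. */
static int send_with_creds(int fd)
{
    char payload = 'c';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    struct ucred creds = { .pid = getpid(), .uid = getuid(), .gid = getgid() };
    union cred_cmsg u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    memset(&u, 0, sizeof(u));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_CREDENTIALS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(creds));
    memcpy(CMSG_DATA(cmsg), &creds, sizeof(creds));
    return sendmsg(fd, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one message and copy out the kernel-supplied credentials.
 * SO_PASSCRED must already be enabled on fd. Returns 0 on success. */
static int recv_creds(int fd, struct ucred *out)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union cred_cmsg u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);
    if (recvmsg(fd, &msg, 0) != 1)
        return -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_CREDENTIALS &&
            cmsg->cmsg_len == CMSG_LEN(sizeof(*out))) {
            memcpy(out, CMSG_DATA(cmsg), sizeof(*out));
            return 0;
        }
    }
    return -1;   /* no credentials were attached */
}

/* Run the exchange over an AF_UNIX socketpair inside this process and return 1
 * if the credentials the receiver saw match the sender's real identity. */
int creds_roundtrip_matches(void)
{
    int sv[2], one = 1, ok = 0;
    struct ucred seen;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    /* The receiving side must opt in, or the kernel strips the control message. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) == 0 &&
        send_with_creds(sv[0]) == 0 && recv_creds(sv[1], &seen) == 0)
        ok = (seen.pid == getpid() && seen.uid == getuid() && seen.gid == getgid());
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("kernel-verified peer credentials %s\n",
           creds_roundtrip_matches() ? "match the sender" : "did not arrive");
    return 0;
}
```

The point for a daemon on the receiving end is that the uid it acts on comes from the kernel, not from a string the client typed; a real service would additionally check the uid against its own policy before doing anything on the caller's behalf.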

Andrew Bartlett | 1 Oct 2005 02:57

Re: Non-UNIX permission models (resent)

On Thu, 2005-09-29 at 16:25 +0200, Andreas Gruenbacher wrote:
> Hello,

> (It seems that the VFS could provide a CIFS permission model implementation 
> that only uses extended attribute inode operations, so multiple filesystems 
> could use the same implementation rather than having to duplicate the same 
> code, even though logically it would be a filesystem-level feature. This is 
> similar to how the current permission inode operation works.)

This is the key point, I certainly do not want to see a world where
NTACLS are a bolt on to ext3, but not tmpfs, and reiser but not xfs.  It
would cause mayhem in the userbase.  Much easier to manage is 'FS must
support extended attributes', which we seem to be getting thanks to the
SELinux push.

Likewise it would be a nice bonus if the CIFS VFS just passed the NT ACL
right to the target server, even if I currently disagree with the way
the enforcement is done (locally).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Volker Lendecke | 2 Oct 2005 02:02

[PATCH] fire multiple connects at the same time

Hi!

My NT4PDC gives me a timeout before either rejecting or accepting a tcp
connection, no idea why. The attempt to first connect 445 doubles that
timeout, so I thought I might write a little function that fires two
connections at once.

It has taken much longer than I thought (look at the timestamp of this
mail...), but I think now it works. I can now see why abartlet says that the
composite stuff makes his head spin. But it's a good exercise for winbind
which needs it much more: connect to all dcs at the same time.

I'm not committing it because it's so late....

Thanks,

Volker
Index: winbind/wb_samba3_cmd.c
===================================================================
--- winbind/wb_samba3_cmd.c	(Revision 10675)
+++ winbind/wb_samba3_cmd.c	(Arbeitskopie)
 <at>  <at>  -164,7 +164,8  <at>  <at> 
 	cli_credentials_set_conf(state->conn->in.credentials);
 	cli_credentials_set_anonymous(state->conn->in.credentials);

-	ctx = smb_composite_connect_send(state->conn, s3call->call->event_ctx);
+	ctx = smb_composite_connect_send(state->conn, state,
+					 s3call->call->event_ctx);
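Review bot: the new second argument `state` passed to `smb_composite_connect_send()` is the only visible change in this hunk and nothing here says what it is for (a talloc parent for the returned composite context, going by how it is used), so the patch description should state that and what lifetime it implies; the hunk also ends before `ctx` is examined, so make sure the existing NULL check on `ctx` (if any) still follows the call, since a composite hung off `state` now has to be torn down when `state` goes away.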
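Volker's idea of firing two connects at once and taking whichever finishes first, as an added example that is not his patch or Samba code: a small select()-based racer in plain C that starts non-blocking connects to several ports in parallel, keeps the first one that completes and closes the rest, so a port that times out no longer adds its full timeout to the one that would have worked (the 445-then-139 doubling described above). It generalises from two ports to a small list. The loopback ports are constructed by the demo itself (one bound without listen() to stand in for a port that refuses, one real listener standing in for the reachable SMB port); the function names and the eight-socket cap are this example's own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Begin a non-blocking TCP connect to 127.0.0.1:port; returns the socket or -1. */
static int start_connect(uint16_t port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0)
        return -1;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0 && errno != EINPROGRESS) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fire connects to every port at once and wait up to timeout_ms for the first
 * to complete. Returns the index of the winning port and stores its connected
 * socket in *winner_fd; returns -1 (with *winner_fd = -1) when every attempt
 * was refused or the timeout expired. Losing sockets are always closed. */
int connect_race(const uint16_t *ports, int nports, int timeout_ms, int *winner_fd)
{
    int fds[8], pending = 0, result = -1;          /* at most 8 parallel attempts */
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };

    if (nports > 8)
        nports = 8;
    for (int i = 0; i < nports; i++)
        if ((fds[i] = start_connect(ports[i])) >= 0)
            pending++;

    while (pending > 0 && result < 0) {
        fd_set wfds;
        int maxfd = -1;

        FD_ZERO(&wfds);
        for (int i = 0; i < nports; i++)
            if (fds[i] >= 0) {
                FD_SET(fds[i], &wfds);
                maxfd = fds[i] > maxfd ? fds[i] : maxfd;
            }
        /* Linux decrements tv in place, so the timeout is cumulative over the loop. */
        if (select(maxfd + 1, NULL, &wfds, NULL, &tv) <= 0)
            break;
        for (int i = 0; i < nports && result < 0; i++) {
            int err = 0;
            socklen_t len = sizeof(err);

            if (fds[i] < 0 || !FD_ISSET(fds[i], &wfds))
                continue;
            /* Writable means the connect finished; SO_ERROR says whether it succeeded. */
            if (getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0) {
                result = i;
            } else {                               /* e.g. ECONNREFUSED: drop this attempt */
                close(fds[i]);
                fds[i] = -1;
                pending--;
            }
        }
    }
    for (int i = 0; i < nports; i++)
        if (fds[i] >= 0 && i != result)
            close(fds[i]);
    *winner_fd = result >= 0 ? fds[result] : -1;
    return result;
}

/* Bind a loopback socket on a kernel-chosen port and return that port. */
static uint16_t bind_loopback(int fd)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    socklen_t len = sizeof(sa);

    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    getsockname(fd, (struct sockaddr *)&sa, &len);
    return ntohs(sa.sin_port);
}

/* Constructed demo: port 0 of the race is bound but never listen()ed, so its
 * connect is refused; port 1 is a real listener standing in for the reachable
 * SMB port. Returns the winning index, which should be 1. */
int demo_local_race(void)
{
    int dead = socket(AF_INET, SOCK_STREAM, 0);
    int lsock = socket(AF_INET, SOCK_STREAM, 0);
    uint16_t ports[2] = { bind_loopback(dead), bind_loopback(lsock) };
    int winner_fd, idx;

    listen(lsock, 1);
    idx = connect_race(ports, 2, 2000, &winner_fd);
    if (winner_fd >= 0)
        close(winner_fd);
    close(lsock);
    close(dead);
    return idx;
}
```

The detail that bit Volker's first attempt is visible here: a writable socket after a non-blocking connect only means the attempt finished, and SO_ERROR has to be read to learn whether it connected or was refused, otherwise a refused port can be mistaken for the winner.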

Volker Lendecke | 3 Oct 2005 01:47

talloc hierarchy / async stuff?

Hi!

Attached find a patch that is half-way to get the machine account checking
done. (wbinfo -t). Not fully pretty yet, but it gets through to the
reqchallenge, doing the auth2 should be just cut&paste from somewhere else..

I've got some problem here though. If you patch the current samba4 and look at
wb_samba3_cmd.c:104, I have to hang the dcerpc pipe to "somewhere else", where
it sticks.

If I don't do that, I seem to have some recursion due to half-asyncness of the
dcerpc closing.

I'd like to just drop the pipe when the winbind client ends. What I see on the
command line is a varying number of

single_terminate: reason[NT_STATUS_END_OF_FILE]

that seems to come from the wbsrv receiving event handler called from the
inner loop of the pipe destructor. If I talloc_free() the pipe at that point I
get segfaults for similar reasons.

How should I correctly close the pipe when the client has ended?

This mail is maybe not too exact, it would probably be best if someone who has
some experience with the async stuff could just run it. I'll be on irc
tomorrow (Monday, 3.10.).

Volker

Volker Lendecke | 3 Oct 2005 10:00

Re: talloc hierarchy / async stuff?

On Mon, Oct 03, 2005 at 01:47:31AM +0200, Volker Lendecke wrote:

> Attached find a patch that is half-way to get the machine account checking
> done. (wbinfo -t). Not fully pretty yet, but it gets through to the
> reqchallenge, doing the auth2 should be just cut&paste from somewhere else..

Just found that I had forgotten to "svn add" a file.

New patch attached.

Volker
Index: winbind/wb_samba3_cmd.c
===================================================================
--- winbind/wb_samba3_cmd.c	(Revision 10677)
+++ winbind/wb_samba3_cmd.c	(Arbeitskopie)
 <at>  <at>  -32,6 +32,7  <at>  <at> 
 #include "libcli/composite/composite.h"
 #include "libcli/smb_composite/smb_composite.h"
 #include "include/version.h"
+#include "librpc/rpc/dcerpc_composite.h"

 NTSTATUS wbsrv_samba3_interface_version(struct wbsrv_samba3_call *s3call)
 {
 <at>  <at>  -77,11 +78,53  <at>  <at> 
 	return NT_STATUS_OK;
 }

+#define null_no_memory_done(x) do { \
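Review bot: the `null_no_memory_done(x)` macro at the top of this hunk hides a jump to a `done` label (and, going by its name, setting a NT_STATUS_NO_MEMORY result) inside a macro, so every function that uses it must declare a label and a status variable with exactly the names the macro expects; the macro body is cut off in this mail, so those names cannot be checked here. Add a one-line comment above the `#define` stating the label and variable it relies on, or spell the check out at each call site as `if (x == NULL) { status = NT_STATUS_NO_MEMORY; goto done; }` so the control flow stays visible.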

Brian Moran | 3 Oct 2005 22:00

Bug 2874 - Password change -- Wbinfo and Winbind allow BOTH OLD & NEW passwords to work..

One of our employees is seeing that BOTH old and new passwords work just
after he's changed his password on the domain...

<Change domain password on domain to which his Linux workstation is
joined>

wbinfo -a CORP+aglabek%<new password>

challenge/response password authentication succeeded

wbinfo -a CORP+aglabek%<old password>

challenge/response password authentication succeeded

wbinfo -a CORP+aglabek%<some random characters (bad password)>

challenge/response password authentication failed

Looks like this is the same as 2874. What additional information is
required to verify and squash this one?

Brian Moran

Centeris Corporation

15405 SE 37th St.     Bellevue, WA  98006

425-378-7887 

206-390-4376 cell

Jeremy Allison | 3 Oct 2005 22:11

Re: Bug 2874 - Password change -- Wbinfo and Winbind allow BOTH OLD & NEW passwords to work..

On Mon, Oct 03, 2005 at 04:00:17PM -0400, Brian Moran wrote:
> One of our employees is seeing that BOTH old and new passwords work just
> after he's changed his password on the domain...
>
> <Change domain password on domain to which his Linux workstation is
> joined>
>
> wbinfo -a CORP+aglabek%<new password>
>
> challenge/response password authentication succeeded
>
> wbinfo -a CORP+aglabek%<old password>
>
> challenge/response password authentication succeeded
>
> wbinfo -a CORP+aglabek%<some random characters (bad password)>
>
> challenge/response password authentication failed
>
> Looks like this is the same as 2874. What additional information is

Brian Moran | 3 Oct 2005 23:19

RE: Bug 2874 - Password change -- Wbinfo and Winbind allow BOTH OLD & NEW passwords to work..

Excellent! Log.wb-* as well as an ethereal dump has been uploaded. We
can duplicate this 100% of the time.

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org] 
Sent: Monday, October 03, 2005 1:11 PM
To: Brian Moran
Cc: samba-technical@samba.org
Subject: Re: Bug 2874 - Password change -- Wbinfo and Winbind allow BOTH
OLD & NEW passwords to work..

> Debug level 10 log from winbindd. I wonder if it's authenticating
> against a pdc and bdc which haven't replicated yet, or it's password
> history....
>
> Jeremy.

Andrew Bartlett | 3 Oct 2005 23:30

Re: Bug 2874 - Password change -- Wbinfo and Winbind allow BOTH OLD & NEW passwords to work..

On Mon, 2005-10-03 at 13:11 -0700, Jeremy Allison wrote:
> On Mon, Oct 03, 2005 at 04:00:17PM -0400, Brian Moran wrote:
> > One of our employees is seeing that BOTH old and new passwords work just
> > after he's changed his password on the domain...
> >
> > Looks like this is the same as 2874. What additional information is
> > required to verify and squash this one?
> 
> Debug level 10 log from winbindd. I wonder if it's authenticating
> against a pdc and bdc which haven't replicated yet, or it's password
> history....

That will be the bit to test, I'll see if I can add it to my
RPC-SAMLOGON test.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Andrew Bartlett | 4 Oct 2005 03:04

Re: Bug 2874 - Password change -- Wbinfo and Winbind allow BOTH OLD & NEW passwords to work..

On Tue, 2005-10-04 at 07:30 +1000, Andrew Bartlett wrote:
> On Mon, 2005-10-03 at 13:11 -0700, Jeremy Allison wrote:
> > On Mon, Oct 03, 2005 at 04:00:17PM -0400, Brian Moran wrote:
> > > One of our employees is seeing that BOTH old and new passwords work just
> > > after he's changed his password on the domain...
> > >
> > > Looks like this is the same as 2874. What additional information is
> > > required to verify and squash this one?
> > 
> > Debug level 10 log from winbindd. I wonder if it's authenticating
> > against a pdc and bdc which haven't replicated yet, or it's password
> > history....
> 
> That will be the bit to test, I'll see if I can add it to my
> RPC-SAMLOGON test.

I've added tests, and it appears that old passwords are valid for a
network login, but not an 'interactive' login.  Even weirder, the old
password logins do not return a session key...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net