[illumos-Developer] [REVIEW] 1121 smbsrv should use SPNEGO (outbound authentication)

Albert Lee trisk at opensolaris.org
Fri Jun 17 07:21:10 PDT 2011


On Fri, Jun 17, 2011 at 9:44 AM, Gordon Ross <gordon.w.ross at gmail.com> wrote:
> On Fri, Jun 17, 2011 at 8:36 AM, Albert Lee <trisk at opensolaris.org> wrote:
>> Some observations, although this looks correct as it is:
>
> Thanks for having a look.
>
>> usr/src/lib/smbsrv/libmlsvc/common/dssetup_clnt.c:91: Don't need to
>> bzero here, dssetup_get_domain_info clobbers it.
>
> OK.  The previous code had that.  I mostly reverted that to
> an earlier revision.  Not sure that's worth changing...(?)
>

Probably not.

> Just wanted to get rid of mlsvc_echo, which would be
> somewhat harder to implement with libsmbfs/netsmb.
>
>> usr/src/lib/smbsrv/libmlsvc/common/smbrdr_glue.c:65: Only
>> smbrdr_logon() caller remaining is SMB_DR_JOIN ... ->
>> smbd_join_domain->mlsvc_join. That could be replaced with direct usage
>> of smbrdr_ctx_new() and passing the ctx around.
>
> Yes I could, but I'd prefer to keep the knowledge of the
> smb_ctx thing restricted to the mlsvc_glue.c code.
>

It's already exposed to libmlsvc since ndr_rpc_bind uses it. You could
inline the smbrdr_login block in mlsvc_join and have a smb_ctx used
only within the scope of mlsvc_join.

> A better way to deal with the smb_ctx stuff would be to
> keep a "net use" table* somewhere, preferably in the
> code that manages connections to AD servers.
> (* A "net use" table is a Windows concept.  It's a
> list of all your "connected trees", a.k.a mounts.)
> In Windows, the "netlogon" module does this job.
> It needs to keep track of connections to AD servers
> for each "domain of interest" anyway.
>
> We don't have a real netlogon module yet.  (Well,
> we sort of do, but it's kind of spread around...)
> I do plan to work on that, but it may be a while.
>

That sounds good.

>> usr/src/lib/smbsrv/libmlsvc/common/smbrdr_glue.c:118: ndr_rpc_bind()
>> is passed the username MLSVC_ANON_USER ("IPC$") in a couple of
>> places, also whatever is returned by mb_ipc_get_user().
>
> Thanks.  I guess I could change those, or just remove the
> XXX comment.
>

You'd probably know better than I why MLSVC_ANON_USER exists if you
always have to replace it with the empty string.

-Albert
