Hello all,

We use SAMBA to serve AFS files to our MS Windows computers. This
usually works well, but I sporadically got complaints from
users of our NT Terminal Server (a multiuser WINDOWS NT machine)
that they could no longer access their AFS files after a while.
(Normal token expiry is not the reason).
Btw, this is samba v2.0.6, the OS is Tru64 v4.0D, AFS is v3.5.

In order to investigate this phenomenon, I instrumented the SAMBA
smbd daemon to log the UNIX groups and the tokens. This is what
I learned:

If two users concurrently use the same SAMBA server from the
same (NT Terminal Server) client, but with different user
logins, they are both served by the same server process.
In order to do this, smbd (running with RUID=0) switches the
euid and the UNIX groups according to the connection currently
being used. Here is an illustration:

user1 connects to smbd and authenticates
    smbd sets EUID according to user1
    does initgroups, thus establishing the usual list of
    UNIX groups
    invokes ka_UserAuthenticateGeneral(
        KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG,...)
    which creates a new PAG, associates an AFS token with it,
    and adds two new groups to the list.
    smbd then determines the EUID and the group list (with getgroups(2))
    and stores them in a structure associated with the user1 connection.

user2 connects to smbd and authenticates
    smbd determines the EUID and group list like above, thereby creating
    a new PAG with an AFS token for user2.

user1 issues a SMB request
    smbd sets the EUID and groups according to the information associated
    with the user1 connection. Since this restores also the GIDs
    that determine the PAG, the smbd process (usually) has now
    the AFS token for user1 and can serve the request.

However, sometimes, the token seems to be lost. Unless I overlooked
it, smbd never intentionally forgets a token.

Thus, my question to the AFS experts: Is the above method a supported
way to switch PAGs? Or could the cache manager perhaps destroy a
credential structure when it determines that no process is actually
associated with it?

There is another potential issue with this method for switching user contexts:
according to my tests, the krbtgt token is not associated with the PAG.
So, in the above scenario, when user2 authenticates, the krbtgt token
for user1 is overwritten, and when the SMB request for user1 is served,
smbd has the krbtgt for user2. Since smbd does not make any use of
this token, I assume that this is not a security problem. Am I right here?

Regards,
Hans
--
Hans Ranke [EMAIL PROTECTED]
Lehrstuhl fuer Entwurfsautomatisierung
Institute for Electronic Design Automation
Technische Universitaet Muenchen, Germany
Phone +49 89 289 23660 Fax +49 89 289 63666
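
The following is an added example, not part of the original message and not smbd's code: a small C helper of the kind that could be used to log and check the per-connection context described above, so that a lost token can be told apart from a group list that was not restored intact. The struct and function names are hypothetical, and it assumes only the standard geteuid(2) and getgroups(2) calls.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#define MAX_GROUPS 64            /* assumed bound for this sketch */
/* Hypothetical per-connection record of what smbd is described as saving. */
struct conn_ctx { uid_t euid; int ngroups; gid_t groups[MAX_GROUPS]; };

/* Capture the process's current EUID and group list; 0 on success. */
int ctx_snapshot(struct conn_ctx *c)
{
    c->euid = geteuid();
    c->ngroups = getgroups(MAX_GROUPS, c->groups);
    return c->ngroups < 0 ? -1 : 0;
}
static int has_gid(const struct conn_ctx *c, gid_t g)
{
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

/* Groups in `after` that are not in `before`, i.e. what the PAG-creating
 * call added between two snapshots. Returns how many were written to out. */
int ctx_added_groups(const struct conn_ctx *before,
                     const struct conn_ctx *after, gid_t *out, int max)
{
    int n = 0;
    for (int i = 0; i < after->ngroups && n < max; i++)
        if (!has_gid(before, after->groups[i])) out[n++] = after->groups[i];
    return n;
}

/* Compare the live context with a connection's saved record.
 * Returns -1 on EUID mismatch, else the number of saved groups missing. */
int ctx_verify(const struct conn_ctx *saved, const struct conn_ctx *live)
{
    int missing = 0;
    if (saved->euid != live->euid) return -1;
    for (int i = 0; i < saved->ngroups; i++)
        if (!has_gid(live, saved->groups[i])) missing++;
    return missing;
}

int main(void)
{
    struct conn_ctx now;
    if (ctx_snapshot(&now) != 0) { perror("getgroups"); return 1; }
    printf("euid=%ld ngroups=%d self-check=%d\n",
           (long)now.euid, now.ngroups, ctx_verify(&now, &now));
    return 0;
}
```

If ctx_verify reports 0 at the moment a request fails for lack of a token, the EUID and the PAG groups were restored as saved and the loss lies on the cache manager side rather than in the context switch.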