On Tue, 2005-04-12 at 17:07 -0700, Jeremy Allison wrote: > On Wed, Apr 13, 2005 at 08:13:34AM +1000, Andrew Bartlett wrote:
> > The reason we have not fixed this in the past is that session setups are > > usually a 'rare' event (compared with others), and we just have not seen > > (or considered) this race in the past. > > Yes that's true. I'm thinking of adding the vuid token behaviour into > Samba3 so we return something at the first sesssionsetup reply. However > we expect the subsequent packets to be continuous (we expect the next > packet to be the second part of the sessionsetup sequence, not a new > sessionsetup request). We could fix this with the out-of-order processing > we use for deferring opens, but it's nowhere near as transparent as it > is with Samba4. We should not need that - the NTLMSSP and SPNEGO code does not use piles of static variables, it's just the one context that is the problem. All you need to do is change 'global_ntlmssp_state' into something keyed off that VUID. See it's use in reply_spnego_negotiate() and reply_spnego_auth(). Just make sure you don't treat this new vuid as 'real' - I added a 'finished_sesssetup' flag on the VUID in Samba4, and use two different lookup functions, one for the rest of samba, and one for just the session setup. The next issue I need to tackle in Samba4 is that of resource consumption - too many half-completed NTLMSSP logins. But as we allow guest logins anyway, it's not much worse than can already be done. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
signature.asc
Description: This is a digitally signed message part
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
