Samba

  • AFS support


    I recently looked at Samba AFS support, and have a few questions.
    1) With the fake-kaserver support, is there a technical reason why
    setpag() isn't called before sending the AFS token? (i.e. something
    like "syscall(SYS_afs_syscall, AFSCALL_SETPAG)" just before the settok
    call in afs_settoken.c; see attached patch) I did a bit of testing with
    this patch, and had no problems. I don't know enough about afs to say
    whether or not this causes a leak somewhere, though.
    2) Is the vfs_afsacl module being worked on? Since it has a 2003
    copyright, and I had to make a few changes to make it do anything
    useable at all (mainly stripping out domain names from IDs; see attached
    patch), I would assume not. If not, is there another simple way for
    Windows users to edit ACLs without requiring a full AFS installation?
  • No.1 | | 1466 bytes | |

    Mon, Jan 23, 2006 at 09:49:51AM -0500, Thomas J. Moore wrote:
    >1) With the fake-kaserver support, is there a technical reason why
    >setpag() isn't called before sending the AFS token? (i.e. something
    >like "syscall(SYS_afs_syscall, AFSCALL_SETPAG)" just before the settok
    >call in afs_settoken.c; see attached patch) I did a bit of testing with
    >this patch, and had no problems. I don't know enough about afs to say
    >whether or not this causes a leak somewhere, though.

    We can't use PAGs because smbd has to cope with multiple users on a single
    connection. In standard setups this might not be necessary, but once you have
    terminal servers around you can't use PAGs, as smbd has to transparently su -
    to the different users. All the users of this I've seen so far at least
    potentially had terminal servers.

    >2) Is the vfs_afsacl module being worked on? Since it has a 2003
    >copyright, and I had to make a few changes to make it do anything
    >useable at all (mainly stripping out domain names from IDs; see attached
    >patch), I would assume not. If not, is there another simple way for
    >Windows users to edit ACLs without requiring a full AFS installation?

    I'll look at your patch, thanks. Not immediately, but it will stick in my inbox
    :-)

    Volker

  • No.2 | | 1713 bytes | |

    Mon, 23 Jan 2006, Volker Lendecke wrote:

    >Mon, Jan 23, 2006 at 09:49:51AM -0500, Thomas J. Moore wrote:
    >>1) With the fake-kaserver support, is there a technical reason why
    >>setpag() isn't called before sending the AFS token? (i.e. something
    >>like "syscall(SYS_afs_syscall, AFSCALL_SETPAG)" just before the settok
    >>call in afs_settoken.c; see attached patch) I did a bit of testing with
    >>this patch, and had no problems. I don't know enough about afs to say
    >>whether or not this causes a leak somewhere, though.
    >
    >We can't use PAGs because smbd has to cope with multiple users on a single
    >connection. In standard setups this might not be necessary, but once you have
    >terminal servers around you can't use PAGs, as smbd has to transparently su -
    >to the different users. All the users of this I've seen so far at least
    >potentially had terminal servers.

    I don't think this is completely true. We use setpag() with our terminal
    servers. However, they will only work if the MS hotfixes are applied. The
    fixes turn off the userid multiplexing.


    >>2) Is the vfs_afsacl module being worked on? Since it has a 2003
    >>copyright, and I had to make a few changes to make it do anything
    >>useable at all (mainly stripping out domain names from IDs; see attached
    >>patch), I would assume not. If not, is there another simple way for
    >>Windows users to edit ACLs without requiring a full AFS installation?
    >
    >I'll look at your patch, thanks. Not immediately, but it will stick in my inbox
    >:-)
    >
    >Volker
  • No.3 | | 702 bytes | |

    Mon, Jan 23, 2006 at 10:19:08AM -0700, Steve Holstead wrote:
    >I don't think this is completely true. We use setpag() with our terminal
    >servers. However, they will only work if the MS hotfixes are applied. The
    >fixes turn off the userid multiplexing.

    Yes, you can turn multiplexing off. I'm a bit afraid of activating that however
    because the protocol still allows multiple user ids over that socket, and we
    could not fulfil the corresponding requests properly. I'd be happy to do it
    with a parameter that defaults to no.

    Volker

  • No.4 | | 1820 bytes | |

    01/23/2006 01:52 PM, Volker Lendecke wrote:

    >Mon, Jan 23, 2006 at 10:19:08AM -0700, Steve Holstead wrote:
    >>I don't think this is completely true. We use setpag() with our terminal
    >>servers. However, they will only work if the MS hotfixes are applied. The
    >>fixes turn off the userid multiplexing.
    >
    >Yes, you can turn multiplexing off. I'm a bit afraid of activating that however
    >because the protocol still allows multiple user ids over that socket, and we
    >could not fulfil the corresponding requests properly. I'd be happy to do it
    >with a parameter that defaults to no.


    Sorry I brought it up -- I see now that it was already in the bugzilla
    database (#1971 resolved/wontfix). I do think that adding a run-time
    option is a good idea, but I don't think requiring users to patch their
    systems and/or set an obscure registry entry is the best route. I was
    going to suggest switching pags when switching user IDs, but the API to
    do that is not exposed (although it might be possible using similar code
    to afs_{set,get}pag_val, if the pag gc doesn't interfere). I suppose
    making samba spawn a process for different users even when managing a
    single connection would be too much to ask. A few things that might be
    nice, though, would be to actually document the "afs token lifetime"
    option in the smb.conf man page (bug #2151 was closed w/o docs), and if
    the run-time setpag option is added, perhaps also explicitly unlog on
    connection termination rather than rely on the gc or token lifetime
    (unlog would obviously only work with setpag).
  • No.5 | | 469 bytes | |

    Mon, 23 Jan 2006, Thomas J. Moore wrote:

    >I was going to
    >suggest switching pags when switching user IDs, but the API to do that is not
    >exposed (although it might be possible using similar code to
    >afs_{set,get}pag_val, if the pag gc doesn't interfere).

    I like this idea, if it is possible. I am concerned that there comes a
    time when someone will insist that multiplexing be supported and we AFS
    users are faced with a problem
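
The token-selection question this thread turns on, as an added example that is not part of the original posts or of Samba's code: a toy model in which a token is filed under the caller's PAG when it has one and under its uid otherwise. The uids, PAG numbers and function names are made up; the model compares no PAG, one PAG for the whole smbd process, and a PAG switched together with the user ID.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration: the cache manager files a token
 * under the caller's PAG when it has one, otherwise under its uid. */
struct token { int used, is_pag; unsigned key; const char *owner; };
struct proc  { unsigned euid, pag; };          /* pag == 0: not in a PAG */
static struct token table[8];

static struct token *lookup(const struct proc *p, int create)
{
    int is_pag = p->pag != 0;
    unsigned key = is_pag ? p->pag : p->euid;  /* a PAG overrides the uid */
    struct token *free_slot = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].used && table[i].is_pag == is_pag && table[i].key == key)
            return &table[i];
        if (!table[i].used && !free_slot)
            free_slot = &table[i];
    }
    if (!create || !free_slot)
        return NULL;
    free_slot->used = 1; free_slot->is_pag = is_pag; free_slot->key = key;
    return free_slot;
}

/* settok for one cell: replaces whatever token that credential set held. */
static void settoken(const struct proc *p, const char *owner)
{
    struct token *t = lookup(p, 1);
    if (t) t->owner = owner;
}

/* One smbd process, two users multiplexed on one connection (made-up uids
 * and PAG numbers). Returns whose token serves a request for uid 1001. */
static const char *token_for_first_user(unsigned pag_user1, unsigned pag_user2)
{
    struct proc smbd;
    memset(table, 0, sizeof table);
    smbd.euid = 1001; smbd.pag = pag_user1; settoken(&smbd, "user1");
    smbd.euid = 1002; smbd.pag = pag_user2; settoken(&smbd, "user2");
    smbd.euid = 1001; smbd.pag = pag_user1;    /* request from user1 arrives */
    struct token *t = lookup(&smbd, 0);
    return t ? t->owner : "none";
}

int main(void)
{
    printf("no PAG: %s, one PAG: %s, PAG per user: %s\n", token_for_first_user(0, 0),
           token_for_first_user(42, 42), token_for_first_user(41, 42));
    return 0;
}
```

With a single PAG the second user's settoken replaces the first user's token, so the first user's later requests run under the wrong identity; keying by uid or switching PAGs per user keeps them apart.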
