When AFS tokens are inserted into the kernel, they are inserted into a PAG. There is usually one PAG per user, but new PAGs can be created for the current process by calling AFSCALL_SETPAG. Since smbd is run as root, all users currently share the same PAG. This means that all users will use the tokens installed for the last authenticated user. This is probably not desired, and basically renders the AFS support unusable in a multi-user environment. My patch fixes this by creating a new PAG before installing the token into the kernel.
Created attachment 745: Patch for new pag in afs_settoken()
I am preparing to deploy Samba with AFS support into a medium-size environment (12k+ users), and during my testing I started having random, unexplained behavior. After applying this patch, 99% of my problems have been eliminated. Would it be possible to get this patch added to the next Samba release?
I don't think this is correct, as smbd needs to be able to act as different users. Think of a connection coming from a terminal server, multiple users coming in to the same smbd. What probably needs to be done if you really need a new PAG would be to do a getgroups right after the setpag() call, and add the pag groups to the current_user struct. Closing this bug, feel free to re-open it if you have more comments or an expanded patch that addresses the multi-user smbd issue. Volker
Mattias' patch is correct. To make the problem go away for you with an unpatched server, do like this: run pagsh, then start the samba server inside the PAG. Note, there is no way to leave the PAG once you have entered it. That is the reason you have to create a new PAG for each user. When you say that samba needs to be different users, I assume you are talking about root and the user currently logged in. Given that tridge has expressed his hate for threads, I wouldn't think that running several users (i.e. threads) inside the same smbd would be a problem, certainly not for samba3. There are tools, like sshd, telnetd and login, that will give the user a PAG unconditionally. This is a real issue. Please deal with it. We are running with Mattias' patch with 5 terminal servers and 500+ workstations load-shared over 3 samba servers using DFS with no ill effect. Not using Mattias' patch makes our sysadmins always shoot themselves in the foot. If you still think you have an issue with the patch, feel free to talk to me on irc, or I can call you if you leave me a phone number and we can talk about the issue.
Hmmm. smbd has to seteuid() to user1, come back to root and then seteuid() to user2 and be able to switch between both. Sorry for my possible misunderstanding, but does the unconditional SETPAG call handle this correctly? Volker
> Mattias patch is correct. Maybe this was a little bit too strong. Mattias' patch makes the world much better, even though it's slightly wrong. More information: you currently can't join a PAG at will by using setgroups. You are stuck in it, and you can only get a new PAG, or exit.
(In reply to comment #5) > Hmmm. smbd has to seteuid() to user1, come back to root and then seteuid() to > user2 and be able to switch between both. Sorry for my possible > misunderstanding, but does the unconditional SETPAG call handle this correctly? No, you are correct; however, if you already are in a PAG when entering smbd, not calling SETPAG will make you lose horribly from the user's view, with random errors.