The Samba-Bugzilla – Bug 1971
afs adds all tokens to the same pag
Last modified: 2004-12-17 05:58:07 UTC
When afs tokens are inserted into the kernel, they are inserted into a pag.
There is usually one pag per user, but new pags can be created for the current
process by calling AFSCALL_SETPAG.
Since smbd is run as root all users currently share the same pag. This means
that all users will use the tokens installed for the last authenticated user.
This is probably not desired, and basically renders the afs support unusable in a
My patch fixes this by creating a new pag before installing the token into the
Created attachment 745
Patch for new pag in afs_settoken()
I am preparing to deploy Samba with AFS support into a medium-size environment (12k+ users) and
during my testing I started having random unexplained behavior. After applying this patch, 99% of my
problems have been eliminated. Would it be possible to get this patch added to the next Samba
I don't think this is correct, as smbd needs to be able to act as different users.
Think of a connection coming from a terminal server, multiple users coming in to
the same smbd. What probably needs to be done if you really need a new PAG would
be to do a getgroups right after the setpag() call, and add the pag groups to
the current_user struct.
Closing this bug, feel free to re-open it if you have more comments or an
expanded patch that addresses the multi-user smbd issue.
Mattias' patch is correct.
To make the problem happen for you with an unpatched server, do like this:
start samba server inside PAG
Note, there is no way to leave the PAG once you entered it. That's the reason
you have to create a new pag for each user.
When you say that samba needs to be different users, I assume you are talking
about root and the user currently logged in. Given that tridge has expressed
his hate for threads, I wouldn't think that running several users (ie threads)
inside the same smbd would be a problem, certainly not for samba3.
There are tools, like sshd, telnetd and login, that will give the user a PAG
unconditionally. This is a real issue. Please deal with it.
We are running with Mattias' patch with 5 terminal servers and 500+ workstations
load-shared over 3 samba servers using DFS with no ill effect. Not using Mattias' patch
makes our sysadmins always shoot themselves in their feet.
If you still think you have an issue with the patch, feel free to talk to me on irc
or I can call you if you leave me a phone number and we can talk about the issue.
Hmmm. smbd has to seteuid() to user1, come back to root and then seteuid() to
user2 and be able to switch between both. Sorry for my possible
misunderstanding, but does the unconditional SETPAG call handle this correctly?
> Mattias' patch is correct.
Maybe this was a little bit too strong.
Mattias' patch makes the world much better, even though it's slightly wrong.
More information, you currently can't join a pag at will by using setgroups.
You are stuck in it, and you can only get a new PAG, or exit.
(In reply to comment #5)
> Hmmm. smbd has to seteuid() to user1, come back to root and then seteuid() to
> user2 and be able to switch between both. Sorry for my possible
> misunderstanding, but does the unconditional SETPAG call handle this correctly?
No, you are correct, however, if you already are in a pag when entering smbd
not calling SETPAG will make you lose horribly from the user's view with random errors.