external update policy support

tridge at samba.org
Sun Dec 5 00:46:25 UTC 2010

Hi Michael,

I've now added the ssu external update policy code that we discussed
yesterday, and added a test suite for it. This brings the total number
of patches to 18.

As usual, patches are here:


As we discussed, the external update policy allows for configurations
like this:

  update-policy {
	grant "local:/var/samba/bindauth.sock" external * A CNAME;
  };

bindauth.sock is a unix domain stream socket. 

I decided to take the simplest path when implementing it by making
named reconnect to the socket on each access check. That means no
hassle with multiple threads accessing the socket, which also means we
gain parallelism. Doing some tests on my laptop I can get over 100k
connections per second with unix domain sockets, so I don't think the
cost of the connect matters much.

As you suggested, I've done this first version of the code using
synchronous socket IO, so the named thread that is doing this check
will block on the socket. I don't expect that will be a big problem in
practice, but we could think about making it async in a future

I've also extended the tsiggss testsuite to test the external update
policy. To support that I wrote a simple ssu server in perl (see
bin/tests/system/tsiggss/authsock.pl). That server can act as a sample
for people wanting to implement external update policies.

The most intrusive part of the patch set is the change to the dst_api
code to allow the ssu checkers access to the original key_data from
the TKEY query. This is needed because that is where the kerberos
ticket is, and the ticket contains the PAC, which is needed in order
to implement ACLs.

The external policy server gets access to all the fields it might need
to decide if an update should be allowed. It gets signer, name,
address, type, key and key_data.

For simplicity of implementing servers I encoded all of the fields
except the key_data in their string forms. This makes it trivial to
parse using things like unpack() in perl.

This patch will make it possible for Samba to properly check NT ACLs
in update requests. Hopefully it will be useful for other users too.

Where should the format of the request be documented? For now I've
just put a reference to the authsock.pl example in
Bv9ARM-BOOK.xml. Should I put the full request format in there? If so,
with what notation? 

Cheers, Tridge
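
An added sketch of the exchange described in this message, not code from the patch set or from authsock.pl: a policy daemon on a unix domain stream socket that is contacted once per access check and denies by default. The field order, NUL-terminated framing, length-prefixed key_data, 4-byte allow/deny reply, the ACL and all sample values are assumptions made for illustration.

```python
import os, socket, struct, tempfile, threading

FIELDS = ("signer", "name", "address", "type", "key")  # string fields, assumed order
# Constructed ACL: which signer may update which name (sample data).
ACL = {b"client1$@EXAMPLE.COM": {b"client1.example.com"}}

def encode(req):
    """Assumed framing: NUL-terminated strings, then length-prefixed key_data."""
    body = b"".join(req[f].encode() + b"\0" for f in FIELDS)
    return body + struct.pack("!I", len(req["key_data"])) + req["key_data"]

def decide(buf):
    """Default deny: malformed requests and unknown signers are refused."""
    parts = buf.split(b"\0", len(FIELDS))
    if len(parts) != len(FIELDS) + 1 or len(parts[-1]) < 4:
        return False
    (n,) = struct.unpack("!I", parts[-1][:4])
    if len(parts[-1]) != 4 + n:          # key_data truncated or padded
        return False
    req = dict(zip(FIELDS, parts))       # string fields stay as bytes
    return req["type"] in (b"A", b"CNAME") and req["name"] in ACL.get(req["signer"], ())

def serve(listener, count):
    for _ in range(count):
        conn, _addr = listener.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):   # read until the client half-closes
                buf += chunk
            conn.sendall(struct.pack("!I", 1 if decide(buf) else 0))

def check(path, payload):
    """Stand-in for named: connect per check, send, block for the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return s.recv(4) == struct.pack("!I", 1)   # no reply counts as deny

def demo():
    path = os.path.join(tempfile.mkdtemp(), "bindauth.sock")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
        listener.bind(path)
        listener.listen(8)
        threading.Thread(target=serve, args=(listener, 3), daemon=True).start()
        req = dict(signer="client1$@EXAMPLE.COM", name="client1.example.com",
                   address="192.0.2.10", type="A", key="sample-key", key_data=b"\x01\x02")
        return [check(path, encode(req)),
                check(path, encode(dict(req, name="www.example.com"))),
                check(path, encode(req)[:-1])]  # truncated key_data
```

A real policy server would also inspect key_data (the Kerberos ticket) before allowing; here it is only length-checked.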
