Krishna Ganugapati’s Weblog

Making Linux systems first class citizens in a Windows Network

Archive for April 2009

lwio watch: Weeks 9, 10, 11 ending April 3rd, 2009


It has been a hectic three weeks and I haven’t been able to write a whole lot. I have been on the road quite a bit meeting with customers, and I’d forgotten how busy things get on the road.

Anyway, we’ve made huge strides.

First, we’re dogfooding the SMB server on all our internal servers. We now have full security descriptor support in the Posix file system driver. Our first attempt was to write clean mapping functions from NT security descriptors to Posix ACLs and vice versa, but we’ve settled on storing native NT security descriptors as Posix file EAs (extended attributes). This quickly gets us the Windows MMC pieces that let us edit security descriptors.
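The storage choice above means the driver reads a binary, self-relative NT security descriptor back out of an extended attribute and has to trust nothing in it: every offset and size in the blob must be checked against the blob length before it is followed. The following is an added example, not Likewise code; it serialises and parses the self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID layouts from MS-DTYP and uses a plain dict as a constructed stand-in for the file's EA (a real driver would use setxattr/getxattr with an attribute name of its own choosing; `user.ntsd` here is an assumption).

```python
"""Round-trip a self-relative NT security descriptor through an EA-style blob.

Layouts follow MS-DTYP; all multi-byte fields are little-endian except the
6-byte SID identifier authority, which is big-endian.
"""
import struct

SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
FILE_ALL_ACCESS = 0x001F01FF
FILE_GENERIC_READ = 0x00120089
EA_NAME = "user.ntsd"  # assumed attribute name, not Likewise's


def pack_sid(sid):
    """Serialise 'S-1-<authority>-<sub>...' into the binary SID structure."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID revision")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def unpack_sid(blob, offset):
    """Parse a SID at offset; every read is bounds-checked against the blob."""
    if offset + 8 > len(blob):
        raise ValueError("SID header out of bounds")
    rev, count = struct.unpack_from("<BB", blob, offset)
    if rev != 1 or count > 15:
        raise ValueError("bad SID header")
    size = 8 + 4 * count
    if offset + size > len(blob):
        raise ValueError("SID sub-authorities out of bounds")
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs)), size


def pack_acl(aces):
    """aces: list of (ace_type, access_mask, sid) -> ACL blob (revision 2)."""
    body = b""
    for ace_type, mask, sid in aces:
        sid_blob = pack_sid(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_blob), mask) + sid_blob
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def unpack_acl(blob, offset):
    """Parse an ACL, refusing ACEs that overrun the ACL or the blob."""
    if offset + 8 > len(blob):
        raise ValueError("ACL header out of bounds")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, offset)
    if acl_size < 8 or offset + acl_size > len(blob):
        raise ValueError("ACL size exceeds blob")
    aces, pos, end = [], offset + 8, offset + acl_size
    for _ in range(ace_count):
        if pos + 8 > end:
            raise ValueError("ACE header out of bounds")
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE size inconsistent with ACL")
        sid, sid_size = unpack_sid(blob, pos + 8)
        if 8 + sid_size > ace_size:
            raise ValueError("SID overruns ACE")
        aces.append((ace_type, mask, sid))
        pos += ace_size
    return aces


def pack_sd(owner, group, dacl):
    """Build a self-relative SECURITY_DESCRIPTOR with owner, group and DACL."""
    owner_b, group_b, dacl_b = pack_sid(owner), pack_sid(group), pack_acl(dacl)
    off_owner = 20                       # header is 20 bytes
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + dacl_b


def unpack_sd(blob):
    """Parse a self-relative SD, rejecting offsets that point outside the blob."""
    if len(blob) < 20:
        raise ValueError("SD header truncated")
    rev, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", blob)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SD")
    return {
        "owner": unpack_sid(blob, off_owner)[0] if off_owner else None,
        "group": unpack_sid(blob, off_group)[0] if off_group else None,
        "dacl": unpack_acl(blob, off_dacl) if control & SE_DACL_PRESENT and off_dacl else None,
    }


def demo(ea_store=None):
    """Store an SD in the (constructed) EA store and read it back."""
    ea_store = {} if ea_store is None else ea_store
    ea_store[EA_NAME] = pack_sd("S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513",
                                [(ACCESS_ALLOWED_ACE_TYPE, FILE_ALL_ACCESS, "S-1-5-21-1-2-3-1001"),
                                 (ACCESS_ALLOWED_ACE_TYPE, FILE_GENERIC_READ, "S-1-1-0")])
    return unpack_sd(ea_store[EA_NAME])
```

Because the blob is user-controllable by anyone who can set the attribute, `unpack_sd` treats a bad offset, an ACL whose declared size exceeds the data, or an ACE whose SID runs past the ACE as a parse error rather than reading past the buffer; a C implementation in a driver needs exactly the same checks.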

Second, we now have a uniform access token model across the entire lwio “kernel”. What this means is that, similar to the Windows ConvertAuthDataToToken function, we can pass in authorization data from an underlying security mechanism (in the case of the SMB server, at session setup time) and create a generic lwio token that holds the authentication state for the connection. This token is now one of the parameters passed through IoCreateFile to the posix driver when creating or opening a handle to a new or existing file managed by the posix driver. This access token model is a generic model common across all Likewise protected subsystems.
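To make the token model concrete, here is an added example (not Likewise code) of the two halves the paragraph describes: turning the authentication data a mechanism hands over into a token that carries the caller's SIDs, and then evaluating that token against a file's DACL with the ordered walk an NT-style AccessCheck performs. The `AuthData` and `AccessToken` shapes, the SIDs and the sample DACL are all constructed for the illustration.

```python
"""Generic access token built from auth data, checked against a DACL."""
from dataclasses import dataclass

ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
EVERYONE_SID = "S-1-1-0"
AUTHENTICATED_USERS_SID = "S-1-5-11"
FILE_GENERIC_READ = 0x00120089
FILE_GENERIC_WRITE = 0x00120116
FILE_WRITE_DATA = 0x00000002
FILE_APPEND_DATA = 0x00000004
FILE_ALL_ACCESS = 0x001F01FF


@dataclass(frozen=True)
class AuthData:
    """What the security mechanism (e.g. SMB session setup) hands over."""
    user_sid: str
    group_sids: tuple
    authenticated: bool = True


@dataclass(frozen=True)
class AccessToken:
    """The mechanism-independent token the rest of the 'kernel' consumes."""
    user_sid: str
    sids: frozenset  # every SID an ACE may match against


def convert_auth_data_to_token(auth):
    """Expand auth data into the token's SID set, adding the well-known groups."""
    sids = {auth.user_sid, *auth.group_sids, EVERYONE_SID}
    if auth.authenticated:
        sids.add(AUTHENTICATED_USERS_SID)
    return AccessToken(auth.user_sid, frozenset(sids))


def access_check(token, dacl, desired):
    """Return (granted, mask_granted) for a desired access mask.

    dacl is an ordered list of (ace_type, mask, sid); None means no DACL at
    all (everything allowed) while an empty list allows nothing.  ACEs are
    walked in order: a deny ACE for a SID in the token refuses the request if
    it covers any still-outstanding bit; allow ACEs accumulate until every
    requested bit has been granted.
    """
    if dacl is None:
        return True, desired
    granted = 0
    for ace_type, mask, sid in dacl:
        if sid not in token.sids:
            continue
        outstanding = desired & ~granted
        if ace_type == ACCESS_DENIED_ACE_TYPE and mask & outstanding:
            return False, granted
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted |= mask & desired
            if granted == desired:
                return True, granted
    return False, granted


# Constructed DACL in canonical order: explicit deny first, then allows.
OWNER_SID = "S-1-5-21-1-2-3-1001"
CONTRACTOR_SID = "S-1-5-21-1-2-3-1002"
SAMPLE_DACL = [
    (ACCESS_DENIED_ACE_TYPE, FILE_WRITE_DATA | FILE_APPEND_DATA, CONTRACTOR_SID),
    (ACCESS_ALLOWED_ACE_TYPE, FILE_ALL_ACCESS, OWNER_SID),
    (ACCESS_ALLOWED_ACE_TYPE, FILE_GENERIC_READ, AUTHENTICATED_USERS_SID),
]


def demo():
    """Run the three cases a session-setup path would exercise."""
    owner = convert_auth_data_to_token(AuthData(OWNER_SID, ("S-1-5-21-1-2-3-513",)))
    contractor = convert_auth_data_to_token(AuthData(CONTRACTOR_SID, ("S-1-5-21-1-2-3-513",)))
    anonymous = convert_auth_data_to_token(AuthData("S-1-5-7", (), authenticated=False))
    return {
        "owner_rw": access_check(owner, SAMPLE_DACL, FILE_GENERIC_READ | FILE_GENERIC_WRITE),
        "contractor_read": access_check(contractor, SAMPLE_DACL, FILE_GENERIC_READ),
        "contractor_write": access_check(contractor, SAMPLE_DACL, FILE_GENERIC_WRITE),
        "anonymous_read": access_check(anonymous, SAMPLE_DACL, FILE_GENERIC_READ),
    }
```

Two details matter for a driver doing this at IoCreateFile time: the deny ACE is tested only against bits not yet granted, so ACE order changes the answer (which is why the canonical order puts denies first), and the deny mask deliberately names FILE_WRITE_DATA and FILE_APPEND_DATA rather than FILE_GENERIC_WRITE, because the generic write mask shares READ_CONTROL and SYNCHRONIZE with generic read and would deny reads too.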

Brian Koropoff has finished asynchronous semantics in the lwmsg layer. What this means is that from “user space” to “kernel space”, we can support system calls with overlapped I/O semantics. Thus an NtCreateFile or a NtConnectNamedPipe call can immediately return back to the calling process, and when the “kernel” has data to indicate we can signal an event in the “user-mode” calling process. This was necessary because without this asynchronous behavior, each named pipe RPC server would be plumbing a ConnectNamedPipe call which would be consuming one blocking thread. This way, all named pipe RPC servers will be able to support asynchronous semantics. Huge piece of work.
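The threading point above is easiest to see with a small model. The following is an added example, not lwmsg or Likewise code: three "named pipe RPC servers" each await a connection, yet the whole thing runs on one thread, and each client still sees an ordinary request/reply. It uses asyncio over loopback TCP as a constructed stand-in for the lwmsg transport, and the endpoint names are the ones mentioned on this page used purely as labels.

```python
"""Several pipe-style RPC endpoints waiting for clients on a single thread."""
import asyncio
import threading


async def pipe_server(name, ports, served):
    """One RPC endpoint: accept a client, answer it, record that it ran."""
    async def handle(reader, writer):
        request = await reader.readline()
        served.append(name)               # recorded before the reply is sent
        writer.write(b"%s: %s" % (name.encode(), request))
        await writer.drain()
        writer.close()

    # Port 0 asks the OS for a free loopback port; no blocking accept() thread.
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    ports[name] = server.sockets[0].getsockname()[1]
    return server


async def client(port, message):
    """Minimal client: one request line, one reply line."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(message + b"\n")
    await writer.drain()
    reply = await reader.readline()
    writer.close()
    await writer.wait_closed()
    return reply.decode().strip()


async def run_demo(names):
    threads_before = threading.active_count()
    ports, served = {}, []
    servers = [await pipe_server(n, ports, served) for n in names]
    # All endpoints are now waiting for a connection; count threads at this point.
    extra_threads = threading.active_count() - threads_before
    replies = await asyncio.gather(*(client(ports[n], n.encode() + b" request") for n in names))
    for s in servers:
        s.close()
        await s.wait_closed()
    return {"extra_threads": extra_threads, "replies": list(replies), "served": sorted(served)}


def demo(names=("lsarpc", "samr", "netlogon")):
    """Returns how many threads the waiting endpoints cost and what each replied."""
    return asyncio.run(run_demo(list(names)))
```

With the blocking design the page describes, `extra_threads` would equal the number of endpoints, because each ConnectNamedPipe call parks a thread; here it is zero, and adding a fourth or fortieth endpoint changes nothing but the list passed to `demo`.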

The biggest piece of work left, and one we’ve made great progress on, is the refactoring of our local authentication database in preparation for our lsarpc, netlogon and samr RPC servers. I’m going to write a separate post on that. This is our SAM for Linux strategy.

The posix virtual file system has support for alternate data streams. I should clarify: the smb server will pass requests to the posix virtual file system driver which can implement them in a variety of ways: we can create a hidden directory where the additional data streams are stored as separate files. Alternatively, if the underlying file system has native support for alternate data streams, the posix virtual file system driver can support that.
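The hidden-directory approach to alternate data streams has one security-relevant detail worth spelling out: the stream part of `file:stream` arrives from the client as an opaque label, and the driver must never let it act as a path component. The following is an added example, not Likewise code, of such a mapping with that validation; the `.streams` directory name, the `:` separator handling and the share layout are assumptions made for the illustration.

```python
"""Emulate 'file:stream' names with a hidden side directory under the share."""
import os
import shutil
import tempfile

STREAM_DIR = ".streams"   # assumed hidden directory under the share root
DATA_TYPE_SUFFIX = ":$DATA"


def split_stream_name(name):
    """'dir/file:meta' -> ('dir/file', 'meta'); a bare name maps to ('dir/file', '').

    A trailing ':$DATA' type qualifier is stripped, so 'file::$DATA' is the
    unnamed (default) stream and 'file:meta:$DATA' is the stream 'meta'.
    """
    base, _, stream = name.partition(":")
    if stream.endswith(DATA_TYPE_SUFFIX):
        stream = stream[:-len(DATA_TYPE_SUFFIX)]
    return base, stream


def validate_stream(stream):
    """A stream name is a single label: no separators, no dot entries, no NUL."""
    if not stream:
        return
    if any(c in stream for c in "/\\\0") or stream in (".", ".."):
        raise ValueError("illegal stream name %r" % stream)


def stream_path(root, name):
    """Resolve a client-supplied name to a real path that stays inside root."""
    base, stream = split_stream_name(name)
    validate_stream(stream)
    base_path = os.path.normpath(os.path.join(root, base))
    if os.path.commonpath([root, base_path]) != root:
        raise ValueError("path escapes share root")
    if not stream:
        return base_path                   # the default stream is the file itself
    rel = os.path.relpath(base_path, root)
    return os.path.join(root, STREAM_DIR, rel, stream)


def write_stream(root, name, data):
    path = stream_path(root, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def read_stream(root, name):
    with open(stream_path(root, name), "rb") as f:
        return f.read()


def list_streams(root, base):
    """Names of the alternate streams stored for base (empty list if none)."""
    rel = os.path.relpath(os.path.normpath(os.path.join(root, base)), root)
    side_dir = os.path.join(root, STREAM_DIR, rel)
    return sorted(os.listdir(side_dir)) if os.path.isdir(side_dir) else []


def demo():
    """Write a file and one named stream into a temporary share, read both back."""
    root = tempfile.mkdtemp()
    try:
        write_stream(root, "docs/report.txt", b"main data")
        write_stream(root, "docs/report.txt:Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n")
        return {
            "streams": list_streams(root, "docs/report.txt"),
            "main": read_stream(root, "docs/report.txt::$DATA"),
            "zone": read_stream(root, "docs/report.txt:Zone.Identifier:$DATA"),
        }
    finally:
        shutil.rmtree(root)
```

Two consequences of the layout are worth noting: renaming or deleting the main file must also move or remove its side directory, and because the side directory is a real directory, a client listing the share will see `.streams` unless the driver hides it, both of which a native-ADS file system handles for free.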

Two weeks from now is Samba XP: I’m looking forward to this trip to Göttingen. It has become a yearly event and a great time to meet with people.

Thanks for reading!

Written by kganugapati

April 7, 2009 at 10:19 pm

Posted in Uncategorized