From:	SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM" 13-MAY-1994 11:42:18.74
To:	EVERHART
CC:
Subj:	Re: VMS and NT comparisons

From: jhs@banting.wimsey.bc.ca (Jim Stewart)
X-Newsgroups: comp.os.ms-windows.nt.misc,comp.os.vms
Subject: Re: VMS and NT comparisons
Message-Id:
Date: Mon, 9 May 94 13:33:50 -0800
Organization: Running Dog Software
Lines: 78
X-Newsreader: Helldiver 1.07 (Waffle 1.65)
To: Info-VAX@CRVAX.SRI.COM
X-Gateway-Source-Info: USENET

In davehart@eskimo.com (David Hart) writes:

>Harvey Brydon (918)250-4312 (brydon@dsnvx1.tulsa.dowell.slb.com) wrote:
>: In article <2qhgks$kh8@jac.zko.dec.com>, winalski@gemcil.enet.dec.com (Paul S.
>: Winalski) writes:
>: [Harvey's comparison between FAL and the NT Server authentication, deleted]

>The file server is called simply the "Server", and consists of two parts.
>A user-mode portion runs as part of lmsvcs.exe and the meat is in srv.sys.
>There are *no* processes or threads created on the remote machine to share
>files on the network -- it's done using interrupt-time processing to get
>things started and IO system threads to clean up. Most of the processing
>happens in kernel mode, either as the result of an incoming request
>immediately turned around to the appropriate filesystem, or as a result
>of the completion of an earlier I/O request.

Interesting... For the VMS crowd, this is like the "internal IRP mechanism"
used by MSCP server, DECnet and PSI. Think of the User mode NT Server service
and the Service Control Manager as NETACP. It is also interesting to contrast
the Server Service with the ftp service.

>: >But I believe that you *can* have processes running under several different
>: >accounts running at the same time. That's the same as having multiple users
>: >logged in, particularly if those processes are talking to interactive client
>: >applications running elsewhere on the network on the PC that the user's sitting
>: >in front of.

Like ftp?

>: In NT, you can have File Manager ("FAL") connections from multiple sources,
>: but rather than VMS' model that creates one or more processes for each
>: connection, I think NT has one system-wide process that does the validation
>: itself. I challenge the statement that a FAL-like connection is the same as
>: being logged in interactively.

I don't think I ever said it was the SAME AS being logged in interactively.
I think it is BETTER than being logged in interactively.

Harvey is correct saying that VMS creates a Process to handle a file access
request. A whole process: with a virtual address space, an initialized XQP,
logical name tables, the whole shebang... just because I typed
DIR NODE::[jhs]*.lis, and the service is single threaded to boot.

VMS does it this way because it has to. The entity that represents a user in
a VMS system is the process. Processes hold privs. and rights identifiers,
and security checks are made against processes.

NT represents a subject with a token, and a token can be bound to a thread.
This is like being able to specify the security context that an AST procedure
will run under, and is an Extremely Good Thing.

As David points out, the LANMAN Server does not use (or need) a separate
thread per user session. Other services certainly can and do use thread
impersonation.

>You should check out SQL Server and throw away some of your host/terminal
>assumptions before assuming that if it's not a terminal it's not
>multiuser. When using a SQL Server client, all the substantial work is
>being done on the server on a thread logged in as the client. The single
>SQL Server process has 1 thread for each client, each logged in as a
>different user and therefore with different access to database objects
>*as well as* filesystem objects via SQL Server (such as ordering a dump
>to a file which you don't have access to). This is really the way of the
>future, as each client deals with its user interface and only shares the
>portion of the processing that really needs to be shared.

Yup, it is the way of the future. Unfortunately, the future is still a little
way off. The impersonation API only works currently for NetDDE and Named Pipes.
In particular, it ain't there for sockets, or RPC over sockets. DCE servers
still see NT clients as unauthenticated...

"t'will be fixed in a future release" I am sure :)

js who_still_like_VMS_sort_of-:)

--
Jim Stewart
Home: jhs@banting.wimsey.bc.ca
Work: jstewart@cgooa.enet.dec.com
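
The token-bound-to-a-thread model discussed in this message, sketched as a small Python model that is added here and is not code from the thread or the Win32 API. `Token`, `impersonate`, `access_check`, `serve` and the sample ACL are hypothetical names and constructed data; the model shows that one server process can give each client thread its own security context, and that a check made without impersonation runs against the server's own process token.

```python
import threading
from contextlib import contextmanager
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:                       # hypothetical stand-in for an access token
    user: str

PROCESS_TOKEN = Token("SYSTEM")    # identity of the single server process
_tls = threading.local()           # per-thread slot for an impersonation token

# Constructed sample ACL: object -> users allowed to write it
ACL = {r"D:\dumps\payroll.dmp": {"SYSTEM", "bob"}}

def effective_token():
    """Thread token if one is bound, otherwise the process token."""
    return getattr(_tls, "token", None) or PROCESS_TOKEN

@contextmanager
def impersonate(token):
    """Bind a client's token to the current thread, reverting on exit."""
    _tls.token = token
    try:
        yield
    finally:
        _tls.token = None

def access_check(path):
    """Security check made against whatever token the thread carries."""
    return effective_token().user in ACL[path]

def handle(client, path, use_impersonation, results):
    if use_impersonation:
        with impersonate(Token(client)):
            results[client] = access_check(path)
    else:
        results[client] = access_check(path)   # runs as the server itself

def serve(requests, use_impersonation=True):
    """One process, one worker thread per client request."""
    results = {}
    workers = [threading.Thread(target=handle,
                                args=(c, p, use_impersonation, results))
               for c, p in requests]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return results

REQUESTS = [("alice", r"D:\dumps\payroll.dmp"), ("bob", r"D:\dumps\payroll.dmp")]
```

Calling `serve(REQUESTS)` denies alice and allows bob, while `serve(REQUESTS, use_impersonation=False)` allows both because every check is then made as SYSTEM.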