Samba under Coherant and Macintosh

Todd Sabin tastas at
Tue Dec 21 17:32:39 GMT 1999

Luke Kenneth Casson Leighton <lkcl at> writes:
> On Sun, 19 Dec 1999, Jean Francois Micouleau wrote:
> > 
> > I don't think so. You need only to check in the "open handle functions".
> > NT will try the different info levels only if you allowed it to do so in
> > the reply to the open handle function.
> unfortunately not, jean-francois.  "open handle" functions are where it
> starts.
> SamrConnect("\\PDC", SEC_ACCESS_MAXIMUM_ALLOWED, &pSamHnd)
> SamrOpenDomain(pSamHnd, S-1-5-32, SEC_ACCESS_READ_ONLY, &pDomHnd)
> SamrOpenDomain(pSamHnd, S-1-5-32, SEC_ACCESS_MAX_ALLOWED, &pDomHnd2)
> each open call is checked against the permissions requested and the user
> security context.
> the requested permissions are associated with the handle returned
> (SEC_ACCESS_MAXIMUM_ALLOWED with pSamHnd) _if_ allowed.

MAXIMUM_ALLOWED is a bit special; instead of having that bit
associated with your handle, you get whatever permission bits you're
entitled to.

> in the case of the SamrOpenDomain, the permissions
> SEC_ACCESS_MAXIMUM_ALLOWED are ANDed with the requested permissions (for
> the first call, SEC_ACCESS_READ_ONLY) before proceeding.  this can result
> in zero bits being set, therefore can result in an instant "access
> denied".

I may be misunderstanding what you're saying here, but it sounds like
you're saying that the SamrOpenDomain call is checking that the perms
you're requesting for the pDomHnd is a subset of the ones you received
in the SamrConnect call.  If so, that's not correct.  In general, the
way these things work are that when you do some operation on a handle,
there's a check for whether the handle has been granted the necessary
permission(s) for that operation.  In the case of SamrOpenDomain, you
need to have been granted the SAMR_OPEN_DOMAIN permission in your
pSamHnd handle.  

For 'open' type calls, there's also a check that you're allowed the
permissions you're asking for on the object you're trying to open.
(as you mention next...)

> assuming that it doesn't result in zero bits set, you can then check the
> remaining permissions against the type of Open call, and then return a
> handle associated with the permissions allowed.

> _then_ you may receive calls such as SamrEnumDomUsers(&pDomHnd, ...)  and
> for each type of call:
> - read
> - write
> - enumerate
> we need to creaate a security descriptor.  in the SamrEnumDomUsers
> example, it would have an ACL entry:
> "Everyone" is granted "SEC_ACCESS_ENUMERATE".
> _except_ if we decide to implement "RestrictAnonymous", in which case this
> changes to:
> "Authenticated Users" is granted "SEC_ACCESS_ENUMERATE".
> "Everyone" is denied access.
> .. or something of the sort, in order to deny anonymous users the right
> to enumerate domain users.

Note that on NT, the SD isn't associated with a call, per se.  There's
actually an SD for each and every object in the SAM.  That includes
the SAM itself, the Builtin and Account domains, and every alias,
group, and user within them.  I don't think samba has a way of storing
these currently, but you may want to allow for this in the future.


More information about the samba-technical mailing list