New group mapping and the auth subsystem
Jean Francois Micouleau
Jean-Francois.Micouleau at dalalu.fr
Sat Dec 1 14:58:02 GMT 2001
On Sun, 2 Dec 2001, Andrew Bartlett wrote:
> Yes, I'm interested in the account policy stuff, and I'll look into
> adding that kind of thing to the sam_account_ok checks, but I think you
> miss my point.
ok.
> If I want to conduct a privileged action on the server (like adding a
> machine account, changing a share's properties), when (and how) will it
> be checked that I have the privilege to conduct this operation?
In the rpc lsa|samr|spoolss open call first, to check against the desired
access, and next in each rpc call.
> And when is the privileges list for this check calculated? (The
> NT_USER_TOKEN).
>
> This token needs to be generated at some point.
The NT_USER_TOKEN is already generated. I talked to Jeremy 2 days ago and he
agreed with some changes I want to make to it.
> Furthermore, this token (or its constituent parts) is not always
> generated by the group mapping code, but can be generated by the PDC,
> and passed to a domain member by means of a PAC or an info3 in a
> samlogon reply.
Wrong. A token is valid only on the machine it has been generated on,
just as privileges are valid only on the machines they are defined on.
Check MSDN, it's documented.
> This token needs to be carried from the authentication backend (where we
> get it, by hook or by crook) into the rest of samba where it can be
> associated with a user when they request these actions.
You're mixing authentication and authorisation. The authentication backend
has nothing to do with generating an authorisation token! I'm working on
the TOKEN stuff right now.
> The reason I want to do it like this is because it follows the model NT
> uses very closely, and it makes maximum use of the available
> information. Much of my work in the auth subsystem has been aimed at
> simply *not* throwing away information if we can avoid it.
>
> In any case, how did you propose obtaining this privilege information
> from the DC (given samba as a member server)?
You can't get them from DCs. They are local.
J.F.
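As an added illustration of the model J.F. describes above (this is not Samba's code; the structures, SIDs, access bits and group-mapping table are constructed for the example): the token is built on the local machine from the DC-supplied domain SIDs plus the member server's own group mapping, checked once in the open call against the desired access, and then on every later call through the handle's granted access.

```c
#include <stdint.h>
#include <string.h>
#define MAX_SIDS  8
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u
#define ACC_ADMIN 0x4u

typedef struct { const char *sids[MAX_SIDS]; int num; } user_token;    /* stand-in for NT_USER_TOKEN */
typedef struct { const char *sid; uint32_t allow; } ace;               /* allow-only ACE */
typedef struct { uint32_t granted; } rpc_handle;                       /* policy/object handle */

/* Constructed local group mapping (domain group SID -> local group SID); it lives on the member server. */
static const struct { const char *domain_sid, *local_sid; } local_map[] = {
    { "S-1-5-21-1-2-3-1104", "S-1-5-32-544" },   /* hypothetical domain group -> BUILTIN\Administrators */
};

/* The DC (info3/PAC) supplies only the user's domain SIDs; the token itself
   is built here, adding Everyone and whatever the local mapping yields. */
void build_local_token(const char **domain_sids, int n, user_token *t) {
    t->num = 0;
    t->sids[t->num++] = "S-1-1-0";                                      /* Everyone */
    for (int i = 0; i < n && t->num < MAX_SIDS; i++)
        t->sids[t->num++] = domain_sids[i];
    for (int i = 0; i < n; i++)
        for (size_t m = 0; m < sizeof local_map / sizeof *local_map; m++)
            if (t->num < MAX_SIDS && strcmp(domain_sids[i], local_map[m].domain_sid) == 0)
                t->sids[t->num++] = local_map[m].local_sid;
}

int token_has_sid(const user_token *t, const char *sid) {
    for (int i = 0; i < t->num; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Open call: collect the allow bits of every ACE whose SID is in the token and
   refuse unless all desired bits were granted. The handle keeps only what was asked for. */
int rpc_open(const user_token *t, const ace *acl, int nace, uint32_t desired, rpc_handle *h) {
    uint32_t granted = 0;
    for (int i = 0; i < nace; i++)
        if (token_has_sid(t, acl[i].sid)) granted |= acl[i].allow;
    if ((granted & desired) != desired) return 0;                       /* access denied */
    h->granted = desired;
    return 1;
}

/* Each later call checks the handle's granted access, never the raw token again. */
int rpc_call(const rpc_handle *h, uint32_t needed) {
    return (h->granted & needed) == needed;
}
```

A handle opened for READ|ADMIN still fails a call that needs WRITE, even though the token would have been granted it at open time.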