New group mapping and the auth subsystem

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Sat Dec 1 14:58:02 GMT 2001


On Sun, 2 Dec 2001, Andrew Bartlett wrote:

> Yes, I'm interested in the account policy stuff, and I'll look into
> adding that kind of thing to the sam_account_ok checks, but I think you
> miss my point.

OK.

> If I want to conduct a privileged action on the server (like adding a
> machine account, changing a share's properties), when (and how) will it
> be checked that I have the privilege to conduct this operation?

In the rpc lsa|samr|spoolss open call first, to check against the desired
access.

And next in each rpc call.

> And when is the privileges list for this check calculated?  (The
> NT_USER_TOKEN).
>
> This token needs to be generated at some point.

The NT_USER_TOKEN is already generated. I talked to Jeremy 2 days ago and he
agreed with some changes I want to make to it.

> Furthermore, this token (or its constituent parts) is not always
> generated by the group mapping code, but can be generated by the PDC,
> and passed to a domain member by means of a PAC or an info3 in a
> samlogon reply.

Wrong. A token is valid only on the machine on which it has been generated.
Likewise, privileges are valid only on the machines on which they are defined.

Check MSDN; it's documented.

> This token needs to be carried from the authentication backend (where we
> get it, by hook or by crook) into the rest of samba where it can be
> associated with a user when they request these actions.

You're mixing authentication and authorisation. The authentication backend
has nothing to do with generating an authorisation token! I'm working on
the TOKEN stuff right now.

> The reason I want to do it like this is because it follows the model NT
> uses very closely, and it makes maximum use of the available
> information.  Much of my work in the auth subsystem has been aimed at
> simply *not* throwing away information if we can avoid it.
>
> In any case, how did you propose obtaining this privilege information
> from the DC (given samba as a member server)?

You can't get them from DCs. They are local.

	J.F.
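The two-stage check J.F. describes (compare the user's token with the object's ACL against the desired access in the open call, then have every later RPC call verify the handle it is given) can be shown with a small model. This is an added example written for this page, not Samba's NT_USER_TOKEN, handle or access-check code; the type names, the ACC_* mask bits, the SID-as-RID simplification and the sample token and ACL are all hypothetical and constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits. Hypothetical names; not Samba's or Windows' definitions. */
#define ACC_READ   0x01u
#define ACC_WRITE  0x02u
#define ACC_DELETE 0x04u

/* A SID reduced to its RID for this example. */
typedef struct { uint32_t rid; } sid_t;

/* Stand-in for the NT_USER_TOKEN the thread discusses: the user's SID plus
 * the SIDs of the groups it belongs to on this machine. */
typedef struct {
    sid_t user;
    sid_t groups[4];
    int   ngroups;
} user_token_t;

typedef struct { bool deny; sid_t who; uint32_t mask; } ace_t;
typedef struct { ace_t aces[8]; int naces; } acl_t;

/* The handle an RPC open call hands back: remembers what was granted at open. */
typedef struct { bool open; uint32_t granted; } policy_handle_t;

static bool token_has_sid(const user_token_t *t, sid_t s)
{
    if (t->user.rid == s.rid) return true;
    for (int i = 0; i < t->ngroups; i++)
        if (t->groups[i].rid == s.rid) return true;
    return false;
}

/* NT-style DACL evaluation: walk ACEs in order; a matching deny ACE that
 * covers any still-ungranted desired bit refuses the whole request; matching
 * allow ACEs grant bits until nothing is left. Returns the granted mask
 * (equal to desired) or 0 when access is refused. */
uint32_t access_check(const user_token_t *t, const acl_t *acl, uint32_t desired)
{
    uint32_t remaining = desired;
    for (int i = 0; i < acl->naces && remaining != 0; i++) {
        const ace_t *ace = &acl->aces[i];
        if (!token_has_sid(t, ace->who)) continue;
        if (ace->deny) {
            if (ace->mask & remaining) return 0;
        } else {
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0 ? desired : 0;
}

/* First check: the open call evaluates the token against the object's ACL for
 * the desired access and records the outcome in the handle. */
bool open_handle(const user_token_t *t, const acl_t *acl, uint32_t desired,
                 policy_handle_t *h)
{
    h->granted = access_check(t, acl, desired);
    h->open = (desired != 0 && h->granted == desired);
    return h->open;
}

/* Second check: each later RPC call verifies that the rights it needs were
 * granted when the handle was opened, rather than trusting the caller. */
bool handle_permits(const policy_handle_t *h, uint32_t needed)
{
    return h->open && (h->granted & needed) == needed;
}

/* Constructed sample token: user RID 1001, member of group RID 513. */
user_token_t sample_token(void)
{
    user_token_t t = { .user = { 1001 }, .ngroups = 1 };
    t.groups[0].rid = 513;
    return t;
}

/* Constructed sample ACL: group 513 may read; RID 1001 is denied write by an
 * ACE that precedes the one allowing it (order matters in DACL evaluation). */
acl_t sample_acl(void)
{
    acl_t a = { .naces = 3 };
    a.aces[0] = (ace_t){ .deny = false, .who = { 513 },  .mask = ACC_READ };
    a.aces[1] = (ace_t){ .deny = true,  .who = { 1001 }, .mask = ACC_WRITE };
    a.aces[2] = (ace_t){ .deny = false, .who = { 1001 }, .mask = ACC_WRITE | ACC_DELETE };
    return a;
}

/* Open against the sample data and then attempt one call needing `needed`. */
bool sample_open_then_call(uint32_t open_desired, uint32_t needed)
{
    user_token_t t = sample_token();
    acl_t a = sample_acl();
    policy_handle_t h;
    open_handle(&t, &a, open_desired, &h);
    return handle_permits(&h, needed);
}

int main(void)
{
    printf("open READ, then WRITE op: %s\n",
           sample_open_then_call(ACC_READ, ACC_WRITE) ? "ok" : "denied");
    printf("open READ|WRITE, then READ op: %s\n",
           sample_open_then_call(ACC_READ | ACC_WRITE, ACC_READ) ? "ok" : "denied");
    printf("open DELETE, then DELETE op: %s\n",
           sample_open_then_call(ACC_DELETE, ACC_DELETE) ? "ok" : "denied");
    return 0;
}
```

The point the model makes is that the open call is the only place the ACL is consulted; afterwards the granted mask lives in the handle, so a call that needs WRITE on a handle opened for READ fails without re-running the ACL walk, and a caller who asks for more than the ACL allows gets no handle at all rather than a partially usable one.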