Luke Kenneth Casson Leighton
lkcl at samba-tng.org
Wed Mar 14 12:40:44 GMT 2001
On Wed, 14 Mar 2001, Sander Striker wrote:

> > > Luke seems to believe the best way to go is to reimplement the entire
> > > daemon for every backend.

> > entire? no: everything but the low-level common routines. i assumed that
> > people would know what i meant by low-level common routines: see other
> > reply for that.

> We can just put a 'template' samrd in the repository. Makes it easier to
> implement different instances, since you only have to fill in callback

it should probably include the calls to se_access_check or equiv, where
you have to "fill in" the means to obtain the security descriptor to use,
off of your back-end db. with a proviso saying that you don't _have_ to
use these se_access_check functions, you can do your own!

btw: time to cross-post to samba-technical, about that. for tdb, andrew
and i, back in.... march 2000, worked out a really good api: tdbsec.c.
the principle was that you prepend "SEC-" to the key, and store a security
"blob" under that extra keyname.

you must also provide, to the TDB_SEC_CTXT, a "blob-interpreting"

when performing any operation, for which we had to add TDB_MODIFY to get
the full list of operations needed, the key is prepended with "SEC-", the
blob obtained under that extra key, and this is passed to the
"blob-interpreting" function, along with the type of operation (mod, get,

pretty neat. liked it a lot. really enjoyed working with andrew on it.

...now that i think about it, the only thing missing was an extra "user
input" blob which would need to be passed into the "blob-interpreting"

in the example where that function is "se_access_check" or a wrapper
around it to convert TDB ops to NT-sec-access permissions, then the extra
"user input" blob is the current NT-user security context. and the "blob"
under the keyname "SEC-"xxxx is the NT security descriptor.
----- Luke Kenneth Casson Leighton <lkcl at samba-tng.org> -----
"i want a world of dreams, run by near-sighted visionaries"
"good. that's them sorted out. now, on _this_ world..."
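
The "SEC-" key scheme described in the message above, including the extra caller-context argument it proposes, as an added sketch in C that is not part of the original post and is not the tdbsec.c API. Every name here (`sec_get`, `sec_modify`, `toy_check`, the `user:ops` blob format) is hypothetical, the store is a small in-memory table rather than tdb, and refusing guarded access to keys that themselves begin with "SEC-" is an assumption of this sketch.

```c
/* Added sketch: hypothetical names and an in-memory table, not the tdbsec.c API. */
#include <stdio.h>
#include <string.h>
enum op { OP_GET, OP_MODIFY };
/* "blob-interpreting" callback: stored security blob, caller's context, operation */
typedef int (*check_fn)(const char *blob, const char *user, enum op o);
struct kv { char key[64], val[64]; };
struct store { struct kv e[16]; int n; check_fn check; };
static struct kv *find(struct store *s, const char *key) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->e[i].key, key) == 0) return &s->e[i];
    return NULL;
}
static int raw_put(struct store *s, const char *key, const char *val) { /* unchecked */
    struct kv *k = find(s, key);
    if (!k) { if (s->n == 16) return -1; k = &s->e[s->n++]; }
    snprintf(k->key, sizeof k->key, "%s", key);
    snprintf(k->val, sizeof k->val, "%s", val);
    return 0;
}
/* Fetch "SEC-"+key, pass it to the callback; fail closed if absent or key is "SEC-...". */
static int allowed(struct store *s, const char *key, const char *user, enum op o) {
    char sk[64];
    if (strncmp(key, "SEC-", 4) == 0) return 0;
    if (snprintf(sk, sizeof sk, "SEC-%s", key) >= (int)sizeof sk) return 0;
    struct kv *sec = find(s, sk);
    return sec && s->check && s->check(sec->val, user, o);
}
static const char *sec_get(struct store *s, const char *key, const char *user) {
    struct kv *k = allowed(s, key, user, OP_GET) ? find(s, key) : NULL;
    return k ? k->val : NULL;
}
static int sec_modify(struct store *s, const char *key, const char *val, const char *user) {
    return allowed(s, key, user, OP_MODIFY) ? raw_put(s, key, val) : -1;
}
/* Toy interpreter for a constructed blob format "user:ops,user:ops" (g=get, m=modify). */
static int toy_check(const char *blob, const char *user, enum op o) {
    size_t ul = strlen(user);
    for (const char *p = blob; *p; p += strcspn(p, ","), p += (*p == ','))
        if (strncmp(p, user, ul) == 0 && p[ul] == ':')
            return memchr(p + ul + 1, o == OP_GET ? 'g' : 'm', strcspn(p + ul + 1, ",")) != NULL;
    return 0;
}
static struct store *demo_store(void) {   /* constructed data; "rec2" has no blob */
    static struct store s;
    if (!s.check) { s.check = toy_check; raw_put(&s, "rec1", "v1"); raw_put(&s, "rec2", "v1");
                    raw_put(&s, "SEC-rec1", "alice:gm,bob:g"); }
    return &s;
}
int main(void) { printf("%d\n", sec_modify(demo_store(), "rec1", "v2", "bob")); return 0; }
```

In the NT case the message describes, `toy_check` would be replaced by a wrapper around se_access_check, the blob by the security descriptor, and `user` by the caller's security context.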