lsa policy handle

Rafal Szczesniak mimir at spin.ict.pwr.wroc.pl
Thu Nov 29 04:06:01 GMT 2001


On Thu, 29 Nov 2001, Jean Francois Micouleau wrote:

> Up until now we didn't have a need to check the desired_access and who was
> the user doing the open_policy(). As all the lsa functions we had were
> only 'read' functions.

Not necessarily. As you mention further, there're also some 'execute'
functions. However, there's no purely 'write' ones like LsaSetSecret.

> since I have added some 'write' functions, we now need to check.
> Tim, that's like the spoolss_open_printer() call.
>
> The problem I have is simple: basically on NT you have an SD (or a DACL
> doesn't make a difference) attached to the LSA process. The DACL contains:
> - (WORLD, GENERIC_EXECUTE)
> - (SYSTEM, POLICY_ALL_ACCESS)
> - (admins alias, GENERIC_FULL)
>
> and you can't change that DACL, it's hardcoded somewhere (or maybe stored
> in the registry doesn't matter).
>
> As on samba we don't have nested groups, and as I don't want to add yet
> another "lsa admin" param to smb.conf, that would be not fine grained
> enough, I'm stuck with adding either 3 or around 25 privileges to the
> group mapping code.

sounds like a new tdb ?
'lsa admin' param is certainly not the best idea :)

> 3 is GENERIC_EXECUTE|READ|WRITE and we can emulate correctly an NT box.
> GENERIC_EXECUTE is used in the Lsa Enum functions
> GENERIC_READ is used in the Lsa Query functions
> GENERIC_WRITE is used in the Lsa Set functions

and which are the remaining ones? or where can I find them with at
least a brief description?

> Or we go the full fine grained way, and for each Lsa function we have a
> privilege. Btw that's what NT does, but you don't have access to it as you
> can't change the default DACL !

sounds yet more like a new tdb? On the other hand it adds a further
degree of complexity to the code :(

> and now the fun is: I can replace LSA by SAM and duplicate this long and
> boring message.

I didn't check how it looks with SAM, but I'm not surprised
:-)


cheers,
+--------------------------------------------------------+
|Rafal 'Mimir' Szczesniak <mimir at spin.ict.pwr.wroc.pl>   |
|*BSD, Linux and Samba                                  /
|______________________________________________________/
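An added illustration of the check the thread is discussing (example code, not Samba's): a token's SIDs are evaluated against the fixed LSA DACL at open_policy() time, and each later call checks the handle's granted rights for the Enum/Query/Set category. The Win32 generic-rights values are real; the SID bits, the ACE list and the expansion of GENERIC_ALL / POLICY_ALL_ACCESS into the three generic bits are simplifying assumptions.

```c
/* Model of the LSA open_policy() access check (example, not Samba code). */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define GENERIC_READ      0x80000000u
#define GENERIC_WRITE     0x40000000u
#define GENERIC_EXECUTE   0x20000000u
#define GENERIC_ALL       0x10000000u   /* "GENERIC_FULL" in the thread */
#define POLICY_ALL_ACCESS 0x000F0FFFu   /* treated here simply as "everything" */

/* Well-known principals as token bits (constructed for this example). */
enum { SID_WORLD = 1u << 0, SID_SYSTEM = 1u << 1, SID_ADMINS = 1u << 2 };

struct ace { uint32_t sid; uint32_t mask; };

/* The fixed DACL described in the thread; nobody can change it. */
static const struct ace lsa_dacl[] = {
    { SID_WORLD,  GENERIC_EXECUTE   },
    { SID_SYSTEM, POLICY_ALL_ACCESS },
    { SID_ADMINS, GENERIC_ALL       },
};

/* Reduce any mask to the three generic bits; "all" grants all three (assumption). */
static uint32_t expand(uint32_t mask)
{
    if (mask & (GENERIC_ALL | POLICY_ALL_ACCESS))
        mask |= GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE;
    return mask & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
}

/* Rights the DACL grants to a caller holding the given SIDs (OR of matching ACEs). */
uint32_t lsa_granted(uint32_t token_sids)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < sizeof lsa_dacl / sizeof lsa_dacl[0]; i++)
        if (lsa_dacl[i].sid & token_sids)
            granted |= expand(lsa_dacl[i].mask);
    return granted;
}

/* open_policy(): succeed only if every requested bit is granted. */
bool lsa_open_policy(uint32_t token_sids, uint32_t desired_access)
{
    return (expand(desired_access) & ~lsa_granted(token_sids)) == 0;
}

enum lsa_op { LSA_ENUM, LSA_QUERY, LSA_SET };

/* Per-call check: Enum needs EXECUTE, Query needs READ, Set needs WRITE. */
bool lsa_call_allowed(uint32_t handle_access, enum lsa_op op)
{
    uint32_t need = op == LSA_ENUM ? GENERIC_EXECUTE :
                    op == LSA_QUERY ? GENERIC_READ : GENERIC_WRITE;
    return (handle_access & need) != 0;
}
```

The handle keeps the mask granted at open time, so a plain user who opened with GENERIC_EXECUTE can call LsaEnum* but is refused on any LsaSet* call.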
