lsa policy handle
mimir at spin.ict.pwr.wroc.pl
Thu Nov 29 04:06:01 GMT 2001
On Thu, 29 Nov 2001, Jean Francois Micouleau wrote:
> Up until now we didn't have a need to check the desired_access and who was
> the user doing the open_policy(). As all the lsa functions we had were
> only 'read' functions.
Not necessarily. As you mention further, there're also some 'execute'
functions. However, there's no purely 'write' ones like LsaSetSecret.
> since I have added some 'write' functions, we now need to check.
> Tim, that's like the spoolss_open_printer() call.
> The problem I have is simple: basically on NT you have an SD (or a DACL
> doesn't make a difference) attached to the LSA process. The DACL contains:
> - (WORLD, GENERIC_EXECUTE)
> - (SYSTEM, POLICY_ALL_ACCESS)
> - (admins alias, GENERIC_FULL)
> and you can't change that DACL, it's hardcoded somewhere (or maybe stored
> in the registry doesn't matter).
> As on samba we don't have nested groups, and as I don't want to add yet
> another "lsa admin" param to smb.conf, that would be not fine grained
> enough, I'm stuck with adding either 3 or around 25 privileges to the
> group mapping code.
sounds like a new tdb ?
'lsa admin' param is certainly not the best idea :)
> 3 is GENERIC_ EXECUTE|READ|WRITE and we can emulate correctly an NT box.
> GENERIC_EXECUTE is used in the Lsa Enum functions
> GENERIC_READ is used in the Lsa Query functions
> GENERIC_WRITE is used in the Lsa Set functions
and which are the remaining ones ? or where can I find it with at
least brief description ?
> Or we go the full fine grained way, and for each Lsa function we have a
> privilege. Btw that's what NT does, but you don't have access to it as you
> can't change the default DACL !
sounds yet more like a new tdb ? On the other hand it yields further
degree of complexity of the code :(
> and now the fun is: I can replace LSA by SAM and duplicate this long and
> boring message.
I didn't check how does it look like with SAM, but I'm not surprised
|Rafal 'Mimir' Szczesniak <mimir at spin.ict.pwr.wroc.pl> |
|*BSD, Linux and Samba /
More information about the samba-technical