lsa policy handle

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Thu Nov 29 05:11:23 GMT 2001


On Thu, 29 Nov 2001, Rafal Szczesniak wrote:

> > As on samba we don't have nested groups, and as I don't want to add yet
> > another "lsa admin" param to smb.conf, that would not be fine-grained
> > enough, I'm stuck with adding either 3 or around 25 privileges to the
> > group mapping code.
>
> sounds like a new tdb?
> 'lsa admin' param is certainly not the best idea :)

A new tdb is not required. The new group mapping code in HEAD has all the
infrastructure to store privileges now. I need to work on the tdbsam user
backend to add privileges to users too.

> > 3 is GENERIC_EXECUTE|READ|WRITE and we can emulate correctly an NT box.
> > GENERIC_EXECUTE is used in the Lsa Enum functions
> > GENERIC_READ is used in the Lsa Query functions
> > GENERIC_WRITE is used in the Lsa Set functions
>
> and which are the remaining ones? or where can I find them with at
> least a brief description?

The remaining ones are a subset of these, or more exactly the GENERIC_xxx are
made from the other bitmasks.

You should find all the information in the MSDN; a search on "LSA" or
"LsaOpenPolicy" should give you a starting point.

> > Or we go the full fine grained way, and for each Lsa function we have a
> > privilege. Btw that's what NT does, but you don't have access to it as you
> > can't change the default DACL !
>
> sounds yet more like a new tdb? On the other hand it yields a further
> degree of complexity of the code :(

Oh no, not at all a degree of complexity.

All I have to do is add something like:

	if (!se_check_privilege(p->current_user->token, MINIMUM_NECESSARY_PRIVILEGE))
		return NT_STATUS_NOT_ENOUGH_PRIVILEGE;

at the beginning of each function in srv_lsa_nt.c and srv_samr_nt.c.

	J.F.
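The two points made in this message, that the GENERIC_READ/WRITE/EXECUTE bits are composed from other (specific) rights, and that a one-line privilege check at the top of each RPC handler is enough to gate it, can be shown together in a small stand-alone C program. This is an added illustration, not code from Samba or from the mail; the status values, the right bits, the `generic_mapping` table, the `user_token` struct and the `token_has_rights` check are all constructed for the example (Samba's real `se_check_privilege` and NT_USER_TOKEN look different, and the authoritative POLICY_* bit layout is in MSDN as the mail says).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Status values: constructed for this example, not Samba's definitions. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                   0x00000000u
#define NT_STATUS_NOT_ENOUGH_PRIVILEGE 0xC0000061u

/* Specific LSA policy rights. Bit positions are illustrative only;
 * the real POLICY_* access rights are documented in MSDN. */
#define LSA_VIEW_LOCAL_INFORMATION   0x0001u
#define LSA_VIEW_AUDIT_INFORMATION   0x0002u
#define LSA_GET_PRIVATE_INFORMATION  0x0004u
#define LSA_CREATE_ACCOUNT           0x0010u
#define LSA_SET_DEFAULT_QUOTA_LIMITS 0x0080u
#define LSA_LOOKUP_NAMES             0x0800u

/* Generic rights live in the top bits of an NT ACCESS_MASK. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u

/* "GENERIC_xxx are made from other bitmasks": a generic mapping table
 * says which specific rights each generic bit expands to for this object. */
struct generic_mapping { uint32_t read, write, execute; };

static const struct generic_mapping lsa_policy_mapping = {
    .read    = LSA_VIEW_AUDIT_INFORMATION | LSA_GET_PRIVATE_INFORMATION,
    .write   = LSA_CREATE_ACCOUNT | LSA_SET_DEFAULT_QUOTA_LIMITS,
    .execute = LSA_VIEW_LOCAL_INFORMATION | LSA_LOOKUP_NAMES,
};

/* Replace any GENERIC_* bit in a requested mask with its specific rights. */
uint32_t map_generic_rights(uint32_t mask, const struct generic_mapping *m)
{
    if (mask & GENERIC_READ)    mask = (mask & ~GENERIC_READ)    | m->read;
    if (mask & GENERIC_WRITE)   mask = (mask & ~GENERIC_WRITE)   | m->write;
    if (mask & GENERIC_EXECUTE) mask = (mask & ~GENERIC_EXECUTE) | m->execute;
    return mask;
}

/* Hypothetical token: only the rights the caller holds (constructed). */
struct user_token { uint32_t rights; };

/* Hypothetical check: every bit of `needed`, after generic expansion,
 * must be held. Missing any one of them fails the whole request. */
bool token_has_rights(const struct user_token *tok, uint32_t needed)
{
    needed = map_generic_rights(needed, &lsa_policy_mapping);
    return (tok->rights & needed) == needed;
}

/* Two handlers in the shape the mail describes: the first statement is
 * the privilege check and it fails closed. Enum functions want EXECUTE,
 * Set functions want WRITE. */
NTSTATUS lsa_enum_accounts(const struct user_token *tok, int *count_out)
{
    if (!token_has_rights(tok, GENERIC_EXECUTE))
        return NT_STATUS_NOT_ENOUGH_PRIVILEGE;
    *count_out = 3;  /* constructed result standing in for the real enumeration */
    return NT_STATUS_OK;
}

NTSTATUS lsa_set_default_quota(const struct user_token *tok, uint32_t quota)
{
    if (!token_has_rights(tok, GENERIC_WRITE))
        return NT_STATUS_NOT_ENOUGH_PRIVILEGE;
    (void)quota;     /* the real handler would store it */
    return NT_STATUS_OK;
}

/* Entry points that build a token from a rights mask and call each handler. */
NTSTATUS enum_with_rights(uint32_t held)
{
    struct user_token t = { held };
    int n = 0;
    return lsa_enum_accounts(&t, &n);
}

NTSTATUS set_quota_with_rights(uint32_t held)
{
    struct user_token t = { held };
    return lsa_set_default_quota(&t, 100);
}

int main(void)
{
    uint32_t reader = LSA_VIEW_LOCAL_INFORMATION | LSA_LOOKUP_NAMES;
    printf("enum as reader:      0x%08x\n", enum_with_rights(reader));
    printf("set quota as reader: 0x%08x\n", set_quota_with_rights(reader));
    return 0;
}
```

A caller holding only the EXECUTE-equivalent rights can enumerate but is refused on the Set call, and a caller holding just one of the two rights behind GENERIC_EXECUTE is refused on the Enum call, which is the fine-grained behaviour the mail is after without any extra smb.conf parameter.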