lsa policy handle
Jean Francois Micouleau
Jean-Francois.Micouleau at dalalu.fr
Thu Nov 29 05:11:23 GMT 2001
On Thu, 29 Nov 2001, Rafal Szczesniak wrote:
> > As on samba we don't have nested groups, and as I don't want to add yet
> > another "lsa admin" param to smb.conf, that would be not fine grained
> > enough, I'm stuck with adding either 3 or around 25 privileges to the
> > group mapping code.
> sounds like a new tdb ?
> 'lsa admin' param is certainly not the best idea :)
a new tdb is not required. The new group mapping code in HEAD has all the
infrastructure to store privileges now. I need to work on the tdbsam user
backend to add privileges to users too.
> > 3 is GENERIC_ EXECUTE|READ|WRITE and we can emulate correctly an NT box.
> > GENERIC_EXECUTE is used in the Lsa Enum functions
> > GENERIC_READ is used in the Lsa Query functions
> > GENERIC_WRITE is used in the Lsa Set functions
> and which are the remaining ones ? or where can I find it with at
> least brief description ?
the remaining are subsets of these ones, or more exactly GENERIC_xxx are
made from other bitmasks.
You should find all the information in the MSDN; do a search on "LSA" or
"LsaOpenPolicy", which should give you a starting point.
> > Or we go the full fine grained way, and for each Lsa function we have a
> > privilege. Btw that's what NT does, but you don't have access to it as you
> > can't change the default DACL !
> sounds yet more like a new tdb ? On the other hand it yields further
> degree of complexity of the code :(
oh no not at all a degree of complexity.
all I have to do is add something like:
at the beginning of each function in srv_lsa_nt.c and srv_samr_nt.c
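
The coarse three-right scheme discussed in this message, sketched as an added example (it is not part of the original e-mail and is not Samba's code): generic bits are expanded into the LSA policy bitmasks at open time, and each call class checks the handle's granted mask on entry. The names `policy_handle_info`, `lsa_op`, `map_generic`, `open_policy` and `access_ok`, and the `allowed` parameter standing for rights derived from the caller's groups, are assumptions; the mask values are those of Microsoft's ntsecapi.h.

```c
#include <stdint.h>
#include <stdio.h>

#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
/* Composite LSA policy masks, values as in Microsoft's ntsecapi.h. */
#define POLICY_READ     0x00020006u
#define POLICY_WRITE    0x000207F8u
#define POLICY_EXECUTE  0x00020801u

enum lsa_op { LSA_OP_ENUM, LSA_OP_QUERY, LSA_OP_SET };  /* hypothetical */
struct policy_handle_info { uint32_t granted; };         /* hypothetical */

/* Expand generic bits into the policy-specific bitmasks they are made from. */
uint32_t map_generic(uint32_t desired) {
    uint32_t m = desired & 0x0FFFFFFFu;
    if (desired & (GENERIC_READ | GENERIC_ALL))    m |= POLICY_READ;
    if (desired & (GENERIC_WRITE | GENERIC_ALL))   m |= POLICY_WRITE;
    if (desired & (GENERIC_EXECUTE | GENERIC_ALL)) m |= POLICY_EXECUTE;
    return m;
}

/* Open: refuse the handle unless every requested bit is allowed to the
 * caller. 'allowed' stands for rights derived from the caller's groups. */
int open_policy(uint32_t desired, uint32_t allowed, struct policy_handle_info *h) {
    uint32_t want = map_generic(desired);
    if (want == 0 || (want & ~allowed) != 0) return -1;  /* access denied */
    h->granted = want;
    return 0;
}

/* Check at the top of each call. All required bits must be present: the three
 * masks share READ_CONTROL (0x20000), so an "any bit" test would pass a Set. */
int access_ok(const struct policy_handle_info *h, enum lsa_op op) {
    uint32_t need = (op == LSA_OP_ENUM)  ? POLICY_EXECUTE
                  : (op == LSA_OP_QUERY) ? POLICY_READ : POLICY_WRITE;
    return (h->granted & need) == need;
}

int main(void) {
    struct policy_handle_info h;
    uint32_t allowed = POLICY_READ | POLICY_EXECUTE;  /* constructed caller */
    if (open_policy(GENERIC_READ | GENERIC_EXECUTE, allowed, &h) != 0)
        return 1;
    printf("enum=%d query=%d set=%d\n", access_ok(&h, LSA_OP_ENUM),
           access_ok(&h, LSA_OP_QUERY), access_ok(&h, LSA_OP_SET));
    return 0;
}
```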