How to use the new group/privilege mapping code.

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Sun Jan 27 23:26:01 GMT 2002


On Mon, 28 Jan 2002, Andrew Bartlett wrote:

> I am looking at what would be required to honor the 'add workstation to
> domain' privilege that the new group mapping code generates.
>
> It would seem a fairly simple matter of keeping the privilege map around
> when we do the gid->sid conversion in password.c (for vuid creation).
> Then I assume we just collect them into some kind of structure and
> compare them in the RPC code.
>
> Is this about right?

basically yep.

you can do it the ugly way: keep a copy of the map in the user struct or
wherever that's later accessible in the rpc server code

or you can do it the clean way: redo the NT_USER_TOKEN struct to look more
like on NT and add security descriptors on SAM objects. I have drafted
something already. I'll work on it as soon as I'm done with the wins
replication code.

btw it would be cool if we could extend smbcacls to work with any objects
and not only files.

> (I have a sneaking suspicion that while this would be sufficient to get
> me a workstation account added to the domain, that also setting the
> password on that account might be messy...).

not if you do it cleanly.

	J.F.
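
A sketch of the approach discussed in this thread (keep the privilege map through the gid->sid conversion, collect the result in a structure, compare it in the RPC code), added here as an example; it is not part of the original message and not Samba code. All names, the privilege bits and the sample SIDs are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Hypothetical privilege bits; illustrative names, not Samba's. */
#define PRIV_ADD_WORKSTATION (1u << 0)
#define PRIV_PRINT_OPERATOR  (1u << 1)
#define MAX_TOKEN_SIDS 16

/* One group-map entry: Unix gid -> NT SID plus the privileges it grants. */
struct group_map_entry { gid_t gid; const char *sid; uint32_t privs; };

/* Per-session token, built once when the session (vuid) is created. */
struct user_token {
    const char *sids[MAX_TOKEN_SIDS];
    size_t      num_sids;
    uint32_t    privs;   /* union of the privileges of all mapped groups */
};

/* Constructed sample map (made-up domain SID and RIDs). */
const struct group_map_entry sample_map[] = {
    { 100, "S-1-5-21-1-2-3-513",  0 },
    { 200, "S-1-5-21-1-2-3-1001", PRIV_ADD_WORKSTATION },
    { 300, "S-1-5-21-1-2-3-1002", PRIV_PRINT_OPERATOR },
};

/* gid->sid conversion that keeps the privileges instead of dropping them.
 * Unmapped gids add nothing. Returns 0, or -1 with no privileges granted
 * if the token would overflow (fail closed). */
int build_token(struct user_token *tok, const gid_t *gids, size_t ngids,
                const struct group_map_entry *map, size_t nmap)
{
    tok->num_sids = 0;
    tok->privs = 0;
    for (size_t i = 0; i < ngids; i++) {
        for (size_t j = 0; j < nmap; j++) {
            if (map[j].gid != gids[i]) continue;
            if (tok->num_sids == MAX_TOKEN_SIDS) { tok->privs = 0; return -1; }
            tok->sids[tok->num_sids++] = map[j].sid;
            tok->privs |= map[j].privs;
        }
    }
    return 0;
}

/* RPC-side check: deny unless the token holds every required bit. */
int token_has_priv(const struct user_token *tok, uint32_t required)
{
    return tok != NULL && required != 0 && (tok->privs & required) == required;
}
```

An RPC handler that creates a workstation account would call `token_has_priv(tok, PRIV_ADD_WORKSTATION)` before touching the account database and return an access-denied status otherwise.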





