Access control to SAM / _samr_query_sec_obj

Kai Krueger kai at
Sun Jun 2 15:43:04 GMT 2002

----- Original Message -----
From: "Tim Potter" <tpot at>
Sent: Saturday, June 01, 2002 8:17 PM

> On Sat, Jun 01, 2002 at 12:17:19AM +0200, Kai Krueger wrote:
> > currently, as far as I can see, the access control to the SAM database is
> > only based upon file access to the db-files. On normal installations
> > therefore only the root user can change, delete or add things instead of the
> > entire administrators group. As this is IMHO rather "unhelpful", especially
> > if you are trying to administer your samba-server from windows machines, I'm
> > thinking about implementing a more "NT-like" access control to the SAM-db.
> > Is there currently anybody else working in that region?
> I'm thinking more seriously about it, but will probably end up only
> putting hacks in 2.2 instead.  (-:

I've thought about it as well and think that I could implement it and hopefully it would be 
more than "just a hack" but you never know until it's done ;-)
I'm currently working on the head code though. How far do 2.2 and head differ here, 
especially the rpc_server/srv_samr_nt.c file that would IMHO be the main point of change? 

> > I've started off with implementing default Security Descriptors for the
> > global SAM object, the domain object and the alias objects (only SD for user
> > objects were available till now), which are needed in the later to come
> Is there more than one SD for the SAM system?  I thought there was only
> a global one.

Well, what I meant was that the SAM has a sort of tree hierarchy with a root node at the top (I 
called that the global SAM object). The domains (probably always one, or two with the builtin 
domain) form the second layer, and the users, groups and aliases the third. All of these 5 different 
classes of objects (or nodes if speaking of trees) must have different SDs, as the specific access bits 
differ quite a bit.

> > se_access_check()s of the open/connect RPCs. These default SDs are based
> > upon the SDs I received from my Win2k pro workstation. I don't have access
> > to a Windows PDC, so I couldn't do it for global domain groups. :(
> How did you display these?  I'm curious now.

I used ACL tools from BindView ( ) but you probably could use a modified version of rpcclient, that 
accepted a SID instead of a name. 

> > However I don't know how to find out if those SIDs represent Users, Groups,
> > or Aliases, so SDs for users are still always created in this case instead
> > of the correct ones. Does anybody know an easy way to figure out which is
> > correct?
> I think it's impossible to tell the type of a sid without doing a sid to
> name lookup.


Well, it was only needed in _samr_query_sec_obj() and that itself, as far as I can see, is only needed for displaying the SDs to windows clients or rpcclient and wouldn't be used in the actual access checks. At least not until fully customizable SDs for all users, groups, aliases, ... are implemented, and then they would have to be stored and retrieved within the SAM.

> Tim.
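
The scheme discussed in this thread (one default security descriptor per class of SAM object, checked once in the open/connect RPC, with the handle remembering what was granted) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Samba's se_access_check() or srv_samr_nt.c, nor the patch Kai describes. The access-mask bit values, the default ACLs per class, and the user SIDs for "alice" and "bob" are constructed assumptions; only Everyone (S-1-1-0) and BUILTIN\Administrators (S-1-5-32-544) are real well-known SIDs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits, default ACLs and the two user SIDs below are constructed
 * for this example; they are not Samba's real SAMR masks or defaults. */
#define SAM_ACCESS_LOOKUP 0x0001u
#define SAM_ACCESS_ENUM   0x0002u
#define SAM_ACCESS_WRITE  0x0004u
#define SAM_ACCESS_DELETE 0x0008u
#define SAM_ACCESS_ALL    0x000Fu

#define SID_EVERYONE "S-1-1-0"              /* well-known: Everyone */
#define SID_ADMINS   "S-1-5-32-544"         /* well-known: BUILTIN\Administrators */
#define SID_ALICE    "S-1-5-21-0-0-0-1001"  /* constructed */
#define SID_BOB      "S-1-5-21-0-0-0-1002"  /* constructed */

enum ace_type  { ACE_ALLOW, ACE_DENY };
/* The five node classes of the SAM tree named in the thread. */
enum sam_class { SAM_SERVER, SAM_DOMAIN, SAM_USER, SAM_GROUP, SAM_ALIAS };

typedef struct { enum ace_type type; uint32_t mask; const char *sid; } ace_t;
typedef struct { size_t num_aces; ace_t aces[4]; } sec_desc_t;
typedef struct { size_t num_sids; const char *sids[4]; } token_t;
typedef struct { enum sam_class cls; uint32_t granted; bool valid; } sam_handle_t;

/* Token = the caller's own SID, an optional group SID, and Everyone. */
token_t make_token(const char *user_sid, const char *group_sid)
{
    token_t t = { 0 };
    t.sids[t.num_sids++] = user_sid;
    if (group_sid) t.sids[t.num_sids++] = group_sid;
    t.sids[t.num_sids++] = SID_EVERYONE;
    return t;
}

static bool token_has_sid(const token_t *tok, const char *sid)
{
    for (size_t i = 0; i < tok->num_sids; i++)
        if (strcmp(tok->sids[i], sid) == 0) return true;
    return false;
}

/* NT-style DACL walk: ACEs are taken in order, only those naming a SID the
 * token holds count, an allow ACE clears the bits it grants from the set
 * still wanted, and a deny ACE covering any still-wanted bit ends the walk
 * with failure. Success means every desired bit was granted. */
bool sd_access_check(const sec_desc_t *sd, const token_t *tok,
                     uint32_t desired, uint32_t *granted)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < sd->num_aces && remaining != 0; i++) {
        const ace_t *ace = &sd->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining) break;   /* explicit deny wins */
        } else {
            remaining &= ~ace->mask;
        }
    }
    if (granted) *granted = desired & ~remaining;
    return remaining == 0;
}

/* One default SD per object class (constructed policy): everyone may look
 * up, non-user objects may also be enumerated, a user may change (but not
 * delete) its own object, administrators get everything. self_sid is only
 * consulted for SAM_USER. */
sec_desc_t default_sd(enum sam_class cls, const char *self_sid)
{
    sec_desc_t sd = { 0 };
    uint32_t everyone = (cls == SAM_USER) ? SAM_ACCESS_LOOKUP
                                          : SAM_ACCESS_LOOKUP | SAM_ACCESS_ENUM;
    sd.aces[sd.num_aces++] = (ace_t){ ACE_ALLOW, everyone, SID_EVERYONE };
    if (cls == SAM_USER && self_sid)
        sd.aces[sd.num_aces++] =
            (ace_t){ ACE_ALLOW, SAM_ACCESS_LOOKUP | SAM_ACCESS_WRITE, self_sid };
    sd.aces[sd.num_aces++] = (ace_t){ ACE_ALLOW, SAM_ACCESS_ALL, SID_ADMINS };
    return sd;
}

/* Model of an open/connect RPC: the SD is checked once, and the handle
 * carries the granted mask so later calls only consult the handle. */
sam_handle_t sam_open(enum sam_class cls, const char *obj_sid,
                      const token_t *tok, uint32_t desired)
{
    sam_handle_t h = { cls, 0, false };
    sec_desc_t sd = default_sd(cls, obj_sid);
    h.valid = sd_access_check(&sd, tok, desired, &h.granted);
    return h;
}

bool sam_handle_allows(const sam_handle_t *h, uint32_t needed)
{
    return h->valid && (h->granted & needed) == needed;
}

int main(void)
{
    token_t admin = make_token(SID_BOB, SID_ADMINS);
    token_t alice = make_token(SID_ALICE, NULL);
    sam_handle_t h = sam_open(SAM_USER, SID_ALICE, &alice, SAM_ACCESS_DELETE);
    printf("alice deleting her own user object: %s\n", h.valid ? "allowed" : "denied");
    h = sam_open(SAM_USER, SID_ALICE, &admin, SAM_ACCESS_DELETE);
    printf("administrator deleting alice:       %s\n", h.valid ? "allowed" : "denied");
    return 0;
}
```

Two points the model makes visible: because the check runs at open time, a handle opened for enumeration cannot later be used for a write no matter what the SD says, and because the walk is order-sensitive, deny ACEs only behave as intended when they precede the allow ACEs (the canonical order Windows expects), which is the ordering a stored, customizable SD would have to preserve.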
