Access control to SAM / _samr_query_sec_obj

Tim Potter tpot at
Sun Jun 2 16:32:02 GMT 2002

On Mon, Jun 03, 2002 at 01:40:02AM +0200, Kai Krueger wrote:

> > On Sat, Jun 01, 2002 at 12:17:19AM +0200, Kai Krueger wrote:
> > 
> > > currently, as far as I can see, the access control to the SAM database is
> > > only based upon file access to the db-files. On normal installations
> > > therefore only the root user can change, delete or add things instead of the
> > > entire administrators group. As this is IMHO rather "unhelpful", especially
> > > if you are trying to administer your samba-server from windows machines, I'm
> > > thinking about implementing a more "NT-like" access control to the SAM-db.
> > > Is there currently anybody else working in that region?
> > 
> > I'm thinking more seriously about it, but will probably end up only
> > putting hacks in 2.2 instead.  (-:
> I've thought about it as well and think that I could implement it and hopefully it would be 
> more than "just a hack" but you never know until it's done ;-)
> I'm currently working on the head code though. How far do 2.2 and head differ here, 
> especially the rpc_server/srv_samr_nt.c file that would IMHO be the main point of change? 

The point is that 2.2 is unlikely to change by very much or have any
significantly new functionality to it.  If you are going to add SDs to
rpc pipes then it may have to be done in a way that minimises the impact
on other pieces of code rather than the Right Way which may involve
rewriting some unrelated code.

> > > I've started off with implementing default Security Descriptors for the
> > > global SAM object, the domain object and the alias objects (only SD for user
> > > objects were available till now), which are needed in the later to come
> > 
> > Is there more than one SD for the SAM system?  I thought there was only
> > a global one.
> Well, what I meant was that the SAM has a sort of tree hierarchy with a root node at the top (I 
> called that the global SAM object). The domains (probably always one, or two with the builtin 
> domain) form the second layer, and the users, groups and aliases the third. All of these 5 different 
> classes of objects (or nodes if speaking of trees) must have different SDs, as the specific access bits 
> differ quite a bit. 

I discovered the other day that the two domains have their own SDs but I
didn't think users, groups and aliases did.

> > > se_access_check()s of the open/connect RPCs. These default SDs are based
> > > upon the SDs I received from my Win2k pro workstation. I don't have access
> > > to a Windows PDC, so I couldn't do it for global domain groups. :(
> > 
> > How did you display these?  I'm curious now.
> I used ACL tools from BindView ( ) but you probably could use a modified version of rpcclient that 
> accepts a SID instead of a name. 

OK - that's what I have as well.  I might do some more experimentation
with it then.
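The thread above describes two design points: each class of SAM object (root, domain, user, group, alias) carries its own security descriptor, and the open/connect RPC handlers run an se_access_check()-style evaluation of the caller's token against that descriptor before handing out a handle. The following C program, added here as an illustration and not code from this thread or from Samba, models that design on a three-level tree. The object names, access-mask bits, default ACLs and the domain-user SID are constructed for the example; only the Everyone, Administrators and Guests SIDs are real well-known values. It also shows the ordering rule that a practitioner checking default SDs cares about: a DENY ACE only takes effect if it precedes the ALLOW that would otherwise satisfy the request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of NT-style DACL evaluation over a small SAM-like tree
 * (root -> domain -> user). Access bits, ACLs and the domain SID are
 * constructed; this is not Samba's se_access_check() or its real SDs. */

enum { ACE_ALLOW, ACE_DENY };

/* Hypothetical per-object access bits; real SAMR masks differ per class. */
#define SAM_READ   0x1u
#define SAM_WRITE  0x2u
#define SAM_CREATE 0x4u
#define SAM_DELETE 0x8u
#define SAM_ALL    (SAM_READ | SAM_WRITE | SAM_CREATE | SAM_DELETE)

#define SID_EVERYONE "S-1-1-0"              /* well-known */
#define SID_ADMINS   "S-1-5-32-544"         /* well-known */
#define SID_GUESTS   "S-1-5-32-546"         /* well-known */
#define SID_ALICE    "S-1-5-21-1-2-3-1001"  /* constructed */

#define MAX_ACES 4
#define MAX_SIDS 4

struct ace      { int type; const char *sid; uint32_t mask; };
struct sec_desc { int n; struct ace aces[MAX_ACES]; };
struct token    { int n; const char *sids[MAX_SIDS]; };
struct sam_obj  { const char *name; const char *parent; struct sec_desc sd; };

static bool token_has(const struct token *t, const char *sid)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return true;
    return false;
}

/* Ordered DACL walk: a matching DENY ACE overlapping any still-unsatisfied
 * bit rejects the request; matching ALLOW ACEs clear bits; the open succeeds
 * only when every requested bit has been granted. A DENY placed after the
 * ALLOW that satisfies the same bits is never reached, so order matters. */
bool access_check(const struct sec_desc *sd, const struct token *tok,
                  uint32_t desired, uint32_t *granted)
{
    uint32_t remaining = desired;
    *granted = 0;
    for (int i = 0; i < sd->n && remaining; i++) {
        const struct ace *a = &sd->aces[i];
        if (!token_has(tok, a->sid))
            continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining)
                return false;
        } else {
            remaining &= ~a->mask;
        }
    }
    if (remaining)
        return false;           /* some requested bit was never granted */
    *granted = desired;
    return true;
}

/* Constructed default SDs, one per layer of the tree. */
static const struct sam_obj sam_tree[] = {
    { "sam", NULL, { 2, {
        { ACE_ALLOW, SID_EVERYONE, SAM_READ },
        { ACE_ALLOW, SID_ADMINS,   SAM_ALL } } } },
    { "domain", "sam", { 3, {
        { ACE_DENY,  SID_GUESTS,   SAM_READ | SAM_WRITE }, /* deny first */
        { ACE_ALLOW, SID_EVERYONE, SAM_READ },
        { ACE_ALLOW, SID_ADMINS,   SAM_ALL } } } },
    { "user/alice", "domain", { 3, {
        { ACE_ALLOW, SID_EVERYONE, SAM_READ },
        { ACE_ALLOW, SID_ALICE,    SAM_WRITE },   /* may modify own object */
        { ACE_ALLOW, SID_ADMINS,   SAM_ALL } } } },
};

/* What an open/connect handler does: find the object, check the caller's
 * token against its SD, and refuse the handle on failure. */
bool open_sam_object(const char *name, const struct token *tok, uint32_t desired)
{
    for (size_t i = 0; i < sizeof sam_tree / sizeof sam_tree[0]; i++) {
        if (strcmp(sam_tree[i].name, name) == 0) {
            uint32_t granted;
            return access_check(&sam_tree[i].sd, tok, desired, &granted);
        }
    }
    return false;               /* unknown object: no handle */
}

/* Constructed caller tokens. */
const struct token admin_tok = { 2, { SID_EVERYONE, SID_ADMINS } };
const struct token alice_tok = { 2, { SID_EVERYONE, SID_ALICE } };
const struct token guest_tok = { 2, { SID_EVERYONE, SID_GUESTS } };

int main(void)
{
    printf("admin write domain: %d\n", open_sam_object("domain", &admin_tok, SAM_WRITE));
    printf("alice write domain: %d\n", open_sam_object("domain", &alice_tok, SAM_WRITE));
    printf("guest read domain:  %d\n", open_sam_object("domain", &guest_tok, SAM_READ));
    printf("alice write self:   %d\n", open_sam_object("user/alice", &alice_tok, SAM_WRITE));
    return 0;
}
```

With these constructed defaults an Administrators member can write the domain object, an ordinary user can read it and modify only her own user object, and a Guests member is refused even read access because the DENY ACE sits ahead of the Everyone ALLOW. Swapping those two ACEs would silently grant guests read access, which is the kind of ordering mistake worth checking when defaults are copied from a captured Windows SD.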
