Access control to SAM / _samr_query_sec_obj

Jeremy Allison jra at
Wed Jun 5 11:08:01 GMT 2002

On Wed, Jun 05, 2002 at 07:51:53PM +0200, Kai Krueger wrote:
> This is the first version of the patch to implement access control to SAM.
> It implements checks of the desired access in all open functions (those that create handles)
> against the appropriate default SDs of the previous patch and associates the granted access bits
> with the handle. These granted access bits are then used in the other functions to check if the
> current handle (user) is allowed to run the function. 
> However, I'm not sure if the nt_user_token works correctly, especially if root by default
> belongs to the administrators alias. So to stop the patch braking write access to the sam,
> I've commented out all return nt_status_access_denied. I haven't had the possibility to test
> the nt_user_token, as the attempts to join my win2k workstation to the samba PDC
> always fails :(
> In effect the patch therefore currently doesn't do much except logging but can be used for
> testing. If it works, the changes are then minimal.
> But the patch should at least be enough to see if it is conceptionally acceptable, so any
> comments or improvements are welcome.
> Kai
> --- ./samba-orig/source/rpc_server/srv_samr_nt.c Fri May 31 19:51:43 2002
> +++ ./samba/source/rpc_server/srv_samr_nt.c Wed Jun  5 10:12:39 2002
> @@ -52,9 +52,47 @@
>   /* for use by the \PIPE\samr policy */
>   DOM_SID sid;
>   uint32 status; /* some sort of flag.  best to record it.  comes from opnum 0x39 */
> + uint32 acc_granted;
>   DISP_INFO disp_info;
>  };
> +struct generic_mapping sam_generic_mapping = {
> + 0x20010,
> + 0x2000e,
> + 0x20021,
> + 0xf003f
> +};

Nice patch. I do have one request though. I've (for years)
been removing magic numerical constants from Samba (like
the "0xf003f" in the patch above). We know what these numbers
are in SEC_ACL terms - can you please change the numbers to
a list of #defined constants :

ie. The  0x20010 above should map to :

READ_CONTROL_ACCESS plus a new constant that specifies READ
access to a SAMR, probably something like SAMR_READ_ACCESS
(as it's a specific right).



More information about the samba-technical mailing list