Access control to SAM / _samr_query_sec_obj

Andrew Bartlett abartlet at
Thu Jun 6 04:06:02 GMT 2002

Kai Krueger wrote:
> ----- Original Message -----
> From: "Jeremy Allison" <jra at> Sent: Wednesday, June 05, 2002 8:07 PM
> Subject: Re: Access control to SAM / _samr_query_sec_obj
> > Nice patch. I do have one request though. I've (for years)
> > been removing magic numerical constants from Samba (like
> > the "0xf003f" in the patch above). We know what these numbers
> > are in SEC_ACL terms - can you please change the numbers to
> > a list of #defined constants :
> >
> > ie. The  0x20010 above should map to :
> >
> > READ_CONTROL_ACCESS plus a new constant that specifies READ
> > access to a SAMR, probably something like SAMR_READ_ACCESS
> > (as it's a specific right).
> >
> > Thanks,
> >
> > Jeremy.
> >
> Ok, I've removed all the numerical constants and have added them as #defines in rpc_samr.h.
> The names are partly based upon information I got from ACL tools.
> As the SDs contained numerical constants as well, that part is included as well, so it is a patch
> against a fresh samba HEAD cvs from 31.5.02

Firstly, can you update for current CVS?  (I suspect there will be
conficts, I made some changes for better NTSTATUS returns recently).

Secondly, I have some further style nit-picks:
 - We can't use \\ as a comment in Samba, as many C compilers don't
understand it.

 - Please use 8-space tabs.  Samba mainly uses the 'linux' coding style
- which you can
   set in emacs.  Also make 'if(' -> 'if ('.

On the patch itself, it looks pretty good.  In the longer term, I plan
to move the access contols into the passdb - they will take an extra
paramater of 'access_granted'.  This will allow us to have a consistant
policy across all access methods (SAMR, RAP, etc) as well as removing
the really weird way the passdb requires become_root() stuff atm.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list