Access control to SAM / _samr_query_sec_obj

Andrew Bartlett abartlet at
Fri Jun 7 04:47:01 GMT 2002

Kai Krueger wrote:
> ----- Original Message -----
> From: "Andrew Bartlett" <abartlet at>
> Sent: Thursday, June 06, 2002 1:01 PM
> > > As the SDs contained numerical constants as well, that part is included as well, so it is a patch
> > > against a fresh samba HEAD cvs from 31.5.02
> >
> > Firstly, can you update for current CVS?  (I suspect there will be
> > conficts, I made some changes for better NTSTATUS returns recently).
> Yup, I can try and update it to current CVS, as long as that doesn't change to often ;-)
> I'll hopefully be able to do it soon. Should I send the next version of the patch via list again,
> or are there concerns about too many "big" mails?

I'm not too fussed.  Netscape doesn't really like it in the reply pane,
but thats just my problem.  Breaking the patch down often helps.  I
wonder if you would be able to abstract some of the repeditive code (you
have code duplicated right down the file, doing the same thing to
different functions) into a helper function.

> > Secondly, I have some further style nit-picks:
> >  - We can't use \\ as a comment in Samba, as many C compilers don't
> > understand it.
> That shouldn't be a problem to change.
> >  - Please use 8-space tabs.  Samba mainly uses the 'linux' coding style
> > - which you can
> >    set in emacs.  Also make 'if(' -> 'if ('.
> Neither should that. If I find any 'if(' that were there before, should I change them as well?

I won't object :-)

> > On the patch itself, it looks pretty good.  In the longer term, I plan
> > to move the access contols into the passdb - they will take an extra
> > paramater of 'access_granted'.  This will allow us to have a consistant
> > policy across all access methods (SAMR, RAP, etc) as well as removing
> > the really weird way the passdb requires become_root() stuff atm.
> Is that supposed to be a addition or a replacement to the checks done in this patch?

Just letting you know where we are heading.  The current patch is the
correct solution for the current situation.  It allows for the next work
to be done easiliy, and I thank you for that.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list