Rework SAMR code, and remove rpc_parse dependency on passdb

Kai Krueger kai at
Tue Jun 25 16:42:03 GMT 2002

From: "Andrew Bartlett" <abartlet at> Sent: Tuesday, June 25, 2002 4:33 PM

> I've been doing some cleanup work recently - and I've particularly been
> attacking the complex web of samba dependencies.
> This patch does two things:  It reworks some SAMR code, in a way that
> avoids the need for *two* separate 'enumerate a list of domain users'
> functions, and that adds some SID checking.
> Now the sid checking is currently incorrect - I'm still chasing down the
> finer details of 'policy handles', but I just wanted to put this patch
> out for an eyeball.
> What do people think - are there other problems with what I'm doing?
> And can anybody explain to me how policy handles work?

Each time a client opens a SAM-object (i.e. domain, user ...) the
server-side open function creates a new handle that is a link to some
server-stored data. Usually this data is about the object that is being opened
(e.g. SID, access rights ...) but can basically be anything. The handle is returned to the
client which passes it back to the server in the next functions on that SAM-object.
The server uses this handle to look up the originally stored data and identify the

>  In particular I
> want to find the policy for the domain that this user was opened on - so
> I can check the domain sid during the reply.  (Yes, I could assume the
> passdb is sane, and gives back correct sids, but I want the extra check
> before I strip the rid from the sid).

It is possible to store the domain policy handle in the user policy, so that you
can get the domain policy on which the user was opened if you have the user
policy. I'm not sure if that is a good idea though, because the domain policy
might already be closed even though the user policy is still open. The information
you need about the user should rather be stored with the user policy.
Look at the samr_info struct to see what is currently stored with the policy.
This includes the SID, so it is easy to split off the domain sid from the user SID.

It would be good if all those q_u->pol could be renamed to identify on what
type of sam-object each of the policies were opened, i.e. q_u->domain_pol,
q_u->user_pol, q_u->group_pol and so on. I think that would clarify some of
the policy stuff.

>+ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
>+ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &domain_sid))
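
Review bot: the first added line takes the lookup result through a `(void **)&info` cast, and nothing visible in these two lines confirms that `q_u->pol` was opened on the object type this function expects before `info` is used. Suggest checking the type of the stored object right after the lookup and failing the call on a mismatch. Both lines also resolve the same handle, so one lookup that yields both `info` and the SID would be enough.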

Why do you need both find_policy_by_hnd() and get_lsa_policy_samr_sid()?
The second calls the first, so you should only need one of them.

I haven't looked at the changes very closely yet, but wouldn't a lot of this
need to be changed again after the samdb rework we are planning on IRC?
Wouldn't it be more sensible to do this stuff after or while the reworking?

> Andrew Bartlett
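
A minimal model of the handle scheme discussed in this reply, added here as an illustration and not taken from Samba: the server keeps the SID with each handle, rejects handles of the wrong object type, and derives the domain SID from the user handle's own data, so it still works after the domain handle is closed. All names (`pol_entry`, `pol_open`, `pol_find`, `user_domain_sid`) and the index-based handle are assumptions; real handles are opaque values.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; not Samba's samr_info or its handle API. */
enum pol_type { POL_FREE = 0, POL_DOMAIN, POL_USER };
struct sid { uint8_t num_auths; uint32_t sub_auths[15]; };
struct pol_entry {             /* server-side data the handle links to */
    enum pol_type type;        /* what kind of SAM object was opened */
    struct sid sid;            /* full SID of that object */
};

#define MAX_POL 16
static struct pol_entry pol_table[MAX_POL];   /* zeroed: all slots free */

/* Open: store the data, hand back a handle (index + 1; 0 means failure). */
uint32_t pol_open(enum pol_type type, const struct sid *sid)
{
    for (uint32_t i = 0; i < MAX_POL; i++) {
        if (pol_table[i].type == POL_FREE) {
            pol_table[i].type = type;
            pol_table[i].sid = *sid;
            return i + 1;
        }
    }
    return 0;
}

void pol_close(uint32_t hnd)
{
    if (hnd >= 1 && hnd <= MAX_POL)
        pol_table[hnd - 1].type = POL_FREE;
}

/* Lookup that rejects unknown, closed and wrong-type handles. */
const struct pol_entry *pol_find(uint32_t hnd, enum pol_type want)
{
    if (want == POL_FREE || hnd < 1 || hnd > MAX_POL)
        return NULL;
    return pol_table[hnd - 1].type == want ? &pol_table[hnd - 1] : NULL;
}

/* Split the SID stored with a user handle into domain SID and RID. */
int user_domain_sid(uint32_t user_hnd, struct sid *dom, uint32_t *rid)
{
    const struct pol_entry *e = pol_find(user_hnd, POL_USER);
    if (e == NULL || e->sid.num_auths < 1 || e->sid.num_auths > 15)
        return -1;
    *dom = e->sid;
    *rid = dom->sub_auths[--dom->num_auths];   /* last sub-authority is the RID */
    dom->sub_auths[dom->num_auths] = 0;
    return 0;
}
```
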

