Access control to SAM / _samr_query_sec_obj
Tim Potter
tpot at samba.org
Fri May 31 15:20:03 GMT 2002
On Sat, Jun 01, 2002 at 12:17:19AM +0200, Kai Krueger wrote:
> currently, as far as I can see, the access control to the SAM database is
> only based upon file access to the db-files. On normal installations
> therefore only the root user can change, delete or add things instead of the
> entire administrators group. As this is IMHO rather "unhelpfull", especially
> if you are trying to administer your samba-server from windows machines, I'm
> thinking about implementing a more "NT-like" access control to the SAM-db.
> Is there currently anybody else working in that region?
I'm thinking more seriously about it, but will probably end up only
putting hacks in 2.2 instead. (-:
> I've started off with implementing default Security Descriptors for the
> global SAM object, the domain object and the alias objects (only SD for user
> objects were available till now), which are needed in the later to come
Is there more than one SD for the SAM system? I thought there was only
a global one.
> se_access_check()s of the open/connect RPCs. These default SDs are based
> upon the SDs I received from my Win2k pro workstation. I don't have access
> to a Windows PDC, so I couldn't do it for global domain groups. :(
How did you display these? I'm curious now.
> However I don't know how to find out if those SIDs represent Users, Groups,
> or Alliases, so SDs for useres are still always created in this case instead
> of the correct ones. Does anybody know an easy way to figure out which is
> correct?
I think it's impossible to tell the type of a sid without doing a sid to
name lookup.
Tim.
More information about the samba-technical
mailing list