Access control to SAM / _samr_query_sec_obj

Tim Potter
Fri May 31 15:20:03 GMT 2002

On Sat, Jun 01, 2002 at 12:17:19AM +0200, Kai Krueger wrote:

> currently, as far as I can see, the access control to the SAM database is
> only based upon file access to the db-files. On normal installations
> therefore only the root user can change, delete or add things instead of the
> entire administrators group. As this is IMHO rather "unhelpful", especially
> if you are trying to administer your samba-server from windows machines, I'm
> thinking about implementing a more "NT-like" access control to the SAM-db.
> Is there currently anybody else working in that region?

I'm thinking more seriously about it, but will probably end up only
putting hacks in 2.2 instead.  (-:

> I've started off with implementing default Security Descriptors for the
> global SAM object, the domain object and the alias objects (only SD for user
> objects were available till now), which are needed in the later to come

Is there more than one SD for the SAM system?  I thought there was only
a global one.

> se_access_check()s of the open/connect RPCs. These default SDs are based
> upon the SDs I received from my Win2k pro workstation. I don't have access
> to a Windows PDC, so I couldn't do it for global domain groups. :(

How did you display these?  I'm curious now.

> However I don't know how to find out if those SIDs represent Users, Groups,
> or Aliases, so SDs for users are still always created in this case instead
> of the correct ones. Does anybody know an easy way to figure out which is
> correct?

I think it's impossible to tell the type of a sid without doing a sid to
name lookup.
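To illustrate the kind of se_access_check() the thread is talking about, here is an added, self-contained model of an NT-style DACL evaluation; it is written for this page and is neither Samba's se_access_check() nor the default descriptors Kai dumped from his Win2k workstation. SIDs are plain strings, the access-mask values (SAM_READ, SAM_WRITE, SAM_DELETE) are constructed for the example, and the sample descriptor (Guests denied write/delete, Everyone allowed read, the Builtin Administrators alias allowed everything) is a constructed stand-in for a real default SD. It also shows why the check itself never needs to know whether a trustee SID is a user, group or alias: every ACE is matched against the caller's token SIDs in order, deny before allow, and only the SID-to-name lookup Tim mentions would distinguish the types.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of an NT-style access check.
 * Not Samba's se_access_check(); SIDs are strings for readability. */

#define MAX_ACES 8
#define MAX_SIDS 8

enum ace_type { ACE_ALLOWED, ACE_DENIED };

struct ace {
    enum ace_type type;
    const char *sid;      /* trustee SID: user, group or alias, the check does not care */
    uint32_t mask;        /* access bits granted or denied */
};

struct sec_desc {
    const char *owner_sid;
    int n_aces;
    struct ace aces[MAX_ACES];   /* DACL in canonical order: deny ACEs first */
};

struct token {
    int n_sids;
    const char *sids[MAX_SIDS];  /* user SID plus group/alias memberships */
};

/* Access rights for this model (values constructed for illustration). */
#define SAM_READ      0x0001u
#define SAM_WRITE     0x0002u
#define SAM_DELETE    0x0004u
#define READ_CONTROL  0x20000u
#define WRITE_DAC     0x40000u

static bool token_has_sid(const struct token *t, const char *sid)
{
    for (int i = 0; i < t->n_sids; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return true;
    return false;
}

/* Returns true and sets *granted when every bit in desired is allowed.
 * ACEs are walked in order: a matching deny ACE covering a still
 * outstanding bit rejects the request; matching allow ACEs accumulate. */
bool access_check(const struct sec_desc *sd, const struct token *tok,
                  uint32_t desired, uint32_t *granted)
{
    uint32_t allowed = 0;

    /* The owner implicitly holds READ_CONTROL and WRITE_DAC, as on NT. */
    if (token_has_sid(tok, sd->owner_sid))
        allowed |= READ_CONTROL | WRITE_DAC;

    for (int i = 0; i < sd->n_aces && (desired & ~allowed); i++) {
        const struct ace *a = &sd->aces[i];
        if (!token_has_sid(tok, a->sid))
            continue;
        if (a->type == ACE_DENIED) {
            if (a->mask & desired & ~allowed) {
                *granted = 0;
                return false;
            }
        } else {
            allowed |= a->mask & desired;
        }
    }
    *granted = allowed & desired;
    return (desired & ~allowed) == 0;
}

/* Constructed sample descriptor, owned by the Builtin Administrators alias:
 * Guests (S-1-5-32-546) denied write/delete, Everyone (S-1-1-0) read,
 * Administrators (S-1-5-32-544) full control. Deny ACE placed first. */
static const struct sec_desc sample_sd = {
    .owner_sid = "S-1-5-32-544",
    .n_aces = 3,
    .aces = {
        { ACE_DENIED,  "S-1-5-32-546", SAM_WRITE | SAM_DELETE },
        { ACE_ALLOWED, "S-1-1-0",      SAM_READ },
        { ACE_ALLOWED, "S-1-5-32-544", SAM_READ | SAM_WRITE | SAM_DELETE },
    },
};

/* Builds a token from a (constructed) user SID and one group/alias SID,
 * always adding Everyone, and returns the granted mask or 0 on denial. */
uint32_t rights_for(const char *user_sid, const char *group_sid, uint32_t desired)
{
    struct token t = { 3, { user_sid, group_sid, "S-1-1-0" } };
    uint32_t granted = 0;
    if (!access_check(&sample_sd, &t, desired, &granted))
        return 0;
    return granted;
}

int main(void)
{
    printf("admin write+delete: 0x%x\n", rights_for("S-1-5-21-0-0-0-1000", "S-1-5-32-544", SAM_WRITE | SAM_DELETE));
    printf("user read:          0x%x\n", rights_for("S-1-5-21-0-0-0-1001", "S-1-5-32-545", SAM_READ));
    printf("user write:         0x%x\n", rights_for("S-1-5-21-0-0-0-1001", "S-1-5-32-545", SAM_WRITE));
    printf("guest write:        0x%x\n", rights_for("S-1-5-21-0-0-0-501", "S-1-5-32-546", SAM_WRITE));
    return 0;
}
```

The ordering matters: because the guest deny ACE sits before the Everyone allow ACE, a guest still gets read (the deny mask does not cover SAM_READ) but is refused write even though a later ACE might have granted it to a broader trustee. A descriptor whose ACEs are not in canonical order would make the outcome depend on where the deny landed, which is one reason default SDs are worth getting right up front.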

