Explaining the new SAM

Gerald Carter jerry at samba.org
Wed Oct 2 13:11:01 GMT 2002


On Wed, 2 Oct 2002, Andrew Bartlett wrote:

> > This seems like a lot of duplication of code and can lead to
> > "There's a bug in SAM1 but not SAM2".  If the access checks
> > will always be the same, why push them into the SAM module and
> > force each write to cut-n-paste security descriptor code.
> 
> Yes, I am worried about that a bit.  The main issue is that I would like
> a single read from LDAP - so we don't get a race there.  But we could do
> it 'after the fact', and get each module to pass up the security
> descriptor to the SAM interface layer.

Ahhh....ok I see now.  But it still seems like a lot of duplicated 
code.  

Taking another perspective, i'm still not convinced why a security
descriptor on each SAM object is needed.  What do we gain by it
at the cost of added complexity?

> > So a SAM is a passdb with ACL's.  What else?
> 
> Groups and policies thown in, but it's not really meant to be that

By policies you mean "rights" like "backup files" ?

> massive.  One step at a time and such things.  Also a move to NTTIME in
> the interfaces, and an attempt to cope with a wider scope of problems.

What "wider scope of problems"?  Without knowing what you are trying to 
address, it's pretty hard to comment.

> Mostly it's a rework so we could move further forward then passdb could
> reasonably be streached.  It sounds big, but it really isn't...






cheers, jerry
 ---------------------------------------------------------------------
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "SAMS Teach Yourself Samba in 24 Hours" 2ed.       ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--




More information about the samba-technical mailing list