LSA Privileges

tridge at samba.org
Sat Feb 8 04:20:23 GMT 2003


Volker,

I'm CCing this to samba-technical as others may be interested in the
answer. I hope you don't mind.

First off, MSDN has quite a lot of info on privileges. You should read
up on the LSA privileges calls there.

I will soon be ripping the privileges code out of the group mapping
code, as it just doesn't belong there. Instead I will create a
separate privileges.tdb and make this go via pdb so it can be remoted
via LDAP.

The main things to understand about privileges are:

- logically each privilege is a string name and a set of SIDs
  associated with that string name. 

- The SIDs do not have to be group SIDs (they can, for example, be
  users) 

- The names do not have to have fixed numbers associated with them
  (although I will probably associate fixed bitmasks with each name
  for programming convenience).

- when we create an NT token we need to query the privileges db and ask
  it 'what union of privileges are associated with this list of
  SIDs'. That then defines the privileges for a security context.

- privileges act a bit like setuid bits on executables in Unix. If you
  have a privilege then you get to do the associated operation whether
  or not the ACL on that object allows it.

- If you don't have the required privilege then the ACL is checked.

If you wish to play with privileges then you may wish to use the 
rpcclient commands 'lsaenumacctrights', 'lsaaddacctrights' and
'lsaremoveacctrights' that have been recently added to the HEAD
branch. They should allow you to experiment easily.

One thing I don't understand yet is how the numbers used during a SAMR
replication of the privileges database are derived from the string
names used in LSA.

Cheers, Tridge

> Hi, Andrew!
> 
> Currently I'm looking at getting the group mapping into LDAP. JF has
> put privileges into the group mapping database. I'm not sure whether
> they really belong there. But on the other hand, I don't really
> understand what is going on with privileges (what the heck is a
> systemaccount?)
> 
> Do you have any reference from where you can read about privileges?
> 
> Volker
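
The model described in the message above (a privilege is a string name plus a set of SIDs, a token holds the union for its SID list, and the ACL is consulted only when the privilege is absent), as an added example that is not part of the original post and is not Samba's code. The bitmask values, the SID-to-privilege assignments and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SIDS 4

/* One privilege: a string name plus the set of SIDs that hold it. */
struct privilege {
    const char *name;
    uint32_t    mask;             /* assumed fixed bitmask per name */
    const char *sids[MAX_SIDS];   /* user or group SIDs, NULL-terminated */
};

/* Constructed sample database; SID assignments and masks are illustrative. */
static const struct privilege priv_db[] = {
    { "SeBackupPrivilege",        0x1, { "S-1-5-32-551", "S-1-5-32-544" } },
    { "SeRestorePrivilege",       0x2, { "S-1-5-21-1111-2222-3333-1005" } },
    { "SeTakeOwnershipPrivilege", 0x4, { "S-1-5-32-544" } },
};

/* Constructed token: one user SID plus one group SID. */
static const char *const sample_token[] = {
    "S-1-5-21-1111-2222-3333-1005", "S-1-5-32-551",
};

/* Union of the privileges associated with any SID in the list. */
uint32_t token_privileges(const char *const *sids, size_t n)
{
    uint32_t mask = 0;
    for (size_t p = 0; p < sizeof(priv_db) / sizeof(priv_db[0]); p++)
        for (size_t s = 0; s < MAX_SIDS && priv_db[p].sids[s]; s++)
            for (size_t i = 0; i < n; i++)
                if (strcmp(priv_db[p].sids[s], sids[i]) == 0)
                    mask |= priv_db[p].mask;
    return mask;
}

/* A held privilege permits the operation; without it the ACL decides. */
int access_allowed(uint32_t held, uint32_t required, int acl_allows)
{
    return (held & required) ? 1 : acl_allows;
}

int main(void)
{
    uint32_t held = token_privileges(sample_token, 2);
    printf("held=0x%x backup=%d take_ownership=%d\n", (unsigned)held,
           access_allowed(held, 0x1, 0), access_allowed(held, 0x4, 0));
    return 0;
}
```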

