LSA Privileges

tridge at tridge at
Sun Feb 9 01:26:55 GMT 2003


> I have not investigated too much further, but if you do not see any
> further name transfer, I presume that once the name-number pair has
> been transferred to the BDC, then the PDC can send numbers only.

Interesting, that is certainly a possibility. 

One of the reasons this interests me is that I am debating whether to
store the privileges.tdb indexed by name or by number. By name seems
to match the LSA interface, but I'm concerned that it won't match the
SAMR interface well.

I'm also thinking of adding more privileges, beyond those Microsoft
define. For example, we currently have a number of smb.conf settings
that match up quite well with the way privileges work and that we
could define as privileges, allowing much easier per-user and
per-group setting. A good example is 'dos filetimes'. We could have a
'DosFiletimes' privilege that is granted to those who need the

This also affects the decision of indexing by name or number. There
are currently 19 privileges that I know of defined by Win2000. If we
add a few for Samba specific privileges, and Microsoft add a few in
future releases of Windows then we could easily end up with more than
32, which would make simple bit masks tricky on machines without a 64
bit integer.

Finally, we will need an admin interface for privileges. The two
possible ways to do this are a local 'net privilege' command that
manipulates directly via pdb, or a remote command like 'net rpc
privilege' that manipulates via MSRPC. The advantage of 'net rpc
privilege' is that it will work against remote servers. The advantage
of a local command is that it will work when smbd is not running. Or
maybe we should have 'net rpc privilege' and a local edit via pdbedit?

Cheers, Tridge
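An added illustration of the bitmask concern raised above, not Samba code and not part of this message: privileges are numbered in the order their names are registered and a set is kept as an array of 32-bit words, so a count past 32 needs no 64-bit integer. The registration API, the numbering, and the constructed names in the test are assumptions; the Windows privilege names are real, and 'DosFiletimes' is the Samba-specific one the message proposes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Samba code: privilege names get a number when they
 * are registered, and a set is an array of 32-bit words, so more than
 * 32 privileges work without relying on a 64-bit integer type. */
#define PRIV_MAX     128
#define PRIV_WORDS   (PRIV_MAX / 32)
#define PRIV_NAMELEN 64

typedef struct { uint32_t w[PRIV_WORDS]; } priv_set;

static char priv_names[PRIV_MAX][PRIV_NAMELEN];
static int  priv_count = 0;

/* Name -> number; -1 if the name is unknown. */
int priv_lookup(const char *name) {
    for (int i = 0; i < priv_count; i++)
        if (strcmp(priv_names[i], name) == 0) return i;
    return -1;
}

/* Register a name (idempotent) and return its number; -1 when full. */
int priv_register(const char *name) {
    int n = priv_lookup(name);
    if (n >= 0) return n;
    if (priv_count >= PRIV_MAX || strlen(name) >= PRIV_NAMELEN) return -1;
    strcpy(priv_names[priv_count], name);
    return priv_count++;
}

/* Grant by name: 0 on success, -1 for an unregistered name. */
int priv_grant(priv_set *s, const char *name) {
    int n = priv_lookup(name);
    if (n < 0) return -1;
    s->w[n / 32] |= (uint32_t)1 << (n % 32);
    return 0;
}

/* 1 if the named privilege is granted in the set, else 0. */
int priv_has(const priv_set *s, const char *name) {
    int n = priv_lookup(name);
    return n >= 0 && ((s->w[n / 32] >> (n % 32)) & 1);
}

/* 1 when a single 32-bit mask could have held this set, else 0. */
int priv_fits_32(const priv_set *s) {
    for (int i = 1; i < PRIV_WORDS; i++) if (s->w[i]) return 0;
    return 1;
}
```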
