LSA Privileges

[Simo Sorce]

On Sun, 2003-02-09 at 02:26, tridge at samba.org wrote:
> Simo,
> 
> > I have not investigated too much further, but if you do not see any
> > further name transfer, I presume, that once the name-number pair have
> > been transfered to the BDC, than the PDC can send numbers only.
> 
> Interesting, that is certainly a possibility. 
> 
> One of the reasons this interests me is that I am debating whether to
> store the privileges.tdb indexed by name or by number. By name seems
> to match the LSA interface, but I'm concerned that it won't match the
> SAMR interface well.

yes, and woudl be painfully slow to check a string every time.
my solution was to do an internal mapping for samba, but I'm not sure a
bitmask is the best way to do it, I think that a list of uint32 is
acceptable, so that we can really define 2^32 privileges.

> I'm also thinking of adding more privileges, beyond that Microsoft
> define. For example, we currently have a number of smb.conf settings
> that match up quite well with the way privileges work and that we
> could define as privileges, allowing much easier per-user and
> per-group setting. A good example is 'dos filetimes'. We could have a
> 'DosFiletimes' privilege that is granted to those who need the
> functionality.
> 
> This also affects the decision of indexing by name or number. There
> are currently 19 privileges that I know of defined by Win2000. If we
> add a few for Samba specific privileges, and Microsoft add a few in
> future releases of Windows then we could easily end up with more than
> 32, which would make simple bit masks tricky on machines without a 64
> bit integer.

Yes, that what I , and before me Jean Francois, tought about that.

Furthermore I think the while it is certainly a possibility that MS
programmers made the transfer by string as a mistake, in realty I think
it has been on purpose, so that they could add new priveleges easily if
needed. I think our best bet could be to keep the string-number pair we
receive from a PDC intact and associate to this pair a second number
internal to samba. An interface that is able to map samba internal
privilege number to windows string-number pair one should be provided so
that if we discover new privilege names besides the ones we already know
we can easily map them to a samba own privilege if needed (or map a
known unused one to a samba one so that admins can manipulate it easily
through windows interfaces).

> Finally, we will need an admin interface for privileges. The two
> possible ways to do this are a local 'net privilege' command that
> manipulates directly via pdb, or a remote command like 'net rpc
> privilege' that manipulates via MSRPC. The advantage of 'net rpc
> privilege' is that it will work against remote servers. The advantage
> of a local command is that it will work when smbd is not running. Or
> maybe we should have 'net rpc privilege' and a local edit via pdbedit?

Yes, it seem the best solution.


Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030209/0a49924c/attachment.bin