Smb multi-sessions, samba3.0.2pre1

Simo Sorce simo.sorce at xsec.it
Wed Jan 21 12:05:29 GMT 2004


On Wed, 2004-01-21 at 12:04, Jianliang Lu wrote:
> > On Wed, 2004-01-21 at 01:54, Jianliang Lu wrote:
> > 
> > Using 'admin users' to get around the 'ldap as not root' issue is the
> > wrong fix.  The real thing we need to do is properly implement the
> > required ACLs etc, so that we don't need such ugly hacks.
> > 
> > Andrew Bartlett
> > 
> 
> The problem is that the smbldap-tools need the uid=0 to run. When I use 
> usrmgr to create a new user I'll get an access denied in running "add user 
> script" (smbldap-useradd.pl) if the user has not uid=0.  If we deal with "add 
> scripts" using uid=0 it may overcome this problem (only for ldap backend).
> Another problem is for nested groups.  If a user would have privileges to 
> manage users (like create new user) it must be a member of builtin 
> group "Administrators" or "Account operators", but I don't know if a 
> global group (like "Domain Admins") could be a member of such group to have 
> these privileges. 
> 
> My question is: how can we do to have the users which have uid not 0 and have 
> the privileges to manage the user account using "User Manager for Domain"?

OK, the right way would be to finally implement the privileges system.
JFM already added a preliminary support to the group mapping code, but
we removed it from 3.0 as it was not used anywhere and was easier to
stabilize our code without that piece.
Anyway the group mapping code is not the right place, the privileges
should be defined and assigned per SID in its own hive on the SAM (it
is replicated between DCs).

The hackish way is to define a global parameter and put hacks in the
places where we need admin functionality so that we can make a
become_root call around the code to be run as root.

The first is a bigger job, but better.
The latter is much easier but a bad hack, prone to errors, and will put
strings into maintaining it for future releases.

I'm not sure I would say OK to a patch that implements the second
method.

Simo.
-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399
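As an added illustration of the per-SID privilege design Simo sketches (not code from Samba or from either poster), the model below assigns privileges to SIDs, expands nested group membership into a token, and gates the add-user operation on that check instead of on uid 0. Every SID, group and privilege name here is a constructed example.

```python
# Added illustration of a per-SID privilege check with nested group expansion.
# All SIDs, group names and privilege names are constructed examples, not
# values taken from Samba or from this thread.
from typing import Dict, Set

# Privileges assigned per SID (the "own hive on the SAM" idea in the reply).
PRIVILEGES: Dict[str, Set[str]] = {
    "S-1-5-32-544": {"SeAddUsers", "SeMachineAccount"},  # BUILTIN\Administrators (constructed)
    "S-1-5-32-548": {"SeAddUsers"},                      # BUILTIN\Account Operators (constructed)
}

# Membership edges: member SID -> SIDs of the groups it belongs to.
# "Domain Admins" is nested inside BUILTIN\Administrators, so in this model a
# global group can inherit the builtin group's privileges.
MEMBER_OF: Dict[str, Set[str]] = {
    "S-1-5-21-EXAMPLE-1104": {"S-1-5-21-EXAMPLE-512"},  # user -> Domain Admins (constructed)
    "S-1-5-21-EXAMPLE-512": {"S-1-5-32-544"},           # Domain Admins -> Administrators
    "S-1-5-21-EXAMPLE-1105": {"S-1-5-21-EXAMPLE-513"},  # user -> Domain Users (constructed)
}


def expand_token(user_sid: str) -> Set[str]:
    """Return the user's SID plus every group reachable through nested membership."""
    token, frontier = {user_sid}, [user_sid]
    while frontier:
        sid = frontier.pop()
        for group in MEMBER_OF.get(sid, ()):
            if group not in token:  # visited check keeps membership cycles from looping
                token.add(group)
                frontier.append(group)
    return token


def has_privilege(user_sid: str, privilege: str) -> bool:
    """True if any SID in the caller's expanded token carries the privilege."""
    return any(privilege in PRIVILEGES.get(sid, ()) for sid in expand_token(user_sid))


def run_add_user_script(caller_sid: str, new_user: str) -> str:
    """Gate the privileged operation on the SID-based check rather than on uid 0.
    The script call itself is represented by the returned string."""
    if not has_privilege(caller_sid, "SeAddUsers"):
        return "access denied"
    # Only after the check would the daemon raise its own privileges for the
    # duration of the script call, instead of running the caller as root.
    return f"ran add user script for {new_user}"
```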

