Registry ACLs and credentials

Andrew Bartlett abartlet at
Mon Dec 12 05:23:36 GMT 2005

I've been working on a secure, remote LDAP backend for Samba4, which has
required some re-engineering work.  This showed up all the callers to
ldb_wrap_connect(), and this naturally includes the Samba4 registry.

Currently we entirely ignore the issue, but with the main LDB acls work
ongoing, I wondered how we intended to handle this?

I was hoping we might be able to re-use the same module in both cases,
which raises my real question:  Can someone who understands the registry
layer please plumb the session_info and credentials information from the
callers into the registry?  (The current layering makes my head spin a

This should also allow a forwarded registry (with krb5 forwarded
tickets), authentication on a remote ldb backend and other neat things.

In ldb we will shortly pass down:
 - the session_info, which is typically the system token in ldbedit or
the user's own token in smbd.
 - a separate set of credentials, to override the above, so that ldbedit
will use command line parameters.

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College

More information about the samba-technical mailing list