svn commit: samba r5180 - branches/SAMBA_3_0/source/rpc_server trunk/source/rpc_server

Gerald (Jerry) Carter jerry at samba.org
Thu Feb 3 03:50:13 GMT 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 2 Feb 2005, Guenther Deschner wrote:

> Hi Andrew,
> 
> On Thu, Feb 03, 2005 at 07:43:07AM +1100, Andrew Bartlett wrote:
> > > Log:
> > > Call the "add machine script" to create all kinds of trust accounts
> > > (this restores old behaviour). Fixes #2291.
> > 
> > I agree on the scripts part, but I'm not sure you should be using:
> > 
> >  se_priv_copy( &se_rights, &se_machine_account );
> > 
> > The point here is to ensure that users with 'add machines to the domain'
> > can only add workstations, not BDCs and Domains.  I may be off-base
> > here, but I think we just need two 'ifs'.  The script to call and the
> > rights to use are different.
> 
> Yes, sure. This is what I already asked Jerry in the bugreport.
> 
> Another point: We are probably no longer able to create 
> interdomain-trusts in the correct location from usrmgr. Testing that 
> now.

Thanks for the fix Guenther.  Apparently I was trying to work on too many 
bugs concurrently yo make sense of this one.  

I think you are both correct in that the add.*script test and 
determining which rights to test should be separate conditions.
So the question is what rights make sense to create domain trusts ?
I'm inclined towards Domain Admins membership.  I can fix this up
pretty quickly once we decide what is the corrcet behavior.

One more thing, maybe i've just forgotten but what exactly is the 
different between thw workstation trust and server trusts types ?






cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc 
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFCAZ91IR7qMdg1EfYRAnTxAKCcWsdKH1eyUc99xNjr0fU26cHquQCgzo6P
ZF0xDBTG1ZBUXv6aj8Jab+M=
=mirR
-----END PGP SIGNATURE-----

More information about the samba-technical mailing list