support for privileges in Samba 3.0

Gerald (Jerry) Carter jerry at samba.org
Wed Jan 12 22:46:19 GMT 2005


Simo,

I have gone back and reworked the privileges code (twice)
for inclusion in 3.0.11.  After the second rewrite some
things that you did make more sense now.

One minor change I've made is to remove all of the unused
privileges.  The only ones I'm planning on using initially
are to add machines to the domain, add users and groups to the
domain, and print admin rights.

The major change was to remove the privilege storage from the
passdb API.  Storing privilege sets in LDAP didn't gain us
a lot other than not having to implement our own replication
protocol.  I'm planning on implementing enough of the SAM
replication protocol to get Samba -> Samba replication
working for account policies and privileges.  I think I can
have that done and working by Linuxworld next month.

I'm going to check this in before week's end (just have to
increase the number of bits I use for the privilege mask)
and incorporate the privilege set with the NT_USER_TOKEN
at logon time for the appropriate access checks.

Oh and fix a couple of the LSA calls where the return values are
hard-coded.

Thanks for your work on this and my apologies for putting
off the backport so long.

PS: apparently User Manager running on 2k has some issues
with setting account rights.  I get the same failures against
an NT4 PDC.


cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca