support for privileges in Samba 3.0

Simo Sorce idra at samba.org
Thu Jan 13 08:55:12 GMT 2005


On Wed, 2005-01-12 at 16:46 -0600, Gerald (Jerry) Carter wrote:
> Simo,
> 
> I have gone back and reworked the privileges code (twice)
> for inclusion in 3.0.11.  After the second rewrite some
> things that you did make more sense now.

I'm glad to hear that Jerry, I'm delighted.

> One minor change I've made is to remove all of the unused
> privileges.  The only ones I'm planning on using initially
> is to add machines to the domain, add users and groups to the
> domain, and print admin rights.

Good move, I like it, that way people are not fooled into thinking we
support more features than are actually implemented, we can always add
them back when needed.

> The major change was to remove the privilege storage from the
> passdb API.  Storing privilege sets in LDAP didn't gain us
> a lot other than not having to implement our own replication
> protocol.    I'm planning on implementing enough of the SAM
> replication protocol to get Samba -> Samba replication
> working for account policies and privileges.  I think I can
> have the done and working by Linuxworld next month.

Well, I've done that mostly because NT4 domains have the privileges set
replicated on each DC, but to be honest I see that as a limitation.
Being able to set different privileges on each DC is a plus imho, so I
welcome the removal of automatic replication, and I would suggest to
make the replication of privileges optional, they are just a local thing
made global by mistake in NT4 SAM engineering.

> Thanks for your work on this and my apologies for putting it
> off the backport so long.

Thank you for putting it in.

> PS: apparently User Manager running on 2k has some issues
> with setting account rights.  I get the same failures against
> an NT4 PDC.

I will work again on usrmgr.exe as I see the patch in. Unfortunately it
presumes some of the groups (perhaps even some privilege) to be always
present, so be sure you correctly mapped your domain groups to see it
working correctly.

Simo.

-- 
Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it

