se_access_checks() on SAMR pipe ?

Gerald (Jerry) Carter jerry at samba.org
Wed Jan 26 16:34:15 GMT 2005


Andrew,

Can you give me some background on how the current
implementation in 3.0 came about?  Right now it looks
incomplete.  And in some ways incompatible with
the privilege model.

For example, currently we give full access to the
BUILTIN\Administrators, BUILTIN\Account Operators,
and (if we are a DC) the DOMAIN\Domain Admins.
Everyone gets Execute|Read.

However, _samr_create_user() checks for
SA_RIGHT_DOMAIN_CREATE_USER which means that you have
to be a member of one of the full access groups even
if you have the SeMachineAccountPrivilege or the
SeAddUsersPrivilege.



cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
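
The mismatch described in the message above, as an added example that is not part of the original post and not Samba's code: a small C model of a DACL-only check for the create-user right next to a privilege-aware variant. The bit values, struct token, the enum names and both function names are assumptions made for illustration, and the privilege-aware variant is one possible approach, not something the message proposes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bit values for this model, not Samba's real definitions. */
#define RIGHT_READ_EXECUTE 0x01u
#define RIGHT_CREATE_USER  0x02u /* stands in for SA_RIGHT_DOMAIN_CREATE_USER */
#define RIGHT_FULL         (RIGHT_READ_EXECUTE | RIGHT_CREATE_USER)

enum { G_EVERYONE = 1, G_ADMINISTRATORS = 2, G_ACCOUNT_OPS = 4, G_DOMAIN_ADMINS = 8 };
enum { PRIV_MACHINE_ACCOUNT = 1, PRIV_ADD_USERS = 2 };

struct token { unsigned groups; unsigned privs; }; /* hypothetical caller token */

/* Rights granted by the DACL as described: full access for the admin groups
 * (Domain Admins only on a DC), Execute|Read for Everyone. */
static uint32_t dacl_rights(const struct token *t, bool is_dc)
{
    unsigned full = G_ADMINISTRATORS | G_ACCOUNT_OPS | (is_dc ? G_DOMAIN_ADMINS : 0);
    uint32_t granted = 0;
    if (t->groups & G_EVERYONE) granted |= RIGHT_READ_EXECUTE;
    if (t->groups & full)       granted |= RIGHT_FULL;
    return granted;
}

/* DACL-only decision: privileges held by the caller are never consulted. */
bool create_user_dacl_only(const struct token *t, bool is_dc)
{
    return (dacl_rights(t, is_dc) & RIGHT_CREATE_USER) != 0;
}

/* Assumed alternative: a privilege adds the create right before the check.
 * SeMachineAccountPrivilege only counts when a machine account is requested. */
bool create_user_priv_aware(const struct token *t, bool is_dc, bool machine_acct)
{
    uint32_t granted = dacl_rights(t, is_dc);
    if (t->privs & PRIV_ADD_USERS) granted |= RIGHT_CREATE_USER;
    if (machine_acct && (t->privs & PRIV_MACHINE_ACCOUNT)) granted |= RIGHT_CREATE_USER;
    return (granted & RIGHT_CREATE_USER) != 0;
}

int main(void)
{
    struct token op = { G_EVERYONE, PRIV_ADD_USERS }; /* constructed sample caller */
    printf("dacl-only: %d, privilege-aware: %d\n",
           create_user_dacl_only(&op, true), create_user_priv_aware(&op, true, false));
    return 0;
}
```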

