se_access_checks() on SAMR pipe ?

Gerald (Jerry) Carter jerry at
Fri Jan 28 20:36:09 GMT 2005

Hash: SHA1

Andrew Bartlett wrote:

| So, my understanding is that privileges should trump
| access control checks, and I would have expected that
| they would translate into extra bits on the permitted access
| on the handle, then checked in the subsequent operations.
| We shouldn't have ACL or privilege evaluation on the
| set info calls, just mask comparison.

ok.  That makes senses and is pretty much what we do
on the spoolss handles.  Interesting.... Ah...of course.
That makes perfect sense!  Thanks so much.  Don't know
why I didn't realize it before.

I've added what I think is similar to this idea in
access_check_samr_object().  The real key is to get
the access_check_samr_function() checks correct.
Brilliant!  I know exactly what to do now.

| Well, that's my memory of how we thought it should
| have worked, but I'll have to write a torture test for
| Samba4 to really figure it what we should have done
| (which should help inform Samba4 when we come to this
| bridge).

This was a big help.  It's basically just a reimplementation
of what we did on printer handles.

cheers, jerry
Alleviating the pain of Windows(tm)      -------
GnuPG Key                -----
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


More information about the samba-technical mailing list