Does NET RPC RIGHTS require Linux PDC? additionally Samba 3.0.11 and RHEL 4 test
Guenther Deschner
gd at samba.org
Mon Sep 5 22:02:26 GMT 2005
Hi Jerry,
On Mon, Sep 05, 2005 at 07:11:10AM -0500, Gerald (Jerry) Carter wrote:
> Guenther Deschner <gd at samba.org> wrote:
>
> | That would make more sense. Most probably you do not have the
> | "SeDiskOperatorPrivilege" assigned to "Administrator".
> |
> | If you are using "security = ads" please try to switch
> | to "security = domain" to let that privilege take effect.
>
> Guenther, there should be no difference in smbd's code
> that builds the user token for domain or ads mode security.
> Do you know of a bug here that hasn't been reported?
Yes, there is a big difference (I tried to explain it to you during the CIFS
conf ;)):
When in security = ads and we reply in reply_spnego_kerberos(), we build
a quite broken NT user token, one that has a local SID with an algorithmic
RID part (instead of using the user's original domain SID). Thus,
privileges never apply when smbd is running as a domain member in
security = ads.
The best way to fix that (IMHO) is to derive (at least) the user and
primary-group SID directly from the PAC (saving roundtrips). I have
exactly this working (including PAC server-signature verification) for
Heimdal (thanks to the great Samba4 progress), but the abstraction layer to
make it work with MIT Kerberos as well is not yet finished.
You are right, I should open a bug report to track my progress on that.
Cheers,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Novell / SUSE LINUX gd at suse.de
Samba Team gd at samba.org
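The failure mode Guenther describes, modelled as an added example (this is illustrative Python written for this page, not Samba's code): a privilege granted with `net rpc rights` is stored against the account's domain SID, but a token built from the server's own local SID plus Samba's algorithmic RID (default base 1000, multiplier 2: users get uid*2+1000, groups gid*2+1001) never contains that SID, so the privilege check fails; a token whose user and primary-group SIDs are taken from the PAC matches. The machine SID, domain SID, uids and gids below are constructed for the example.

```python
"""Illustrative model of privilege lookup against two ways of building
an NT user token. Added example, not Samba code; all SIDs constructed."""
from dataclasses import dataclass

# Samba's default algorithmic RID mapping: base 1000, multiplier 2.
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2


def uid_to_rid(uid: int) -> int:
    """Algorithmic user RID (even numbers from 1000 upward)."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def gid_to_rid(gid: int) -> int:
    """Algorithmic group RID (odd numbers from 1001 upward)."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


@dataclass(frozen=True)
class Sid:
    authority: str  # everything before the final RID, e.g. "S-1-5-21-a-b-c"
    rid: int

    def __str__(self) -> str:
        return f"{self.authority}-{self.rid}"

    @classmethod
    def parse(cls, text: str) -> "Sid":
        head, _, rid = text.rpartition("-")
        return cls(head, int(rid))


# Constructed identifiers for the example.
LOCAL_SID = "S-1-5-21-1-1-1"          # the member server's own machine SID
DOMAIN_SID = "S-1-5-21-100-200-300"   # the domain SID carried in the PAC
DOMAIN_ADMIN_RID = 500                # well-known RID of Administrator
DOMAIN_USERS_RID = 513                # well-known RID of Domain Users


@dataclass(frozen=True)
class Token:
    user: Sid
    groups: tuple = ()

    def sids(self):
        return (self.user,) + tuple(self.groups)


# What `net rpc rights grant 'DOM\Administrator' SeDiskOperatorPrivilege`
# conceptually records: privilege name -> SIDs it was granted to.
PRIVILEGE_DB = {
    "SeDiskOperatorPrivilege": {f"{DOMAIN_SID}-{DOMAIN_ADMIN_RID}"},
}


def has_privilege(token: Token, priv: str) -> bool:
    """True if any SID in the token was granted the privilege."""
    granted = {Sid.parse(s) for s in PRIVILEGE_DB.get(priv, ())}
    return any(sid in granted for sid in token.sids())


def token_from_algorithmic_mapping(uid: int, gid: int) -> Token:
    """The broken path described in the mail: local SID + algorithmic RID."""
    return Token(Sid(LOCAL_SID, uid_to_rid(uid)),
                 (Sid(LOCAL_SID, gid_to_rid(gid)),))


def token_from_pac(user_sid: str, group_sids) -> Token:
    """The proposed fix: user and primary-group SID taken from the PAC."""
    return Token(Sid.parse(user_sid), tuple(Sid.parse(g) for g in group_sids))


def compare(uid: int, gid: int, pac_user_sid: str, pac_group_sids) -> dict:
    """Evaluate the same privilege against both token constructions."""
    return {
        "algorithmic": has_privilege(token_from_algorithmic_mapping(uid, gid),
                                     "SeDiskOperatorPrivilege"),
        "pac": has_privilege(token_from_pac(pac_user_sid, pac_group_sids),
                             "SeDiskOperatorPrivilege"),
    }


if __name__ == "__main__":
    # Constructed: Administrator mapped by winbind to uid/gid 10000.
    result = compare(10000, 10000,
                     f"{DOMAIN_SID}-{DOMAIN_ADMIN_RID}",
                     [f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"])
    print("algorithmic token:", str(token_from_algorithmic_mapping(10000, 10000).user))
    print(result)
```

The point the model makes visible: the algorithmic token's user SID is `S-1-5-21-1-1-1-21000`, which shares neither authority nor RID with the granted `S-1-5-21-100-200-300-500`, so no amount of granting via `net rpc rights` can make the check succeed until the token is built from the domain SIDs.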