[PATCH] Add special users to Samba4 (bugzilla #4918)

Andrew Kroeger andrew at sprocks.gotdns.com
Fri Aug 24 03:31:02 GMT 2007


First:  I have been playing with Samba 4 for a number of months and I
love what all of you have accomplished to date.  Great Job!

As part of my trying to learn more about the internals, I started making
some comparisons between Win2K3 and Samba 4 as PDCs.  I wanted to find
something that I could get a grasp on from the user perspective and then
delve into the code to solve the issue.

What I found was that there are some Builtins listed in the ADUC MMC on
the Win2K3 PDC that weren't present on the Samba 4 PDC.  Additionally,
most (if not all) of what I would call "pseudo users" ("Creator Owner",
"Everybody", etc.) were not present under Samba 4 when attempting to
alter file/directory security permissions.

After putting something together that appears to get the job done I saw
bug #4918 posted by Matthias this afternoon.  After seeing that, I
decided it was time to clean up what I had and toss it over the fence to
get some feedback.  I know there are probably some issues with coding
practices/style and I also have some more testing that I need to do, but
I wanted to get some feedback sooner rather than later to make sure I'm
not going in the wrong direction.

I have attached 3 patch files:

- samldb-typo.patch: Corrects a typo I found in one of the error
messages while I was writing my code.  I am submitting as a completely
separate patch so it can be applied on its own.  This patch does not
depend on any others.

- aduc-builtin-users.patch: Adds the following additional groups under
the ADUC Builtin category:
  - Pre-Windows 2000 Compatible Access
  - Incoming Forest Trust Builders
  - Windows Authorization Access Group
  - Terminal Server License Servers
  - Distributed COM Users
This patch does not depend on any others.

- special-users.patch: Adds the following "pseudo users" that appear
when setting security attributes on files/directories:
  - Anonymous Logon
  - Authenticated Users
  - Batch
  - Creator Group
  - Creator Owner
  - Dialup
  - Digest Authentication
  - Enterprise Domain Controllers
  - Everyone
  - Interactive
  - Local Service
  - Network
  - Network Service
  - NTLM Authentication
  - Other Organization
  - Proxy
  - Remote Interactive Logon
  - Restricted
  - SChannel Authentication
  - Self
  - Service
  - Terminal Server User
  - This Organization
  - Well-Known-Security-Id-System
This patch also adds the container at CN=WellKnown Security
Principals,CN=Configuration,DC=... to hold the "pseudo users".  This
patch doesn't depend on the aduc-builtin-users.patch, but it will
generate some fuzz when applying for provision_users.ldif if
aduc-builtin-users.patch has not been applied.

This last patch is the one that I anticipate the most feedback on.
Given the special handling of the foreignSecurityPrincipal objectClass
that appears to be special-cased for CN=ForeignSecurityPrincipals, I
needed to add another special case for CN=WellKnown Security Principals.
There may be a more general way to handle this, but I couldn't find any
existing code that looked like it would help.(ldb_dn_canonical_string

I also anticipate there may be issues with the following:
- The use of ldb_dn_canonical_string() to get the DN to differentiate
this special case from the other handling of foreignSecurityPrincipal.
- The use of strstr() to look for a given substring in the DN.
- My code makes a case-sensitive comparison, but I don't know if the
DNs are case-sensitive.
- The samldb_fill_wellKnown_foreignSecurityPrincipal_object() function I
created copies the input ldb_message and then calls
samdb_copy_template().  I don't know if any of that is necessary, as I
don't yet fully understand what they do :)  I do know that my code fails
if msg2 is not set, so evidently what I am trying to do depends on the
additional processing code that happens later in samdb_add() after the
check for msg2 == NULL.

I welcome any and all feedback regarding what I have put together.

Thanks,

Andrew Kroeger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aduc-builtin-users.patch
Type: text/x-patch
Size: 2597 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070823/97f01330/aduc-builtin-users.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samldb-typo.patch
Type: text/x-patch
Size: 603 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070823/97f01330/samldb-typo.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: special-users.patch
Type: text/x-patch
Size: 9027 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070823/97f01330/special-users.bin
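As an added illustration of the strstr() and case-sensitivity concerns raised in the message (this is not Andrew's patch and not code from the Samba tree), the following is a hypothetical component-wise DN check: it splits the DN on unescaped commas and compares the parent RDNs to the container RDNs case-insensitively, so a value that merely contains the substring "CN=WellKnown Security Principals" does not match. The function and helper names are assumptions, and it works on the DN string directly rather than through ldb's DN API.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical helper: case-insensitive comparison of one RDN ("CN=Foo").
 * LDAP attribute types are case-insensitive and AD treats DN values that
 * way too, so both sides are lowered before comparing. */
static bool rdn_equal_ci(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Split a DN string into RDN components on unescaped commas.
 * Leading blanks after a comma ("CN=a, CN=b") are skipped. Returns count. */
static int split_dn(const char *dn, const char **starts, size_t *lens, int max)
{
    int n = 0;
    const char *p = dn, *seg = dn;
    while (n < max) {
        if (*p == '\\' && p[1]) { p += 2; continue; }   /* escaped char */
        if (*p == ',' || *p == '\0') {
            starts[n] = seg; lens[n] = (size_t)(p - seg); n++;
            if (*p == '\0') break;
            seg = ++p;
            while (*seg == ' ') seg++;
            p = seg;
            continue;
        }
        p++;
    }
    return n;
}

/* True when dn is a direct child of CN=WellKnown Security Principals,
 * CN=Configuration,... : the two RDNs after the object's own RDN must match
 * the container RDNs exactly (component-wise), ignoring case. A substring
 * hit inside some other RDN, which strstr() would accept, is rejected. */
bool is_wellknown_sp_child(const char *dn)
{
    static const char *want[] = { "CN=WellKnown Security Principals",
                                  "CN=Configuration" };
    const char *s[32]; size_t l[32];
    int n = split_dn(dn, s, l, 32);
    if (n < 3) return false;          /* own RDN + two container RDNs */
    for (int i = 0; i < 2; i++)
        if (!rdn_equal_ci(s[1 + i], l[1 + i], want[i], strlen(want[i])))
            return false;
    return true;
}
```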