Schema security descriptors

Andrew Bartlett abartlet at samba.org
Wed Jun 10 22:53:48 GMT 2009


On Wed, 2009-06-10 at 19:39 +0300, Nadezhda Ivanova wrote:
> Hi Andrew,
> I looked at objectclass.c as you advised. The reason we do not have
> the defaultSecurityDescriptor of dMD as part of the SD of CN=Schema is
> that we need the schema to be able to find the object class definition
> for a new object and get its defaultSecurityDescriptor, and we do
> nothing if the schema is not present (objectclass.c:539-647).
> Obviously, when we are first adding the CN=Schema, we do not have the
> schema :). 

That's a good guess, but otherwise we would also not have
objectCategory, right?

> Because of this, and the group/owner problem I do not see how we can
> avoid re-visiting all schema objects during provisioning to modify
> their descriptors, still seems like the only way. I see however how
> this is the place to implement security descriptor inheritance,
> shouldn't be too difficult, we have the algorithms documented in
> MS-ADTS.

Good.  I don't think the owner part should be too big a problem.  Who in
AD owns new schema objects created by (say) an administrator after
setup?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
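The inheritance step discussed above (explicit ACEs from the object class's defaultSecurityDescriptor plus inheritable ACEs from the parent, in the MS-ADTS style), as an added illustration that is not Samba code: the ACE model, flag values and sample trustees are a constructed simplification in which every AD object is treated as a container.

```python
# Constructed model of AD security-descriptor inheritance for a new object.
# Not Samba code; ACEs are simplified to a trustee name, a rights mask and flags.
from dataclasses import dataclass, replace

# ACE flag bits as used in Windows/AD access control entries
CI = 0x02  # CONTAINER_INHERIT_ACE: propagates to child objects (all AD objects are containers)
NP = 0x04  # NO_PROPAGATE_INHERIT_ACE: the inherited copy inherits no further
IO = 0x08  # INHERIT_ONLY_ACE: does not apply to the object that carries it
ID = 0x10  # INHERITED_ACE: marks an ACE that was copied from a parent

@dataclass(frozen=True)
class Ace:
    trustee: str   # SID, simplified to a name for readability
    rights: int
    flags: int = 0

def inherit_from_parent(parent_dacl, protected=False):
    """ACEs a child receives from its parent's DACL (none if SE_DACL_PROTECTED)."""
    if protected:
        return []
    inherited = []
    for ace in parent_dacl:
        if not ace.flags & CI:
            continue                          # not inheritable at all
        if ace.flags & NP:
            flags = ID                        # effective on the child, stops there
        else:
            flags = (ace.flags & ~IO) | ID    # effective on the child and inheritable again
        inherited.append(replace(ace, flags=flags))
    return inherited

def build_child_dacl(default_sd_dacl, parent_dacl, protected=False):
    """Canonical order: explicit ACEs from defaultSecurityDescriptor, then inherited ACEs."""
    explicit = [replace(a, flags=a.flags & ~ID) for a in default_sd_dacl]
    return explicit + inherit_from_parent(parent_dacl, protected)

def effective_aces(dacl):
    """ACEs that actually apply to the object itself (inherit-only ones do not)."""
    return [a for a in dacl if not a.flags & IO]

# Constructed sample: a parent DACL and an object class default DACL
PARENT = [Ace("Domain Admins", 0xF01FF, CI),
          Ace("Authenticated Users", 0x20094, CI | NP),
          Ace("Enterprise Admins", 0xF01FF, CI | IO)]
DEFAULT_SD = [Ace("Schema Admins", 0xF01FF)]
CHILD = build_child_dacl(DEFAULT_SD, PARENT)
GRANDCHILD = build_child_dacl([], CHILD)
```

Walking the result shows why a second pass is needed when the parent was created before the schema existed: without the class's default ACEs only the inherited ones (Domain Admins, Enterprise Admins) reach GRANDCHILD.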