[PATCH] Added "admin_session" method.

Andrew Bartlett abartlet at samba.org
Tue Sep 8 03:57:36 MDT 2009


On Mon, 2009-09-07 at 16:22 +0300, Nadezhda Ivanova wrote:
> Hi Samba team,
> As you know, I have been working on implementing AD compatible
> security descriptor inheritance in Samba 4. Based on documentation
> regarding the default owner and group of an SD and some
> experimentation, it appears that in order to get 100% compliance of
> the security descriptors in the schema, configuration and domain,
> provisioning has to be done by authenticating as Administrator. Maybe
> during plugfest we can establish if we need Administrator or any
> member of group Administrators. 

This seems very reasonable.  

> At this point basically we replace the system_session with
> admin_session when creating schema, configuration and domain
> partitions. It does not affect provisioning in any way and does not
> break any test.

Why do you revert to system_session() at all?

That is, I don't like:

> @@ -997,13 +1001,16 @@ def setup_samdb(path, setup_path, session_info,
> credentials, lp,
>                  "KRBTGTPASS_B64": b64encode(krbtgtpass),
>                  })
>  
> -            if serverrole == "domain controller":
> -                message("Setting up self join")
> -                setup_self_join(samdb, names=names,
> invocationid=invocationid, 
> -                                dnspass=dnspass,  
> -                                machinepass=machinepass, 
> -                                domainsid=domainsid,
> policyguid=policyguid,
> -                                setup_path=setup_path,
> domainControllerFunctionality=domainControllerFunctionality)
> +#return back to system
> +        samdb.set_session_info(session_info)
> +
> +        if serverrole == "domain controller":
> +            message("Setting up self join")
> +            setup_self_join(samdb, names=names,
> invocationid=invocationid,
> +                            dnspass=dnspass,
> +                            machinepass=machinepass,
> +                            domainsid=domainsid,
> policyguid=policyguid,
> +                            setup_path=setup_path,
> domainControllerFunctionality=domainControllerFunctionality)
>  
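
Review bot: the added `samdb.set_session_info(session_info)` call and its `#return back to system` comment give no reason why the self join has to run under the caller's session rather than the admin session, and the comment sits at column 0 while the call it describes is indented eight spaces. In the same hunk the `if serverrole == "domain controller":` block moves from twelve to eight spaces, which takes it out of whatever block enclosed it before. Keep the original indentation unless that change of scope is intended, indent the comment with the code, and have it state why the session is switched back at this point.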

You also seem to change the indentation, which rather matters for
Python.

Once I understand why you need this last chunk, I will be very happy to
merge this. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.