[PATCH] Added "admin_session" method.

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Wed Sep 9 02:36:12 MDT 2009


Take 2 attached.

----- Original Message -----
> From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> To: abartlet at samba.org <abartlet at samba.org>, Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: samba-technical at samba.org <samba-technical at samba.org>
> Sent: Tuesday, September 8, 2009 4:01:49 PM GMT+0200 Europe;Athens
> Subject: Re: [PATCH] Added "admin_session" method.

> > I will take another look. The change in indent could have happened 
> during merge, because when I merged my patch for final testing there 
> were changes in provision.py, there were some ugly onflicts that I had 
> to resolve by hand. I will take another look and re-send only 
> provision.py again. 
> 
> Regards,
> Nadya
> ----- Original Message -----
> > From: Andrew Bartlett <abartlet at samba.org>
> > To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> > Cc: samba-technical at samba.org <samba-technical at samba.org>
> > Sent: Tuesday, September 8, 2009 12:56:22 PM GMT+0200 Europe;Athens
> > Subject: Re: [PATCH] Added "admin_session" method.
> 
> > > On Mon, 2009-09-07 at 16:22 +0300, Nadezhda Ivanova wrote:
> > > Hi Samba team,
> > > As you know, I have been working on implementing AD compatible
> > > security descriptor inheritance in Samba 4. Based on documentation
> > > regarding the default owner and group of an SD and some
> > > experimentation, it appears that in order to get 100% compliance 
> of
> > > the security descriptors in the schema, configuration and domain,
> > > provisioning has to be done by authenticating as Administrator. 
> > Maybe
> > > during plugfest we can establish if we need Administrator or any
> > > member of group Administrators. 
> > 
> > This seems very reasonable.  
> > 
> > > At this point basically we replace the system_session with
> > > admin_session when creating schema, configuration and domain
> > > partitions. It does not affect provisioning in any way and does 
> not
> > > break any test.
> > 
> > Why do you revert to system_session() at all?
> > 
> > That is, I don't like:
> > 
> > > @@ -997,13 +1001,16 @@ def setup_samdb(path, setup_path, 
> > session_info,
> > > credentials, lp,
> > >                  "KRBTGTPASS_B64": b64encode(krbtgtpass),
> > >                  })
> > >  
> > > -            if serverrole == "domain controller":
> > > -                message("Setting up self join")
> > > -                setup_self_join(samdb, names=names,
> > > invocationid=invocationid, 
> > > -                                dnspass=dnspass,  
> > > -                                machinepass=machinepass, 
> > > -                                domainsid=domainsid,
> > > policyguid=policyguid,
> > > -                                setup_path=setup_path,
> > > domainControllerFunctionality=domainControllerFunctionality)
> > > +#return back to system
> > > +        samdb.set_session_info(session_info)
> > > +
> > > +        if serverrole == "domain controller":
> > > +            message("Setting up self join")
> > > +            setup_self_join(samdb, names=names,
> > > invocationid=invocationid,
> > > +                            dnspass=dnspass,
> > > +                            machinepass=machinepass,
> > > +                            domainsid=domainsid,
> > > policyguid=policyguid,
> > > +                            setup_path=setup_path,
> > > domainControllerFunctionality=domainControllerFunctionality)
> > >  
> > 
> > You also seem to change the indentation, which rather matters for
> > python.
> > 
> > Once I understand why you need this last chunk, I will be very happy 
> 
> > to
> > merge this. 
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett                                
> > http://samba.org/~abartlet/
> > Authentication Developer, Samba Team           http://samba.org
> > Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-admin_session-method.patch
Type: application/octet-stream
Size: 10678 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090909/25109581/attachment.obj>


More information about the samba-technical mailing list