s4 password changes

Andrew Bartlett abartlet at samba.org
Tue Aug 17 06:22:07 MDT 2010


On Tue, 2010-08-17 at 08:19 +0200, Stefan (metze) Metzmacher wrote:
> Hi Nadya,
> 
> > Here is the wip branch:
> > http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
> > 
> > I started by denying access to anonymous depending on dSHeuristics. The
> > tests that I wrote to ensure this is correct are passing, but a lot of other
> > things broke, such as samr tests, lsa, secure channel, ldb tests, because
> > they were no longer able to read necessary data from the database. I will
> > send more details later.
> 
> I have some comments regarding:
> s4-samr: Adapted SAMR calls to use system session, with access check for
> administrator
> 
> Please implement the SAMR access checks correctly, by having an
> allowed_access mask
> on the policy handles, and then only check for the needed access bits in
> each operation.
> 
> For now I'm fine if we give admins full access and others only read access,
> but that should be decided at the time we create a policy handle and not
> on each
> operation.

BTW, where we decide in SAMR that we will permit some operation that the
acl module would deny, I would prefer we simply add a control (like the
as-system control that I so despise) to indicate that the security
checks have been performed.  I would however prefer that the 'correct'
user still does the change, so we can implement an audit trail etc in
future.

Hopefully the overrides will be limited, and most of the rest of SAMR
can be checked in the same way as currently happens, but I don't know
enough about this topic to comment well.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
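The access-mask design metze describes above, as an added example in C (not Samba's code; the access bits, status values and function names are constructed for illustration): the granted mask is decided once when the policy handle is opened, and each operation then checks only the bits it needs.

```c
/* Added illustration of "allowed_access on the policy handle"; constants are
 * constructed, real SAMR rights live in Samba's samr.idl. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ACC_LOOKUP          0x0001u
#define ACC_GET_ATTRIBUTES  0x0002u
#define ACC_SET_ATTRIBUTES  0x0004u
#define ACC_SET_PASSWORD    0x0008u
#define ACC_READ_MASK       (ACC_LOOKUP | ACC_GET_ATTRIBUTES)
#define ACC_ALL_MASK        (ACC_READ_MASK | ACC_SET_ATTRIBUTES | ACC_SET_PASSWORD)
#define ACC_MAXIMUM_ALLOWED 0x02000000u /* same meaning as the Windows MAXIMUM_ALLOWED bit */

enum status { STATUS_OK = 0, STATUS_ACCESS_DENIED = 1 };

struct policy_handle {
    bool open;
    uint32_t allowed_access; /* decided once, at open time */
};

/* Open-time policy (the interim rule from the mail): admins get everything,
 * everyone else read-only. Specific bits beyond that are refused outright;
 * MAXIMUM_ALLOWED expands to whatever the caller is permitted. */
enum status open_handle(bool caller_is_admin, uint32_t requested, struct policy_handle *h)
{
    uint32_t permitted = caller_is_admin ? ACC_ALL_MASK : ACC_READ_MASK;
    uint32_t specific = requested & ~ACC_MAXIMUM_ALLOWED;
    if (specific & ~permitted)
        return STATUS_ACCESS_DENIED;
    h->open = true;
    h->allowed_access = (requested & ACC_MAXIMUM_ALLOWED) ? permitted : specific;
    return STATUS_OK;
}

/* Per-operation check: only the bits this call needs, no re-evaluation of who the caller is. */
static enum status check_access(const struct policy_handle *h, uint32_t needed)
{
    if (!h->open)
        return STATUS_ACCESS_DENIED;
    return ((h->allowed_access & needed) == needed) ? STATUS_OK : STATUS_ACCESS_DENIED;
}

enum status samr_query_user_info(const struct policy_handle *h)   { return check_access(h, ACC_GET_ATTRIBUTES); }
enum status samr_set_user_password(const struct policy_handle *h) { return check_access(h, ACC_SET_PASSWORD); }

int main(void)
{
    struct policy_handle h;
    open_handle(false, ACC_MAXIMUM_ALLOWED, &h);
    printf("non-admin: query=%d set_password=%d\n", samr_query_user_info(&h), samr_set_user_password(&h));
    return 0;
}
```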