s4 password changes

Nadezhda Ivanova nivanova at samba.org
Tue Aug 17 06:35:23 MDT 2010


Hi Andrew,
Using a control in the was one of my initial proposals, it gives us finer
control to what to access when, but it was more complicated. Anyway, this
patch will not remain as it is now, given metze's suggestion. Also, we don't
actually have problems with modification. The problems occur when we need to
access some data, such as the current fsmoRoleOwner, in order to perform
some operation, and the current user does not have rights to access it. I
will do a bit more research and propose an alternative implementation of this,
and give you more background on where we need to apply the access checks and
where we need to skip them. Using system session was simply the fastest and
simplest way, not necessarily the best, I was just looking for a way to get
the anonymous stuff working faster. It will just have to wait until I
resolve the SAMR (and other rpc) issues in an acceptable way.

Regards,
Nadya

On Tue, Aug 17, 2010 at 3:22 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2010-08-17 at 08:19 +0200, Stefan (metze) Metzmacher wrote:
> > Hi Nadya,
> >
> > > Here is the wip branch:
> > >
> > > http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
> > >
> > > I started by denying access to anonymous depending on dSHeuristics. The
> > > tests that I wrote to ensure this is correct are passing, but a lot of other
> > > things broke, such as samr tests, lsa, secure channel, ldb tests, because
> > > they were no longer able to read necessary data from the database. I will
> > > send more details later.
> >
> > I have some comments regarding:
> > s4-samr: Adapted SAMR calls to use system session, with access check for
> > administrator
> >
> > Please implement the SAMR access checks correctly, by having an
> > allowed_access mask on the policy handles, and then only check for the
> > needed access bits in each operation.
> >
> > For now I'm fine if we give admins full access and others only read access,
> > but that should be decided at the time we create a policy handle and not
> > on each operation.
>
> BTW, where we decide in SAMR that we will permit some operation that the
> acl module would deny, I would prefer we simply add a control (like the
> as-system control that I so despise) to indicate that the security
> checks have been performed.  I would however prefer that the 'correct'
> user still does the change, so we can implement an audit trail etc in
> future.
>
> Hopefully the overrides will be limited, and most of the rest of SAMR
> can be checked in the same way as currently happens, but I don't know
> enough about this topic to comment well.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
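
The handle-bound access check suggested in the quoted review above (an allowed_access mask fixed when the policy handle is created, with each operation testing only the bits it needs), sketched as an added example that is not part of the thread and not Samba code. All names, bit values and status codes here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical access bits and status codes (constructed, not Samba's). */
#define ACC_READ   0x1u
#define ACC_WRITE  0x2u
#define ACC_SET_PW 0x4u
#define ACC_ALL    (ACC_READ | ACC_WRITE | ACC_SET_PW)
enum status { ST_OK = 0, ST_ACCESS_DENIED = 1 };

struct caller { bool is_admin; };
struct handle_state { uint32_t allowed_access; };

/* Interim policy from the thread: admins full access, others read-only. */
uint32_t max_access_for(const struct caller *c)
{
    return c->is_admin ? ACC_ALL : ACC_READ;
}

/* The access decision is made once, when the handle is created. */
enum status handle_open(const struct caller *c, uint32_t desired,
                        struct handle_state *h)
{
    h->allowed_access = 0;                      /* fail closed */
    if ((desired & ~max_access_for(c)) != 0)
        return ST_ACCESS_DENIED;                /* unknown or ungranted bits */
    h->allowed_access = desired;
    return ST_OK;
}

/* Each operation only tests the bits it needs against the handle. */
enum status handle_require(const struct handle_state *h, uint32_t needed)
{
    return (h->allowed_access & needed) == needed ? ST_OK : ST_ACCESS_DENIED;
}

enum status op_query_info(const struct handle_state *h) { return handle_require(h, ACC_READ); }
enum status op_set_password(const struct handle_state *h) { return handle_require(h, ACC_SET_PW); }

int main(void)
{
    struct caller admin = { true }, anon = { false };
    struct handle_state h;
    printf("anon open read+write: %d\n", handle_open(&anon, ACC_READ | ACC_WRITE, &h));
    printf("admin open read-only: %d\n", handle_open(&admin, ACC_READ, &h));
    printf("set_password on read-only handle: %d\n", op_set_password(&h));
    return 0;
}
```

An admin who opened a read-only handle is still refused op_set_password, because the operations consult the handle's mask and never re-evaluate the caller.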

