Fix our privileges code to display privileges with the "high" 32-bit value set.
Andrew Bartlett
abartlet at samba.org
Thu Nov 18 17:14:45 MST 2010
On Thu, 2010-11-18 at 16:07 -0800, Jeremy Allison wrote:
> On Fri, Nov 19, 2010 at 10:57:26AM +1100, Andrew Bartlett wrote:
> >
> > I can't even see SeSecurityPrivilege in v3-5-test. Is it defined like
> > all the others, or has someone added it in another patch, with an
> > unexpected LUID value?
>
> It's added as part of the jumbo ACL patch, and was listed as
> being (0x8, 0x0), which was "high, low", not "low, high", so
> that's how I added it.
>
> > Ahh, so someone copied in the line literally, without paying attention
> > to the other values in context, and so used the high bits, and not the
> > low bits?
>
> Yep - pretty much the size of it.
>
> > That all makes sense, so it has the same definition as 3.6, rather than
> > following the pattern of the rest of the table. What had me confused
> > was that I was expecting that all privileges would work, or no
> > privileges would work...
>
> No, everything worked *except for SeSecurity* :-). Which made
> it fun to track down (actually it worked, it just wouldn't
> display).
:-)
> > Wow! I can see why folks are talking about eliminating the current 3.6 branch and trying again...
>
> As it's not stored anywhere in any tdb, but just used to
> talk to the client I could always reverse it in the ACL
> jumbo patch for 3.5.x, - which would mean the last patch
> wasn't needed. But still I don't like explicitly forcing
> high == 0 when that's not listed in any protocol docs
> that I know.
In theory, the LUID value is defined only by the server, and the client
should do a lookup by string first. This doesn't always happen, but all
the known values have high==0.

In the master code, we don't have what really caused the problem, which
is a check for high==0, but a table that allows a non-zero value to be
set. The new code simply operates on 'low' only.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
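
A simplified C model of the mismatch discussed in this thread, added here as an illustration and not taken from Samba's source: a lookup that insists on high == 0 next to a table that permits a non-zero high, then a table keyed on 'low' only. All struct, table and function names are hypothetical, and the table rows are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for illustration; not Samba's definitions. */
struct luid { uint32_t low, high; };
struct priv_entry { struct luid luid; const char *name; };

/* Constructed table. The last row has 0x8 in 'high', as happens when a
 * "(high, low)" listing is copied into a table whose other rows use 'low'. */
static const struct priv_entry old_table[] = {
    { { .low = 0x11, .high = 0x0 }, "SeBackupPrivilege" },
    { { .low = 0x12, .high = 0x0 }, "SeRestorePrivilege" },
    { { .low = 0x0,  .high = 0x8 }, "SeSecurityPrivilege" },
};
#define OLD_N (sizeof(old_table) / sizeof(old_table[0]))

/* Lookup that requires high == 0 before matching on low. */
static const char *old_name(struct luid l) {
    if (l.high != 0) return NULL;
    for (size_t i = 0; i < OLD_N; i++)
        if (old_table[i].luid.low == l.low) return old_table[i].name;
    return NULL;
}

/* Table check: every row's own LUID must resolve back to a name. */
static size_t count_unreachable(void) {
    size_t bad = 0;
    for (size_t i = 0; i < OLD_N; i++)
        if (old_name(old_table[i].luid) == NULL) bad++;
    return bad;
}

/* Low-only variant: the table cannot express a non-zero high at all. */
struct priv_low { uint32_t low; const char *name; };
static const struct priv_low new_table[] = {
    { 0x11, "SeBackupPrivilege" }, { 0x12, "SeRestorePrivilege" },
    { 0x8, "SeSecurityPrivilege" },
};
static const char *new_name(uint32_t low) {
    for (size_t i = 0; i < sizeof(new_table) / sizeof(new_table[0]); i++)
        if (new_table[i].low == low) return new_table[i].name;
    return NULL;
}

int main(void) {
    printf("rows the old lookup cannot display: %zu\n", count_unreachable());
    printf("low-only lookup of 0x8: %s\n", new_name(0x8));
    return 0;
}
```

A round-trip check like `count_unreachable()` run over the table at build or test time flags any row whose stored LUID the lookup path would reject.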