SYSTEM vs RELAX in lsa

Matthias Dieter Wallnöfer mdw at
Thu Nov 25 01:40:25 MST 2010

Hi tridge,

the best explaination you will find in my dochelp request which was also 
logged on "cifs-protocol". Basically we have to deny modifications of 
trusted domain and secret objects over LDAP.

Now I've seen about the possibility of untrusted connections. I'm 
working on a patch which uses this one - should be much safer, or?


tridge at wrote:
> Hi Matthias,
> Can you explain 1352a9406f3e3067a8e751ac157eab67796bc0c6 a bit more?
>   >  commit 1352a9406f3e3067a8e751ac157eab67796bc0c6
>   >  Author: Matthias Dieter Wallnöfer<mdw at>
>   >  Date:   Tue Nov 23 15:15:09 2010 +0100
>   >
>   >      s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control is specified
>   >
>   >      This fits better than the RELAX one.
> It looks to me like you've introduced a security hole. As far as I can
> tell, this means all LSA CreateTrustedDomain() calls now happen as
> SYSTEM, which would bypass all ACL checking.
> Also, why change from RELAX to SYSTEM at all? We should only ever do
> something as SYSTEM if we really need ACL bypass, and only when we
> have already done careful access checking in the call to ensure the
> user is allowed to perform this operation.
> Cheers, Tridge

More information about the samba-technical mailing list