[PATCH] tidy-up and clarification in objectclass module (was Re: SYSTEM vs RELAX in lsa)

Andrew Bartlett abartlet at samba.org
Thu Nov 25 16:32:50 MST 2010


On Thu, 2010-11-25 at 09:40 +0100, Matthias Dieter Wallnöfer wrote:
> Hi tridge,
> 
> the best explanation you will find in my dochelp request which was also 
> logged on "cifs-protocol". Basically we have to deny modifications of 
> trusted domain and secret objects over LDAP.
> 
> Now I've seen about the possibility of untrusted connections. I'm 
> working on a patch which uses this one - should be much safer, or?

I've looked at the discussion on cifs-protocol, and it seems we may need
to ensure that the LSA operations are protected directly not just by
virtue of the DS ACLs that may apply to LDAP operations.

That is, we currently assume in much of our SAMR and LSA server that the
DS layer will do the right access control.  We already know that this
isn't strictly true, and we should consider if we have to do more access
control at the LSA level.

On your new patch, I was reviewing it with tridge, and I think this
additional patch may improve performance and help others understand the
subtle interaction here.  I also attach another tidy-up for your review.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-dsdb-Reorganise-and-clarify-the-LSA-objectClass-c.patch
Type: text/x-patch
Size: 3774 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101126/67046955/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-objectclass-Use-a-specific-local-variable-name-no.patch
Type: text/x-patch
Size: 1787 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101126/67046955/attachment-0001.bin>