User database

Luke Kenneth Casson Leighton lkcl at samba-tng.org
Wed Mar 14 12:40:44 GMT 2001


On Wed, 14 Mar 2001, Sander Striker wrote:

> > > Luke seems to believe the best way to go is to reimplement the entire
> > > daemon for every backend.
> > 
> > entire? no: everything but the low-level common routines.  i assumed that
> > people would know what i meant by low-level common routines: see other
> > reply for that.
> 
> We can just put a 'template' samrd in the repository. Makes it easier to
> implement different instances, since you only have to fill in callback
> functions.

good idea.

it should probably include the calls to se_access_check or equiv, where
you have to "fill in" the means to obtain the security descriptor to use,
off of your back-end db.  with a proviso saying that you don't _have_ to
use these se_access_check functions, you can do your own!

btw: time to cross-post to samba-technical, about that.  for tdb, andrew
and i, back in.... march 2000, worked out a really good api: tdbsec.c.

the principle was that you prepend "SEC-" to the key, and store a security
"blob" under that extra keyname.

you must also provide, to the TDB_SEC_CTXT, a "blob-interpreting"
function.

when performing any operation, for which we had to add TDB_MODIFY to get
the full list of operations needed, the key is prepended with "SEC-", the
blob obtained under that extra key, and this is passed to the
"blob-interpreting" function, along with the type of operation (mod, get,
insert, delete).

pretty neat.  liked it a lot.  really enjoyed working with andrew on it.


...now that i think about it, the only thing missing was an extra "user
input" blob which would need to be passed into the "blob-interpreting"
function.

in the example where that function is "se_access_check" or a wrapper
around it to convert TDB ops to NT-sec-access permissions, then the extra
"user input" blob is the current NT-user security context.  and the "blob"
under the keyname "SEC-"xxxx is the NT security descriptor.

luke

 ----- Luke Kenneth Casson Leighton <lkcl at samba-tng.org> -----

"i want a world of dreams, run by near-sighted visionaries"
"good.  that's them sorted out.  now, on _this_ world..."
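The "SEC-" key scheme described in the message above, as an added example that is not Samba's or tdb's own code: a toy in-memory store stands in for tdb, and the blob format, the interpret_mask callback, the user_ctx "user input" blob and the deny-on-missing-blob default are assumptions of this example (a real build would hand the blob to se_access_check instead).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Operation types handed to the blob-interpreting callback (TDB_MODIFY completes the set). */
enum sec_op { SEC_GET = 1, SEC_INSERT = 2, SEC_MODIFY = 4, SEC_DELETE = 8 };
/* Toy in-memory key/value store standing in for tdb; constructed for this example. */
enum { N = 16, LEN = 64 };
struct entry { int used; char key[LEN]; unsigned char val[LEN]; size_t len; };
static struct entry store[N];

static struct entry *lookup(const char *key) {
    for (int i = 0; i < N; i++)
        if (store[i].used && strcmp(store[i].key, key) == 0) return &store[i];
    return NULL;
}

/* Unchecked write; also how an administrator would seed the "SEC-" blobs. */
static int raw_store(const char *key, const void *val, size_t len) {
    struct entry *e = lookup(key);
    for (int i = 0; !e && i < N; i++) if (!store[i].used) e = &store[i];
    if (!e || len > LEN || strlen(key) >= LEN) return -1;
    e->used = 1; strcpy(e->key, key); memcpy(e->val, val, len); e->len = len;
    return 0;
}
/* Security blob stored under "SEC-<key>" (constructed format: owner uid and per-op masks),
 * and the "user input" blob: the caller's security context. */
struct sec_blob { uint32_t owner_uid, owner_mask, other_mask; };
struct user_ctx { uint32_t uid; };
struct sec_ctxt { int (*interpret)(const void *, size_t, enum sec_op, const struct user_ctx *); };

/* One possible blob interpreter; a Samba build would wrap se_access_check here instead. */
static int interpret_mask(const void *blob, size_t len, enum sec_op op, const struct user_ctx *u) {
    struct sec_blob s;
    if (len != sizeof s) return 0;              /* malformed blob: deny */
    memcpy(&s, blob, sizeof s);
    return ((u->uid == s.owner_uid ? s.owner_mask : s.other_mask) & op) != 0;
}
/* Guarded operation: look up "SEC-"+key, consult the interpreter, then touch the record. */
static int tdbsec_op(const struct sec_ctxt *c, const struct user_ctx *u, enum sec_op op,
                     const char *key, const void *val, size_t len) {
    char seckey[LEN + 4];
    snprintf(seckey, sizeof seckey, "SEC-%s", key);
    struct entry *sec = lookup(seckey), *e = lookup(key);
    if (!sec || !c->interpret(sec->val, sec->len, op, u)) return -1;  /* missing blob: deny */
    if (op == SEC_GET) return e ? 0 : -1;
    if (op == SEC_DELETE) { if (!e) return -1; e->used = 0; return 0; }
    if ((op == SEC_INSERT && e) || (op == SEC_MODIFY && !e)) return -1;
    return raw_store(key, val, len);
}
```

Because the blob lives under its own "SEC-" key, deleting the record does not delete its blob; the example leaves that housekeeping to the caller.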