Registry ACLs and credentials

Andrew Bartlett abartlet at samba.org
Mon Dec 12 05:23:36 GMT 2005


I've been working on a secure, remote LDAP backend for Samba4, which has
required some re-engineering work.  This showed up all the callers to
ldb_wrap_connect(), and this naturally includes the Samba4 registry.

Currently we entirely ignore the issue, but with the main LDB ACLs work
ongoing, I wondered how we intended to handle this?

I was hoping we might be able to re-use the same module in both cases,
which raises my real question:  Can someone who understands the registry
layer please plumb the session_info and credentials information from the
callers into the registry?  (The current layering makes my head spin a
bit...)

This should also allow a forwarded registry (with krb5 forwarded
tickets), authentication on a remote ldb backend and other neat things.

In ldb we will shortly pass down:
 - the session_info, which is typically the system token in ldbedit or
the user's own token in smbd.
 - a separate set of credentials, to override the above, so that ldbedit
will use command line parameters.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net