On Sat, Jun 01, 2002 at 12:17:19AM +0200, Kai Krueger wrote:
> currently, as far as I can see, the access control to the SAM database is
> only based upon file access to the db-files. On normal installations
> therefore only the root user can change, delete or add things instead of the
> entire administrators group. As this is IMHO rather "unhelpful", especially
> if you are trying to administer your samba-server from windows machines, I'm
> thinking about implementing a more "NT-like" access control to the SAM-db.
> Is there currently anybody else working in that region?

I'm thinking more seriously about it, but will probably end up only putting hacks in 2.2 instead. (-:

> I've started off with implementing default Security Descriptors for the
> global SAM object, the domain object and the alias objects (only SD for user
> objects were available till now), which are needed in the later to come

Is there more than one SD for the SAM system? I thought there was only a global one.

> se_access_check()s of the open/connect RPCs. These default SDs are based
> upon the SDs I received from my Win2k pro workstation. I don't have access
> to a Windows PDC, so I couldn't do it for global domain groups. :(

How did you display these? I'm curious now.

> However I don't know how to find out if those SIDs represent Users, Groups,
> or Aliases, so SDs for users are still always created in this case instead
> of the correct ones. Does anybody know an easy way to figure out which is
> correct?

I think it's impossible to tell the type of a sid without doing a sid to name lookup.

Tim.
