On Wed, 2 Oct 2002, Andrew Bartlett wrote:

> > This seems like a lot of duplication of code and can lead to
> > "There's a bug in SAM1 but not SAM2". If the access checks
> > will always be the same, why push them into the SAM module and
> > force each write to cut-n-paste security descriptor code.
>
> Yes, I am worried about that a bit. The main issue is that I would like
> a single read from LDAP - so we don't get a race there. But we could do
> it 'after the fact', and get each module to pass up the security
> descriptor to the SAM interface layer.

Ahhh....ok I see now. But it still seems like a lot of duplicated code.
Taking another perspective, I'm still not convinced why a security
descriptor on each SAM object is needed. What do we gain by it at the
cost of added complexity?

> > So a SAM is a passdb with ACLs. What else?
>
> Groups and policies thrown in, but it's not really meant to be that

By policies you mean "rights" like "backup files"?

> massive. One step at a time and such things. Also a move to NTTIME in
> the interfaces, and an attempt to cope with a wider scope of problems.

What "wider scope of problems"? Without knowing what you are trying
to address, it's pretty hard to comment.

> Mostly it's a rework so we could move further forward than passdb could
> reasonably be stretched. It sounds big, but it really isn't...

cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
-- http://www.plainjoe.org
"SAMS Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--
