Simo,

> I have not investigated too much further, but if you do not see any
> further name transfer, I presume that once the name-number pair has
> been transferred to the BDC, then the PDC can send numbers only.

Interesting, that is certainly a possibility.

One of the reasons this interests me is that I am debating whether to store the privileges.tdb indexed by name or by number. By name seems to match the LSA interface, but I'm concerned that it won't match the SAMR interface well.

I'm also thinking of adding more privileges, beyond those that Microsoft define. For example, we currently have a number of smb.conf settings that match up quite well with the way privileges work and that we could define as privileges, allowing much easier per-user and per-group setting. A good example is 'dos filetimes'. We could have a 'DosFiletimes' privilege that is granted to those who need the functionality.

This also affects the decision of indexing by name or number. There are currently 19 privileges that I know of defined by Win2000. If we add a few for Samba-specific privileges, and Microsoft add a few in future releases of Windows, then we could easily end up with more than 32, which would make simple bit masks tricky on machines without a 64-bit integer.

Finally, we will need an admin interface for privileges. The two possible ways to do this are a local 'net privilege' command that manipulates directly via pdb, or a remote command like 'net rpc privilege' that manipulates via MSRPC. The advantage of 'net rpc privilege' is that it will work against remote servers. The advantage of a local command is that it will work when smbd is not running.

Or maybe we should have 'net rpc privilege' and a local edit via pdbedit?

Cheers, Tridge
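
The following is an added example, not part of the original message and not Samba code: a sketch of a privilege set indexed by number that can hold more than 32 privileges using only 32-bit words, with a name lookup that fails closed. The type and function names, `PRIV_MAX`, and the privilege numbers in the table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: privilege number N is bit N%32 of word N/32, so the
 * set can grow past 32 entries without needing a 64-bit integer type. */
#define PRIV_MAX   96
#define PRIV_WORDS ((PRIV_MAX + 31) / 32)
typedef struct { uint32_t w[PRIV_WORDS]; } priv_set;
/* Constructed name/number table; the numbers are illustrative only. */
static const struct { const char *name; unsigned num; } priv_table[] = {
    { "SeBackupPrivilege",  17 },
    { "SeRestorePrivilege", 18 },
    { "DosFiletimes",       40 },   /* Samba-specific, lands in word 1 */
};

/* Map a privilege name to its number; -1 if the name is unknown. */
static int priv_lookup(const char *name) {
    for (size_t i = 0; i < sizeof(priv_table) / sizeof(priv_table[0]); i++)
        if (strcmp(priv_table[i].name, name) == 0)
            return (int)priv_table[i].num;
    return -1;
}

/* Set one bit; out-of-range numbers are rejected, never wrapped. */
static int priv_grant(priv_set *s, unsigned num) {
    if (num >= PRIV_MAX) return -1;
    s->w[num / 32] |= (uint32_t)1 << (num % 32);
    return 0;
}

/* Test one bit; out-of-range numbers are treated as "not held". */
static int priv_has(const priv_set *s, unsigned num) {
    if (num >= PRIV_MAX) return 0;
    return (int)((s->w[num / 32] >> (num % 32)) & 1u);
}

/* Grant by name; an unknown name fails closed and changes nothing. */
static int priv_grant_name(priv_set *s, const char *name) {
    int n = priv_lookup(name);
    return n < 0 ? -1 : priv_grant(s, (unsigned)n);
}

int main(void) {
    priv_set s = { {0} };
    priv_grant_name(&s, "DosFiletimes");
    printf("%d %d\n", priv_has(&s, 40), priv_has(&s, 17));
    return 0;
}
```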