On Sun, 2003-02-09 at 02:26, [EMAIL PROTECTED] wrote:
> Simo,
>
> > I have not investigated too much further, but if you do not see any
> > further name transfer, I presume that once the name-number pair has
> > been transferred to the BDC, then the PDC can send numbers only.
>
> Interesting, that is certainly a possibility.
>
> One of the reasons this interests me is that I am debating whether to
> store the privileges.tdb indexed by name or by number. By name seems
> to match the LSA interface, but I'm concerned that it won't match the
> SAMR interface well.

Yes, and it would be painfully slow to check a string every time. My
solution was to do an internal mapping for Samba, but I'm not sure a
bitmask is the best way to do it. I think that a list of uint32 is
acceptable, so that we can really define 2^32 privileges.

> I'm also thinking of adding more privileges, beyond those Microsoft
> define. For example, we currently have a number of smb.conf settings
> that match up quite well with the way privileges work and that we
> could define as privileges, allowing much easier per-user and
> per-group setting. A good example is 'dos filetimes'. We could have a
> 'DosFiletimes' privilege that is granted to those who need the
> functionality.
>
> This also affects the decision of indexing by name or number. There
> are currently 19 privileges that I know of defined by Win2000. If we
> add a few for Samba specific privileges, and Microsoft add a few in
> future releases of Windows, then we could easily end up with more than
> 32, which would make simple bit masks tricky on machines without a 64
> bit integer.

Yes, that is what I, and before me Jean Francois, thought about that.

Furthermore, while it is certainly a possibility that MS programmers
made the transfer by string as a mistake, in reality I think it has
been done on purpose, so that they could add new privileges easily if
needed.

I think our best bet could be to keep the string-number pair we receive
from a PDC intact and associate to this pair a second number internal
to Samba. An interface that is able to map a Samba internal privilege
number to a Windows string-number pair should be provided, so that if
we discover new privilege names besides the ones we already know we can
easily map them to a Samba-own privilege if needed (or map a known
unused one to a Samba one so that admins can manipulate it easily
through Windows interfaces).

> Finally, we will need an admin interface for privileges. The two
> possible ways to do this are a local 'net privilege' command that
> manipulates directly via pdb, or a remote command like 'net rpc
> privilege' that manipulates via MSRPC. The advantage of 'net rpc
> privilege' is that it will work against remote servers. The advantage
> of a local command is that it will work when smbd is not running. Or
> maybe we should have 'net rpc privilege' and a local edit via pdbedit?

Yes, it seems the best solution.

Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
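The mapping Simo sketches above, as an added example that is not Samba's code and not part of the original thread: the (name, number) pair received from a PDC is stored intact, a Samba-internal number is attached to it, string compares happen only once at the LSA/PDC boundary, and a user's privileges are kept as a list of uint32 rather than a bitmask so that more than 32 fit. The Windows privilege names are real, but the numbers paired with them are constructed sample values (Windows assigns LUIDs locally), and every function name here is hypothetical. `priv_set_win_number` shows the "map a known unused Windows pair to a Samba-own privilege" idea; `DosFiletimes` is the Samba-only privilege proposed in the quoted mail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Samba code. Windows numbers below are constructed samples. */
#define PRIV_MAX 64                 /* size of the mapping table and of a set   */

struct priv_entry {
    uint32_t samba_id;              /* Samba-internal number, 1-based; 0 = none */
    char     name[64];              /* Windows name as received, or our own     */
    uint32_t win_number;            /* Windows number as received, 0 = none     */
};

static struct priv_entry priv_table[PRIV_MAX];
static size_t priv_count;

/* Register a privilege; returns its internal id, or 0 if table is full or the
   name is already known. Samba-only privileges pass win_number 0. */
uint32_t priv_register(const char *name, uint32_t win_number)
{
    if (name == NULL || priv_count >= PRIV_MAX)
        return 0;
    for (size_t i = 0; i < priv_count; i++)
        if (strcmp(priv_table[i].name, name) == 0)
            return 0;
    struct priv_entry *e = &priv_table[priv_count++];
    e->samba_id = (uint32_t)priv_count;
    snprintf(e->name, sizeof e->name, "%s", name);
    e->win_number = win_number;
    return e->samba_id;
}

/* The one place a string compare happens: translating an LSA/PDC name. */
uint32_t priv_id_by_name(const char *name)
{
    for (size_t i = 0; i < priv_count; i++)
        if (strcmp(priv_table[i].name, name) == 0)
            return priv_table[i].samba_id;
    return 0;
}

/* Used when a PDC sends numbers only after the pairs were transferred. */
uint32_t priv_id_by_win_number(uint32_t win_number)
{
    if (win_number == 0) return 0;
    for (size_t i = 0; i < priv_count; i++)
        if (priv_table[i].win_number == win_number)
            return priv_table[i].samba_id;
    return 0;
}

const char *priv_name(uint32_t samba_id)
{
    if (samba_id == 0 || samba_id > priv_count) return NULL;
    return priv_table[samba_id - 1].name;
}

/* Attach (or change) the Windows number of a privilege, e.g. to expose a
   Samba-only privilege through Windows tools via an unused Windows pair.
   Refuses a number already mapped to another privilege. */
int priv_set_win_number(uint32_t samba_id, uint32_t win_number)
{
    if (samba_id == 0 || samba_id > priv_count) return -1;
    uint32_t owner = priv_id_by_win_number(win_number);
    if (owner != 0 && owner != samba_id) return -1;
    priv_table[samba_id - 1].win_number = win_number;
    return 0;
}

/* A privilege set: unordered list of internal ids, no 32-bit ceiling. */
struct priv_set { uint32_t ids[PRIV_MAX]; size_t count; };

int priv_set_has(const struct priv_set *s, uint32_t id)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->ids[i] == id) return 1;
    return 0;
}

int priv_set_add(struct priv_set *s, uint32_t id)
{
    if (id == 0 || id > priv_count) return -1;  /* unknown privilege */
    if (priv_set_has(s, id)) return 0;
    if (s->count >= PRIV_MAX) return -1;
    s->ids[s->count++] = id;
    return 0;
}

int priv_set_remove(struct priv_set *s, uint32_t id)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->ids[i] == id) {
            s->ids[i] = s->ids[--s->count];     /* order does not matter */
            return 1;
        }
    return 0;
}

/* Load a few Windows privileges plus the Samba-only one from the thread. */
size_t priv_load_defaults(void)
{
    priv_count = 0;
    priv_register("SeMachineAccountPrivilege", 6);   /* sample numbers */
    priv_register("SeBackupPrivilege", 17);
    priv_register("SeRestorePrivilege", 18);
    priv_register("SeRemoteShutdownPrivilege", 24);
    priv_register("DosFiletimes", 0);                 /* Samba-only, no pair */
    return priv_count;
}

/* Pad the table with synthetic Samba privileges up to n entries; shows the
   list representation working past the 32nd privilege. */
size_t priv_fill_to(size_t n)
{
    char buf[64];
    while (priv_count < n && priv_count < PRIV_MAX) {
        snprintf(buf, sizeof buf, "SambaPriv%zu", priv_count + 1);
        priv_register(buf, 0);
    }
    return priv_count;
}
```

With this layout the SAMR side and the internal access checks compare integers only, the LSA side still accepts and returns the Windows strings unchanged, and a privileges.tdb record can store the uint32 list without caring how many privileges Windows or Samba define later.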