
List:       samba-technical
Subject:    Re: [PATCH] tidy-up and clarification in objectclass module (was
From:       Matthias Dieter Wallnöfer <mdw () samba ! org>
Date:       2010-11-26 8:56:26
Message-ID: 4CEF763A.90604 () samba ! org

Please feel free to merge!

Andrew Bartlett wrote:
> On Thu, 2010-11-25 at 09:40 +0100, Matthias Dieter Wallnöfer wrote:
>    
>> Hi tridge,
>>
>> the best explanation you will find in my dochelp request which was also
>> logged on "cifs-protocol". Basically we have to deny modifications of
>> trusted domain and secret objects over LDAP.
>>
>> Now I've seen about the possibility of untrusted connections. I'm
>> working on a patch which uses this one - should be much safer, or?
>>      
> I've looked at the discussion on cifs-protocol, and it seems we may need
> to ensure that the LSA operations are protected directly not just by
> virtue of the DS ACLs that may apply to LDAP operations.
>
> That is, we currently assume in much of our SAMR and LSA server that the
> DS layer will do the right access control.  We already know that this
> isn't strictly true, and we should consider if we have to do more access
> control at the LSA level.
>
> On your new patch, I was reviewing it with tridge, and I think this
> additional patch may improve performance and help others understand the
> subtle interaction here.  I also attach another tidy-up for your review.
>
> Andrew Bartlett
>
>    
