Hi All,
         I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell, but the command returns NT_STATUS_ACCESS_DENIED.

This is on Solaris 10 (Sparc) and Samba 3.2.1. OS and Samba are both configured to look up users and groups in LDAP.

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns NT_STATUS_MEMBER_NOT_IN_GROUP, and the user is not removed from the group in LDAP (running smbldap-groupmod manually removes the user from LDAP).

In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"

With log level set to 10 I see the following for the add that may or may not be relevant.

Should the access check granted and required values be equal?

[2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
 api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
 api_rpc_cmds[22].fn == 200be4
     samr_AddGroupMember: struct samr_AddGroupMember
         in: struct samr_AddGroupMember
             group_handle             : *
                 group_handle: struct policy_handle
                     handle_type              : 0x00000000 (0)
                     uuid                     : 05000000-0000-0000-b248-b49e90510000
             rid                      : 0x00000bb8 (3000)
             flags                    : 0x00000005 (5)
[2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
 Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E ........ .....H..
 [010] 90 51 00 00                                       .Q..
[2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
 _samr_AddGroupMember: access check ((granted: 00000f001f; required: 0000000004)
[2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
 sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
 get_domain_group_from_sid

...

[2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
 smb_add_user_group: Running the command `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
 sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
 LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
     samr_AddGroupMember: struct samr_AddGroupMember
         out: struct samr_AddGroupMember
             result                   : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value
_samr_DeleteGroupMember: access check ((granted: 00000f001f; required: 0000000008)
then
 Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
 LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
     samr_DeleteGroupMember: struct samr_DeleteGroupMember
         out: struct samr_DeleteGroupMember
             result                   : NT_STATUS_MEMBER_NOT_IN_GROUP


Any thoughts or pointers as to where I should be looking?

Thanks,
         Duncan



--
The University of St Andrews is a charity registered in Scotland : No SC013532
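
An added example, not part of the original post and not Samba's own code: it parses the two access-check lines quoted in the message and applies the usual access-mask subset test, (granted & required) == required, rather than an equality test. The bit names are the MS-SAMR group access rights and are an assumption about what the logged masks encode; the function names are hypothetical.

```python
import re

# Group-object access bits as named in MS-SAMR (assumption: the logged masks use them).
GROUP_RIGHTS = {
    0x01: "GROUP_READ_INFORMATION",
    0x02: "GROUP_WRITE_ACCOUNT",
    0x04: "GROUP_ADD_MEMBER",
    0x08: "GROUP_REMOVE_MEMBER",
    0x10: "GROUP_LIST_MEMBERS",
}
STANDARD_RIGHTS_REQUIRED = 0x000F0000  # DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER

# The two access-check lines copied from the post.
SAMPLE_LOG = """\
_samr_AddGroupMember: access check ((granted: 00000f001f; required: 0000000004)
_samr_DeleteGroupMember: access check ((granted: 00000f001f; required: 0000000008)
"""

LINE_RE = re.compile(
    r"(?P<fn>_samr_\w+): access check \(\(granted: (?:0x)?(?P<granted>[0-9a-fA-F]+); "
    r"required: (?:0x)?(?P<required>[0-9a-fA-F]+)\)"
)

def decode(mask):
    """Return the names of the rights set in an access mask."""
    names = [name for bit, name in sorted(GROUP_RIGHTS.items()) if mask & bit]
    if (mask & STANDARD_RIGHTS_REQUIRED) == STANDARD_RIGHTS_REQUIRED:
        names.append("STANDARD_RIGHTS_REQUIRED")
    return names

def check_line(line):
    """Parse one access-check log line; None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    granted = int(m.group("granted"), 16)
    required = int(m.group("required"), 16)
    return {
        "function": m.group("fn"),
        "granted": decode(granted),
        "required": decode(required),
        "missing": decode(required & ~granted),  # rights asked for but not held
        "passes": (granted & required) == required,  # subset test, not equality
    }

def check_log(text):
    return [r for r in map(check_line, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for result in check_log(SAMPLE_LOG):
        print(result)
```

Both quoted checks pass this test with nothing missing, which is consistent with the log showing the add script being run after the check.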
