John H Terpstra wrote:
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
Hi All,
I'm trying to add a user to a group using
/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
The user is added to the group as far as I can tell but the command
returns NT_STATUS_ACCESS_DENIED
This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
configured to lookup users and groups in LDAP.
/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk
Trying to remove the user from the group returns
NT_STATUS_MEMBER_NOT_IN_GROUP and the user
is not removed from the group in LDAP (running smbldap-groupmod manually
removes the user from LDAP)
In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
"%g"
With log level set to 10 I see the following for the add that may or may
not be relevant.
Should the access check granted and required values be equal?
[2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
api_rpc_cmds[22].fn == 200be4
samr_AddGroupMember: struct samr_AddGroupMember
in: struct samr_AddGroupMember
group_handle : *
group_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
05000000-0000-0000-b248-b49e90510000
rid : 0x00000bb8 (3000)
flags : 0x00000005 (5)
[2008/08/25 12:59:48, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48
B4 9E ........ .....H..
[010] 90 51 00 00 .Q..
[2008/08/25 12:59:48, 5]
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
_samr_AddGroupMember: access check ((granted: 00000f001f; required:
0000000004)
[2008/08/25 12:59:48, 10]
rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
get_domain_group_from_sid
...
[2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
smb_add_user_group: Running the command
`/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
samr_AddGroupMember: struct samr_AddGroupMember
out: struct samr_AddGroupMember
result : NT_STATUS_ACCESS_DENIED
For delmem I again get the same access check granted value
_samr_DeleteGroupMember: access check ((granted: 00000f001f;
required: 0000000008)
then
Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
samr_DeleteGroupMember: struct samr_DeleteGroupMember
out: struct samr_DeleteGroupMember
result : NT_STATUS_MEMBER_NOT_IN_GROUP
Any thoughts or pointers as to where I should be looking?
Have you tried to execute this script manually?
Example:
smbldap-useradd -G new_group user_name
If that works, check that you gave Samba permission to update the LDAP
directory. Did you execute the following?:
smbpasswd -w LDAP_Secret_Password
also, check that the user you are using to do this, and/or the group that user
belongs to, has the rights and privileges needed to do this:
net rpc rights list accounts -Uroot%password
- John T.
I haven't tried that script as I was trying to add an existing user to a
current group, so samba calls
/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"
The script does work and adds the user to the group in LDAP, the samba
logs show the script returning 0
but the ACCESS_DENIED message still occurs, so I was wondering if
something else should be happening
and it's broken in a way that I've not noticed yet.
net rpc rights list accounts ... returned
CROOMTEST\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
but bin/net rpc rights list root .. return nothing so I explicitly added
the rights to root as well but
still get the same error.
If I use useradd -G , the user is added to the supplementary group with
no error message. I've noticed
that unless I use -a to make them a windows user, I get an
NT_STATUS_NONE_MAPPED error,
if I use useradd -m -a -G ... then the user is added to the correct
supplementary groups and I can add
more groups using ../net rpc group addmem but with the
NT_STATUS_ACCESS_DENIED error message.
Given this, there seems to be no difference in the outcome, whether I
see the DENIED message or not,
the user is still added into the LDAP group. I'm assuming here that
there are no local databases used
for group information when using LDAP for both samba and OS?
Thanks,
Duncan
--
The University of St Andrews is a charity registered in Scotland : No SC013532
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
