John H Terpstra wrote:
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
Hi All,
I'm trying to add a user to a group using
/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
The user is added to the group as far as I can tell but the command
returns NT_STATUS_ACCESS_DENIED
This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
configured to lookup users and groups in LDAP.
/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk
Trying to remove the user from the group returns
NT_STATUS_MEMBER_NOT_IN_GROUP and the user
is not removed from the group in LDAP (running smbldap-groupmod manually
removes the user from LDAP)
In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
"%g"
With log level set to 10 I see the following for the add that may or may
not be relevant.
Should the access check granted and required values be equal?
[2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
api_rpc_cmds[22].fn == 200be4
samr_AddGroupMember: struct samr_AddGroupMember
in: struct samr_AddGroupMember
group_handle : *
group_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
05000000-0000-0000-b248-b49e90510000
rid : 0x00000bb8 (3000)
flags : 0x00000005 (5)
[2008/08/25 12:59:48, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48
B4 9E ........ .....H..
[010] 90 51 00 00 .Q..
[2008/08/25 12:59:48, 5]
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
_samr_AddGroupMember: access check ((granted: 00000f001f; required:
0000000004)
[2008/08/25 12:59:48, 10]
rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
get_domain_group_from_sid
...
[2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
smb_add_user_group: Running the command
`/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
samr_AddGroupMember: struct samr_AddGroupMember
out: struct samr_AddGroupMember
result : NT_STATUS_ACCESS_DENIED
For delmem I again get the same access check granted value
_samr_DeleteGroupMember: access check ((granted: 00000f001f;
required: 0000000008)
then
Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
samr_DeleteGroupMember: struct samr_DeleteGroupMember
out: struct samr_DeleteGroupMember
result : NT_STATUS_MEMBER_NOT_IN_GROUP
Any thoughts or pointers as to where I should be looking?
Have you tried to execute this script manually?
Example:
smbldap-useradd -G new_group user_name
If that works, check that you gave Samba permission to update the LDAP
directory. Did you execute the following?:
smbpasswd -w LDAP_Secret_Password
also, check that the user you are using to do this, and/or the group that user
belongs to, has the rights and privileges needed to do this:
net rpc rights list accounts -Uroot%password
- John T.
Hi John,
For what it's worth, the error message has gone now I'm using 3.2.2 and
padl's nss_ldap library and
I'm assuming it's the padl nss_ldap library that's solved it.
A cursory glance at the ldap logs and what happens there looks similar,
user still successfully added
to the group. If I'd kept digging at this it may have shown why the
groups were not showing up in windows.
Cheers,
Duncan
--
The University of St Andrews is a charity registered in Scotland : No SC013532
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
