Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
John H Terpstra wrote:
> On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
>> Hi All,
>> I'm trying to add a user to a group using
>>
>> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>>
>> The user is added to the group as far as I can tell but the command
>> returns NT_STATUS_ACCESS_DENIED
>>
>> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
>> configured to lookup users and groups in LDAP.
>>
>> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
>> CROOMTEST\dunk
>>
>> Trying to remove the user from the group returns
>> NT_STATUS_MEMBER_NOT_IN_GROUP and the user is not removed from the
>> group in LDAP (running smbldap-groupmod manually removes the user from LDAP)
>>
>> In smb.conf, I have
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>
>> With log level set to 10 I see the following for the add that may or may
>> not be relevant.
>>
>> Should the access check granted and required values be equal?
>>
>> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>> api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
>> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>> api_rpc_cmds[22].fn == 200be4
>> samr_AddGroupMember: struct samr_AddGroupMember
>> in: struct samr_AddGroupMember
>> group_handle : *
>> group_handle: struct policy_handle
>> handle_type : 0x (0)
>> uuid : 0500---b248-b49e9051
>> rid : 0x0bb8 (3000)
>> flags: 0x0005 (5)
>> [2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>> Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E .H..
>> [010] 90 51 00 00 .Q..
>> [2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>> _samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
>> [2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>> sid is S-1-5-21-440367617-1876916578-3462541782-3003
>> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>> get_domain_group_from_sid
>>
>> ...
>>
>> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
>> smb_add_user_group: Running the command
>> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
>> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>> sys_getgrouplist: user [dunk]
>> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> ...
>> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>> LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>> samr_AddGroupMember: struct samr_AddGroupMember
>> out: struct samr_AddGroupMember
>> result : NT_STATUS_ACCESS_DENIED
>>
>> For delmem I again get the same access check granted value
>> _samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
>> then
>> Get_Pwnam_internals did find user [dunk]!
>> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>> LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>> samr_DeleteGroupMember: struct samr_DeleteGroupMember
>> out: struct samr_DeleteGroupMember
>> result : NT_STATUS_MEMBER_NOT_IN_GROUP
>>
>> Any thoughts or pointers as to where I should be looking?
>
> Have you tried to execute this script manually?
>
> Example:
>     smbldap-useradd -G new_group user_name
>
> If that works, check that you gave Samba permission to update the LDAP
> directory.
>
> Did you execute the following?:
>
>     smbpasswd -w LDAP_Secret_Password
>
> also, check that the user you are using to do this, and/or the group that
> user belongs to, has the rights and privileges needed to do this:
>
>     net rpc rights list accounts -Uroot%password
>
> - John T.

Hi John,

For what it's worth, the error message has gone now I'm using 3.2.2 and
padl's nss_ldap library and I'm assuming it's the padl nss_ldap library
that's solved it.

A cursory glance at the ldap logs and what happens there looks similar,
user still successfully added to the group. If I'd kept digging at this it
may have shown why the groups were not showing up in windows.

Cheers,
Duncan

--
The University of St Andrews is a charity registered in Scotland : No SC013532
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
John H Terpstra wrote:
> On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
>> Hi All,
>> I'm trying to add a user to a group using
>>
>> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>>
>> The user is added to the group as far as I can tell but the command
>> returns NT_STATUS_ACCESS_DENIED
>>
>> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
>> configured to lookup users and groups in LDAP.
>>
>> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
>> CROOMTEST\dunk
>>
>> Trying to remove the user from the group returns
>> NT_STATUS_MEMBER_NOT_IN_GROUP and the user is not removed from the
>> group in LDAP (running smbldap-groupmod manually removes the user from LDAP)
>>
>> In smb.conf, I have
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>
>> With log level set to 10 I see the following for the add that may or may
>> not be relevant.
>>
>> Should the access check granted and required values be equal?
>>
>> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>> api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
>> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>> api_rpc_cmds[22].fn == 200be4
>> samr_AddGroupMember: struct samr_AddGroupMember
>> in: struct samr_AddGroupMember
>> group_handle : *
>> group_handle: struct policy_handle
>> handle_type : 0x (0)
>> uuid : 0500---b248-b49e9051
>> rid : 0x0bb8 (3000)
>> flags: 0x0005 (5)
>> [2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>> Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E .H..
>> [010] 90 51 00 00 .Q..
>> [2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>> _samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
>> [2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>> sid is S-1-5-21-440367617-1876916578-3462541782-3003
>> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>> get_domain_group_from_sid
>>
>> ...
>>
>> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
>> smb_add_user_group: Running the command
>> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
>> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>> sys_getgrouplist: user [dunk]
>> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> ...
>> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>> LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>> samr_AddGroupMember: struct samr_AddGroupMember
>> out: struct samr_AddGroupMember
>> result : NT_STATUS_ACCESS_DENIED
>>
>> For delmem I again get the same access check granted value
>> _samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
>> then
>> Get_Pwnam_internals did find user [dunk]!
>> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>> LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>> samr_DeleteGroupMember: struct samr_DeleteGroupMember
>> out: struct samr_DeleteGroupMember
>> result : NT_STATUS_MEMBER_NOT_IN_GROUP
>>
>> Any thoughts or pointers as to where I should be looking?
>
> Have you tried to execute this script manually?
>
> Example:
>     smbldap-useradd -G new_group user_name
>
> If that works, check that you gave Samba permission to update the LDAP
> directory.
>
> Did you execute the following?:
>
>     smbpasswd -w LDAP_Secret_Password
>
> also, check that the user you are using to do this, and/or the group that
> user belongs to, has the rights and privileges needed to do this:
>
>     net rpc rights list accounts -Uroot%password
>
> - John T.

I haven't tried that script as I was trying to add an existing user to a
current group, so samba calls

    /usr/local/sbin/smbldap-groupmod -m "dunk" "room11"

The script does work and adds the user to the group in LDAP, the samba logs
show the script returning 0 but the ACCESS_DENIED message still occurs, so I
was wondering if something else should be happening and it's broken in a way
that I've not noticed yet.

net rpc rights list accounts ... returned

    CROOMTEST\Domain Admins
    SeMachineAccountPrivilege
    SeTakeOwnershipPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

but bin/net rpc rights list root .. return nothing so I explicitly added the
rights to root as well but still get the same error. If

Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
> Hi All,
> I'm trying to add a user to a group using
>
> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>
> The user is added to the group as far as I can tell but the command
> returns NT_STATUS_ACCESS_DENIED
>
> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
> configured to lookup users and groups in LDAP.
>
> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
> CROOMTEST\dunk
>
> Trying to remove the user from the group returns
> NT_STATUS_MEMBER_NOT_IN_GROUP and the user
> is not removed from the group in LDAP (running smbldap-groupmod manually
> removes the user from LDAP)
>
> In smb.conf, I have
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
> "%g"
>
> With log level set to 10 I see the following for the add that may or may
> not be relevant.
>
> Should the access check granted and required values be equal?
>
> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
> api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
> api_rpc_cmds[22].fn == 200be4
> samr_AddGroupMember: struct samr_AddGroupMember
> in: struct samr_AddGroupMember
> group_handle : *
> group_handle: struct policy_handle
> handle_type : 0x (0)
> uuid :
> 0500---b248-b49e9051
> rid : 0x0bb8 (3000)
> flags: 0x0005 (5)
> [2008/08/25 12:59:48, 4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
> Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48
> B4 9E .H..
> [010] 90 51 00 00 .Q..
> [2008/08/25 12:59:48, 5]
> rpc_server/srv_samr_nt.c:access_check_samr_function(227)
> _samr_AddGroupMember: access check ((granted: 0f001f; required:
> 04)
> [2008/08/25 12:59:48, 10]
> rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
> sid is S-1-5-21-440367617-1876916578-3462541782-3003
> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
> get_domain_group_from_sid
>
> ...
>
> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
> smb_add_user_group: Running the command
> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
> sys_getgrouplist: user [dunk]
> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> ...
> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
> LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
> samr_AddGroupMember: struct samr_AddGroupMember
> out: struct samr_AddGroupMember
> result : NT_STATUS_ACCESS_DENIED
>
> For delmem I again get the same access check granted value
> _samr_DeleteGroupMember: access check ((granted: 0f001f;
> required: 08)
> then
> Get_Pwnam_internals did find user [dunk]!
> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
> LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
> samr_DeleteGroupMember: struct samr_DeleteGroupMember
> out: struct samr_DeleteGroupMember
> result : NT_STATUS_MEMBER_NOT_IN_GROUP
>
>
> Any thoughts or pointers as to where I should be looking?

Have you tried to execute this script manually?

Example:
    smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP
directory.

Did you execute the following?:

    smbpasswd -w LDAP_Secret_Password

also, check that the user you are using to do this, and/or the group that
user belongs to, has the rights and privileges needed to do this:

    net rpc rights list accounts -Uroot%password

- John T.
--
John H Terpstra
"Don't do as I do; Show me better!" - Anonymous.

[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
Hi All,
I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell but the command
returns NT_STATUS_ACCESS_DENIED

This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
configured to lookup users and groups in LDAP.

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns
NT_STATUS_MEMBER_NOT_IN_GROUP and the user is not removed from the
group in LDAP (running smbldap-groupmod manually removes the user from LDAP)

In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"

With log level set to 10 I see the following for the add that may or may
not be relevant.

Should the access check granted and required values be equal?

[2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
api_rpc_cmds[22].fn == 200be4
samr_AddGroupMember: struct samr_AddGroupMember
in: struct samr_AddGroupMember
group_handle : *
group_handle: struct policy_handle
handle_type : 0x (0)
uuid : 0500---b248-b49e9051
rid : 0x0bb8 (3000)
flags: 0x0005 (5)
[2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E .H..
[010] 90 51 00 00 .Q..
[2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
_samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
[2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
get_domain_group_from_sid

...

[2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
smb_add_user_group: Running the command
`/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
samr_AddGroupMember: struct samr_AddGroupMember
out: struct samr_AddGroupMember
result : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value
_samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
then
Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
samr_DeleteGroupMember: struct samr_DeleteGroupMember
out: struct samr_DeleteGroupMember
result : NT_STATUS_MEMBER_NOT_IN_GROUP

Any thoughts or pointers as to where I should be looking?

Thanks,
Duncan

--
The University of St Andrews is a charity registered in Scotland : No SC013532
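
Added example, not part of the original thread or of Samba's code: the question above about whether the granted and required values should be equal comes down to a bitmask test. This Python sketch parses the two access-check lines quoted in the thread (plus one constructed failing line) and decodes them with the MS-SAMR group access bits; it assumes the usual rule that a check passes when every required bit is present in the granted mask.

```python
import re

# Group object access bits from MS-SAMR, plus the standard rights
# shared by all securable objects (upper word of the mask).
RIGHTS = {
    0x00000001: "GROUP_READ_INFORMATION",
    0x00000002: "GROUP_WRITE_ACCOUNT",
    0x00000004: "GROUP_ADD_MEMBER",
    0x00000008: "GROUP_REMOVE_MEMBER",
    0x00000010: "GROUP_LIST_MEMBERS",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# Matches smbd debug lines such as
#   _samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
CHECK_RE = re.compile(
    r"(_samr_\w+): access check \(+granted:\s*(?:0x)?([0-9a-fA-F]+);"
    r"\s*required:\s*(?:0x)?([0-9a-fA-F]+)\)"
)

def decode(mask):
    """Return the names of the bits set in mask; unknown bits as hex."""
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def evaluate(log_text):
    """Evaluate every access-check line found in log_text."""
    results = []
    for func, granted_hex, required_hex in CHECK_RE.findall(log_text):
        granted, required = int(granted_hex, 16), int(required_hex, 16)
        missing = required & ~granted  # required bits the handle lacks
        results.append({
            "function": func,
            "required": decode(required),
            "missing": decode(missing),
            "passes": missing == 0,  # assumed rule: all required bits granted
        })
    return results

# First two lines are from the thread; the third is constructed to show a failure.
SAMPLE = """\
_samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
_samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
_samr_AddGroupMember: access check ((granted: 000011; required: 04)
"""

if __name__ == "__main__":
    for r in evaluate(SAMPLE):
        print(r)
```

Under that rule both checks from the thread pass, since 0f001f contains 04 and 08, so the mask comparison is not what produced the NT_STATUS_ACCESS_DENIED reported at the end of the call.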