Re: [Samba] rpc command function failed! (NT_STATUS_ACCESS_DENIED) trying to grant privileges - 3.0.23a

2006-07-25 Thread Paul Griffith 
On Tue, Jul 25, 2006 at 12:37:43PM -0500, Gerald (Jerry) Carter wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Paul Griffith wrote:
> > Greetings,
> > 
> > I am in the process of testing Samba 3.0.23a with our own passdb
> > plugin. 
> ...
> > $ net -d 3 -S JAZZY rpc rights grant 'JAZZY\tech' 
> >   SeMachineAccountPrivilege
> ...
> > Failed to grant privileges for JAZZY\tech (NT_STATUS_ACCESS_DENIED)
> >   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> >   return code = 1
> > -
> > 
> > What could be causing this error? The only thing that 
> > catches my eyes is the following
> ...
> >   lsa_io_sec_qos: length c does not match size 8
> 
> I think you need to look at the server logs and not the
> client logs to debug this. I'm pretty sure this error message
> is not the problem though.
> 
> 
> 
> 
> 
> cheers, jerry
> =


I wonder if this is the cause of my problem. I see Samba is trying to
see if the group exists with a getsampwnam() call, but a check of
3.0.20a shows the same behaviour, and the same results (user does not
exist), but I can still assign rights.

Does 3.0.23a need a successfult lookup of a group name to assign
rights?


[2006/07/25 15:07:11, 5] pdb_udb.c:pdb_udb_getsampwnam(540)
  pdb_udb_getsampwnam: search by name: [tech]
[2006/07/25 15:07:11, 5] pdb_udb.c:pdb_udb_getsampwnam(575)
  pdb_udb_getsampwnam: search key: [tech:user]
[2006/07/25 15:07:11, 2] pdb_udb.c:udb_cmd(133)
  udb_cmd: sending: udb get tech:user name
[2006/07/25 15:07:11, 2] pdb_udb.c:udb_cmd(144)
  udb_cmd: result: error record tech:user does not exist
[2006/07/25 15:07:11, 0] pdb_udb.c:udb_to_sam(314)
  udb_to_sam: record [tech:user] does not exist
[2006/07/25 15:07:11, 5] pdb_udb.c:pdb_udb_getsampwnam(580)
  pdb_udb_getsampwnam: unable to locate user [tech]


Thanks
Paul

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] rpc command function failed! (NT_STATUS_ACCESS_DENIED) trying to grant privileges - 3.0.23a

2006-07-25 Thread Gerald (Jerry) Carter 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul Griffith wrote:
> Greetings,
> 
> I am in the process of testing Samba 3.0.23a with our own passdb
> plugin. 
...
> $ net -d 3 -S JAZZY rpc rights grant 'JAZZY\tech' 
>   SeMachineAccountPrivilege
...
> Failed to grant privileges for JAZZY\tech (NT_STATUS_ACCESS_DENIED)
>   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
>   return code = 1
> -
> 
> What could be causing this error? The only thing that 
> catches my eyes is the following
...
>   lsa_io_sec_qos: length c does not match size 8

I think you need to look at the server logs and not the
client logs to debug this. I'm pretty sure this error message
is not the problem though.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFExlbnIR7qMdg1EfYRAkSMAJ9J4mTuaZ2UUJTVHoNloYX8ENEkggCg0Oa8
2chmrdstEM+3YhqQplJMINo=
=TrK+
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] rpc command function failed! (NT_STATUS_ACCESS_DENIED) trying to grant privileges - 3.0.23a

2006-07-25 Thread Paul Griffith 
Greetings,

I am in the process of testing Samba 3.0.23a with our own passdb
plugin. As part of mytesting I am trying to join the domin so here are
the steps I take...


1 - get local sid
/usr/local/samba/bin/net getlocalsid
SID for domain JAZZY is: S-1-5-21-1016995387-3159270912-1426853295

2 - create group mappings
[EMAIL PROTECTED] ~]$ /usr/local/samba/bin/net groupmap list
Domain Users (S-1-5-21-1016995387-3159270912-1426853295-513) -> users
Domain Admins (S-1-5-21-1016995387-3159270912-1426853295-512) -> tech
Domain Guests (S-1-5-21-1016995387-3159270912-1426853295-514) -> nobody
[EMAIL PROTECTED] ~]$ 


3 - Assign  privileges to tech group so they can join machines to the
domain.

net -d 3 -S JAZZY rpc rights grant 'JAZZY\tech' SeMachineAccountPrivilege

[EMAIL PROTECTED] sbin]$ /usr/local/samba/bin/net -d 3 -S JAZZY rpc rights 
grant 'JAZZY\tech' SeMachineAccountPrivilege


[2006/07/25 11:37:50, 3] param/loadparm.c:lp_load(4945)
  lp_load: refreshing parameters
[2006/07/25 11:37:50, 3] param/loadparm.c:init_globals(1410)
  Initialising global parameters
[2006/07/25 11:37:50, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file
  "/usr/local/samba/lib/smb.conf"
[2006/07/25 11:37:50, 3] param/loadparm.c:do_section(3687)
  Processing section "[global]"
[2006/07/25 11:37:50, 1] param/loadparm.c:lp_do_parameter(3426)
  WARNING: The "printer admin" option is deprecated
[2006/07/25 11:37:50, 2] lib/interface.c:add_interface(81)
  added interface ip=130.xx.xx.xx bcast=130.xx.xx.xx
  nmask=255.255.255.0
[2006/07/25 11:37:50, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name JAZZY<0x20>
[2006/07/25 11:37:50, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name JAZZY<0x20>
[2006/07/25 11:37:50, 3] libsmb/namequery.c:resolve_wins(875)
  resolve_wins: using WINS server 130.xx.xx.xx and tag '*'
[2006/07/25 11:37:50, 2] libsmb/namequery.c:name_query(577)
  Got a positive name query response from 130.xx.xx.xx ( 130.xx.xx.xx
  )
Password:
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_start_connection(1417)
  Connecting to host=JAZZY
[2006/07/25 11:38:00, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 130.xx.xx.xx at port 445
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(723)
  Doing spnego session setup (blob length=58)
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(748)
  got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(757)
  got principal=NONE
[2006/07/25 11:38:00, 3]
libsmb/ntlmssp.c:ntlmssp_client_challenge(941)
  Got challenge flags:
[2006/07/25 11:38:00, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60890215
[2006/07/25 11:38:00, 3]
libsmb/ntlmssp.c:ntlmssp_client_challenge(963)
  NTLMSSP: Set final flags:
[2006/07/25 11:38:00, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
[2006/07/25 11:38:00, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/07/25 11:38:00, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
[2006/07/25 11:38:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine JAZZY pipe \lsarpc fnum 0x7622 bind
  request returned ok.
[2006/07/25 11:38:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine JAZZY pipe \lsarpc fnum 0x7623 bind
  request returned ok.
[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
Failed to grant privileges for JAZZY\tech (NT_STATUS_ACCESS_DENIED)
[2006/07/25 11:38:00, 1] utils/net_rpc.c:run_rpc_command(170)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2006/07/25 11:38:00, 2] utils/net.c:main(988)
  return code = 1
-

What could be causing this error? The only thing that catches my eyes
is the following

[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8

Anyone have any pointers ?

Thanks
Paul


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba