Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-27 Thread Duncan Brannen

John H Terpstra wrote:

On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:

Hi All,
  I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell but the command
returns NT_STATUS_ACCESS_DENIED

This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
configured to lookup users and groups in LDAP.

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns
NT_STATUS_MEMBER_NOT_IN_GROUP and the user
is not removed from the group in LDAP (running smbldap-groupmod manually
removes the user from LDAP)

In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u
%g

With log level set to 10 I see the following for the add that may or may
not be relevant.

Should the access check granted and required values be equal?

[2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
  api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
  api_rpc_cmds[22].fn == 200be4
  samr_AddGroupMember: struct samr_AddGroupMember
  in: struct samr_AddGroupMember
  group_handle : *
  group_handle: struct policy_handle
  handle_type  : 0x (0)
  uuid :
0500---b248-b49e9051
  rid  : 0x0bb8 (3000)
  flags: 0x0005 (5)
[2008/08/25 12:59:48,  4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
  Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48
B4 9E   .H..
  [010] 90 51 00 00   .Q..
[2008/08/25 12:59:48,  5]
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_AddGroupMember: access check ((granted: 0f001f;  required:
04)
[2008/08/25 12:59:48, 10]
rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
  sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
  get_domain_group_from_sid

...

[2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
  smb_add_user_group: Running the command
`/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
  LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
  samr_AddGroupMember: struct samr_AddGroupMember
  out: struct samr_AddGroupMember
  result   : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value
  _samr_DeleteGroupMember: access check ((granted: 0f001f;
required: 08)
then
  Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
  LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
  samr_DeleteGroupMember: struct samr_DeleteGroupMember
  out: struct samr_DeleteGroupMember
  result   : NT_STATUS_MEMBER_NOT_IN_GROUP


Any thoughts or pointers as to where I should be looking?



Have you tried to execute this script manually?

Example:
smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP 
directory.  Did you execute the following?:

smbpasswd -w LDAP_Secret_Password

also, check that the user you are using to do this, and/or the group that user 
belongs to,  has the rights and privileges needed to do this:

net rpc rights list accounts -Uroot%password

- John T.

Hi John,

For what it's worth, the error message has gone now that I'm using 3.2.2 and
padl's nss_ldap library, and I'm assuming it's the padl nss_ldap library
that's solved it.

From a cursory glance at the LDAP logs, what happens there looks similar:
the user is still successfully added to the group. If I'd kept digging at
this it may have shown why the groups were not showing up in Windows.


Cheers,
 Duncan


--
The University of St Andrews is a charity registered in Scotland : No SC013532

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
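
Duncan's question in the quoted log above, whether the granted and required values of the access check have to be equal, can be answered by reproducing the check Samba performs. The script below is an added example written for this page (editor's code, not Samba's and not from the thread). It parses the access-check, script and result lines out of a level-10 log, applies the same subset test that Samba's access_check_samr_function() uses, and then classifies where the call actually failed. The two log excerpts are constructed from the lines posted in the thread (joined where the mail client wrapped them); the access-mask bit names are the SAMR group-object rights (SAMR_GROUP_ACCESS_* in Samba's rpc_samr.h); and the classification order follows my reading of Samba 3.2's pdb_default_add_groupmem() and pdb_default_del_groupmem() in groupdb/mapping.c, which check unix group membership through NSS before and after the configured script and report NT_STATUS_ACCESS_DENIED when the lookup after a successful script still does not show the user.

```python
"""Decode Samba 3.x SAMR access-check log lines and locate where an
add-member / delete-member call actually failed.  Added example, not
Samba code; see the lead-in for what is assumed."""
import re

# Specific rights on a SAMR group object (SAMR_GROUP_ACCESS_* in Samba rpc_samr.h).
GROUP_RIGHTS = {
    0x00000001: "LOOKUP_INFO",
    0x00000002: "SET_INFO",
    0x00000004: "ADD_MEMBER",
    0x00000008: "REMOVE_MEMBER",
    0x00000010: "GET_MEMBERS",
}
# Standard rights in the upper word of the mask; 0x000f0000 is STANDARD_RIGHTS_ALL.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
ALL_RIGHTS = {**STANDARD_RIGHTS, **GROUP_RIGHTS}

# \s* tolerates the line wrap a mail client may insert between "required:" and the value.
ACCESS_CHECK_RE = re.compile(
    r"(?P<func>_samr_\w+): access check \(\(granted: (?P<granted>[0-9a-f]+);"
    r"\s*required:\s*(?P<required>[0-9a-f]+)\)", re.IGNORECASE)
SCRIPT_RE = re.compile(
    r"smb_(?:add|delete)_user_group: Running the command `(?P<cmd>[^']*)' gave (?P<rc>-?\d+)")
RESULT_RE = re.compile(r"result\s*:\s*(?P<status>NT_STATUS_\w+)")

# Constructed excerpts, reduced from the log lines posted in the thread.
ADD_LOG = """\
[2008/08/25 12:59:48,  5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_AddGroupMember: access check ((granted: 0f001f;  required: 04)
[2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
  smb_add_user_group: Running the command `/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist: user [dunk]
  samr_AddGroupMember: struct samr_AddGroupMember
  out: struct samr_AddGroupMember
  result   : NT_STATUS_ACCESS_DENIED
"""
DEL_LOG = """\
  _samr_DeleteGroupMember: access check ((granted: 0f001f;  required: 08)
  Get_Pwnam_internals did find user [dunk]!
  samr_DeleteGroupMember: struct samr_DeleteGroupMember
  out: struct samr_DeleteGroupMember
  result   : NT_STATUS_MEMBER_NOT_IN_GROUP
"""


def decode_mask(mask):
    """Names of the bits set in an access mask; unknown bits are kept as hex."""
    names = [name for bit, name in ALL_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(ALL_RIGHTS)
    if leftover:
        names.append("0x%08x" % leftover)
    return names


def access_check(granted, required):
    """The test access_check_samr_function() applies: every required bit must be
    present in the granted mask.  The two values do not have to be equal."""
    return (granted & required) == required


def parse_access_checks(log_text):
    """All SAMR access checks in the log, with pass/fail and any missing bits."""
    checks = []
    for m in ACCESS_CHECK_RE.finditer(log_text):
        granted, required = int(m["granted"], 16), int(m["required"], 16)
        checks.append({"function": m["func"], "granted": granted, "required": required,
                       "passed": access_check(granted, required),
                       "missing": decode_mask(required & ~granted)})
    return checks


def diagnose(log_text):
    """Classify a SAMR Add/DeleteGroupMember outcome.  The order mirrors my
    reading of pdb_default_add_groupmem()/pdb_default_del_groupmem() in
    Samba 3.2 groupdb/mapping.c: access check, NSS membership pre-check,
    the configured script, then an NSS re-check that must agree."""
    if any(not c["passed"] for c in parse_access_checks(log_text)):
        return "access-check"          # the ACL on the group handle denied the call
    m = RESULT_RE.search(log_text)
    status = m["status"] if m else None
    script = SCRIPT_RE.search(log_text)
    if status == "NT_STATUS_OK":
        return "ok"
    if script and int(script["rc"]) != 0:
        return "script"                # the add/delete script itself failed
    if script and status == "NT_STATUS_ACCESS_DENIED":
        return "nss-recheck"           # script exited 0, NSS still disagrees with LDAP
    if status in ("NT_STATUS_MEMBER_NOT_IN_GROUP", "NT_STATUS_MEMBER_IN_GROUP"):
        return "nss-precheck"          # NSS membership view was wrong before any script ran
    return "unknown:%s" % status


if __name__ == "__main__":
    for label, log in (("addmem", ADD_LOG), ("delmem", DEL_LOG)):
        for c in parse_access_checks(log):
            print("%s %s granted=%s required=%s passed=%s" % (
                label, c["function"], decode_mask(c["granted"]),
                decode_mask(c["required"]), c["passed"]))
        print(label, "->", diagnose(log))
```

On the posted log both checks pass (0x0f001f covers both 0x04 and 0x08), so the denial is not an ACL problem on the group handle. The add case classifies as nss-recheck and the delete case as nss-precheck: in both the NSS membership lookup disagrees with what is in LDAP, which is consistent with the thread's eventual finding that swapping the nss_ldap library made the error go away.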


Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-26 Thread Duncan Brannen

I haven't tried that script, as I was trying to add an existing user to a
current group, so Samba calls

/usr/local/sbin/smbldap-groupmod -m dunk room11

The script does work and adds the user to the group in LDAP, and the Samba
logs show the script returning 0, but the ACCESS_DENIED message still
occurs, so I was wondering if something else should be happening and it's
broken in a way that I've not noticed yet.

net rpc rights list accounts ... returned

CROOMTEST\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

but bin/net rpc rights list root .. returns nothing, so I explicitly added
the rights to root as well but still get the same error.

If I use useradd -G 

Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-25 Thread John H Terpstra
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
> Hi All,
>    I'm trying to add a user to a group using
> 
> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
> 
> The user is added to the group as far as I can tell but the command
> returns NT_STATUS_ACCESS_DENIED
> 
> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
> configured to lookup users and groups in LDAP.
> 
> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
> CROOMTEST\dunk
> 
> Trying to remove the user from the group returns
> NT_STATUS_MEMBER_NOT_IN_GROUP and the user
> is not removed from the group in LDAP (running smbldap-groupmod manually
> removes the user from LDAP)
> 
> In smb.conf, I have
> add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u
> %g
> 
> With log level set to 10 I see the following for the add that may or may
> not be relevant.
> 
> Should the access check granted and required values be equal?
> 
> [2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>   api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
> [2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>   api_rpc_cmds[22].fn == 200be4
>   samr_AddGroupMember: struct samr_AddGroupMember
>   in: struct samr_AddGroupMember
>   group_handle : *
>   group_handle: struct policy_handle
>   handle_type  : 0x (0)
>   uuid :
> 0500---b248-b49e9051
>   rid  : 0x0bb8 (3000)
>   flags: 0x0005 (5)
> [2008/08/25 12:59:48,  4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>   Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48
> B4 9E   .H..
>   [010] 90 51 00 00   .Q..
> [2008/08/25 12:59:48,  5]
> rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>   _samr_AddGroupMember: access check ((granted: 0f001f;  required:
> 04)
> [2008/08/25 12:59:48, 10]
> rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>   sid is S-1-5-21-440367617-1876916578-3462541782-3003
> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>   get_domain_group_from_sid
> 
> ...
> 
> [2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
>   smb_add_user_group: Running the command
> `/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0
> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>   sys_getgrouplist: user [dunk]
> [2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> ...
> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>   LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>   samr_AddGroupMember: struct samr_AddGroupMember
>   out: struct samr_AddGroupMember
>   result   : NT_STATUS_ACCESS_DENIED
> 
> For delmem I again get the same access check granted value
>   _samr_DeleteGroupMember: access check ((granted: 0f001f;
> required: 08)
> then
>   Get_Pwnam_internals did find user [dunk]!
> [2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>   LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>   samr_DeleteGroupMember: struct samr_DeleteGroupMember
>   out: struct samr_DeleteGroupMember
>   result   : NT_STATUS_MEMBER_NOT_IN_GROUP
> 
> 
> Any thoughts or pointers as to where I should be looking?

Have you tried to execute this script manually?

Example:
smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP 
directory.  Did you execute the following?:
smbpasswd -w LDAP_Secret_Password

also, check that the user you are using to do this, and/or the group that user 
belongs to,  has the rights and privileges needed to do this:
net rpc rights list accounts -Uroot%password

- John T.
-- 
John H Terpstra

Don't do as I do; Show me better! - Anonymous.
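
John's suggestion above to check the rights of the calling account, and Duncan's reply (in the 2008-08-26 message above) that `net rpc rights list accounts` shows the privileges on CROOMTEST\Domain Admins while listing root alone returns nothing, both come down to how Samba resolves privileges. The script below is an added example written for this page (editor's code, not Samba's and not from the thread). It parses the output format as pasted in the thread, an account line followed by one privilege per line, and unions the privileges of every name in the connecting user's token, which is how Samba builds a token's privilege set: privileges are looked up for each SID in the token, not only the user's own SID (names stand in for SIDs here to keep the example readable). The sample output is constructed from Duncan's paste; the "No privileges assigned" marker, the BUILTIN\Print Operators block and root's group membership are assumptions for the example. The function name can_run_group_scripts is mine; it encodes the fact that _samr_AddGroupMember and _samr_DeleteGroupMember switch to root around the add/delete script only when the token carries SeAddUsersPrivilege.

```python
"""Work out which privileges a Samba account really carries from the output
of `net rpc rights list accounts`.  Added example, not Samba code; the
sample output is constructed, see the lead-in."""

# Constructed sample in the format the thread pasted: an account line, then one
# privilege per line, blocks separated by a blank line.  "No privileges assigned"
# is assumed to be the marker for an empty block.
RIGHTS_OUTPUT = """\
BUILTIN\\Print Operators
No privileges assigned

CROOMTEST\\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
"""


def parse_rights_list(text):
    """Map 'DOMAIN\\name' -> set of privilege names directly assigned to it."""
    rights, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "\\" in line:                       # account lines look like DOMAIN\name
            current = line
            rights.setdefault(current, set())
        elif current is not None and line.startswith("Se"):
            rights[current].add(line)          # a privilege belonging to the current account
        # anything else ("No privileges assigned") leaves the block empty
    return rights


def effective_privileges(rights, token_names):
    """Samba builds a token's privilege set from every SID in the token, so an
    account inherits whatever is assigned to the groups it belongs to."""
    privs = set()
    for name in token_names:
        privs |= rights.get(name, set())
    return privs


def can_run_group_scripts(rights, token_names):
    """_samr_AddGroupMember/_samr_DeleteGroupMember become root around the
    add/delete script only when the token holds SeAddUsersPrivilege."""
    return "SeAddUsersPrivilege" in effective_privileges(rights, token_names)


if __name__ == "__main__":
    rights = parse_rights_list(RIGHTS_OUTPUT)
    # Assumed token memberships for the example: root alone, and root as a
    # member of Domain Admins.
    for token in (["CROOMTEST\\root"], ["CROOMTEST\\root", "CROOMTEST\\Domain Admins"]):
        print(token, sorted(effective_privileges(rights, token)),
              "can run group scripts:", can_run_group_scripts(rights, token))
```

`net rpc rights list root` returning nothing only says that nothing is assigned to root's own SID; if root is a member of Domain Admins (the thread does not show either way), the token already carries SeAddUsersPrivilege through the group, and granting it to root directly adds nothing. That is one reason the explicit grant Duncan tried could not change the result on its own.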