[Samba] Using NetWkstaGetInfo / NetWkstaUserEnum with samba server

Ian Puleston ipuleston at SonicWALL.com
Fri Jul 17 15:04:19 MDT 2009


Hi,

I'm trying to get a Linux machine set up so that it will respond to
NetWkstaGetInfo and/or NetWkstaUserEnum NetAPI requests from a Windows
machine. I have samba configured and working to authenticate in the
Windows domain with smb, nmb and winbind daemons running, and can browse
shares on that machine from a Window PC, authenticating as either the
domain administrator or a domain user.

So I'm now trying to run a program on a Windows server that sends the
above NetAPI requests to Samba on the Linux machine, being logged in to
that Windows server as the domain administrator. NetWkstaGetInfo has 3
levels (100 to 102) with 100 requiring only guest access. Level 100
works OK, but levels 101/102 return error 124 (invalid level).
NetWkstaUserEnum returns error 1745 (RPC_S_PROCNUM_OUT_OF_RANGE).

I have samba logging turned on with log level set to 3, and it logs
successfully authenticating the domain administrator
(sd80\administrator) and receiving the NetWksta... command in both cases
(see below), so any idea why it may be returning these errors? On
authenticating the user I do see "get_privileges: No privileges assigned
to SID" logged - could this be the reason, the account does not have the
privilege to run these commands on the Linux machine? If so is there a
way to give the account that privilege?

Here is the samba log of an attempt to run NetWkstaUserEnum:

[2009/07/17 13:57:31,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user
[SD80]\[Administrator]@[IANSERVER] with the new password interface
[2009/07/17 13:57:31,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is:
[SD80]\[Administrator]@[IANSERVER]
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/17 13:57:31,  3] smbd/uid.c:push_conn_ctx(407)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: winbind authentication for user [Administrator]
succeeded
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/17 13:57:31,  3] smbd/uid.c:push_conn_ctx(407)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [Administrator] ->
[Administrator] -> [SD80+administrator] succeeded
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/17 13:57:31,  3] smbd/uid.c:push_conn_ctx(407)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-4023909512-3739307249-2032274589-500]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-4023909512-3739307249-2032274589-513]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-4023909512-3739307249-2032274589-520]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-4023909512-3739307249-2032274589-519]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-4023909512-3739307249-2032274589-518]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-4023909512-3739307249-2032274589-512]
[2009/07/17 13:57:31,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-545]
[2009/07/17 13:57:31,  3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  NTLMSSP Sign/Seal - Initialising with flags:
[2009/07/17 13:57:31,  3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa2088205
[2009/07/17 13:57:31,  3] smbd/password.c:register_existing_vuid(320)
  register_existing_vuid: User name: SD80+administrator	Real name: 
[2009/07/17 13:57:31,  3] smbd/password.c:register_existing_vuid(332)
  register_existing_vuid: UNIX uid 601 is UNIX user SD80+administrator,
and will be vuid 100
[2009/07/17 13:57:31,  3] smbd/password.c:register_existing_vuid(353)
  Adding homes service for user 'SD80+administrator' using home
directory: '/home/SD80/administrator'
[2009/07/17 13:57:31,  3] param/loadparm.c:lp_add_home(5856)
  adding home's share [administrator] for user 'SD80+administrator' at
'/home/SD80/administrator'
[2009/07/17 13:57:31,  3] smbd/process.c:process_smb(1550)
  Transaction 3 of length 98 (0 toread)
[2009/07/17 13:57:31,  3] smbd/process.c:switch_message(1361)
  switch message SMBtconX (pid 4387) conn 0x0
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/service.c:make_connection_snum(940)
  Connect path is '/tmp' for service [IPC$]
[2009/07/17 13:57:31,  3] lib/util_seaccess.c:se_access_check(249)
[2009/07/17 13:57:31,  3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
  se_access_check: also S-1-5-32-545
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-22-1-601
  se_access_check: also S-1-22-2-604
  se_access_check: also S-1-22-2-607
  se_access_check: also S-1-22-2-608
  se_access_check: also S-1-22-2-609
  se_access_check: also S-1-22-2-610
  se_access_check: also S-1-22-2-603
  se_access_check: also S-1-22-2-602
[2009/07/17 13:57:31,  3] smbd/vfs.c:vfs_init_default(96)
  Initialising default vfs hooks
[2009/07/17 13:57:31,  3] smbd/vfs.c:vfs_init_custom(130)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2009/07/17 13:57:31,  3] lib/util_seaccess.c:se_access_check(249)
[2009/07/17 13:57:31,  3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is
S-1-5-21-4023909512-3739307249-2032274589-500
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518
  se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512
  se_access_check: also S-1-5-32-545
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-22-1-601
  se_access_check: also S-1-22-2-604
  se_access_check: also S-1-22-2-607
  se_access_check: also S-1-22-2-608
  se_access_check: also S-1-22-2-609
  se_access_check: also S-1-22-2-610
  se_access_check: also S-1-22-2-603
  se_access_check: also S-1-22-2-602
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (601, 604) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/service.c:make_connection_snum(1194)
  ianserver (::ffff:192.168.168.3) connect to service IPC$ initially as
user SD80+administrator (uid=601, gid=604) (pid 4387)
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/reply.c:reply_tcon_and_X(766)
  tconX service=IPC$ 
[2009/07/17 13:57:31,  3] smbd/process.c:process_smb(1550)
  Transaction 4 of length 104 (0 toread)
[2009/07/17 13:57:31,  3] smbd/process.c:switch_message(1361)
  switch message SMBntcreateX (pid 4387) conn 0x242f690
[2009/07/17 13:57:31,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (601, 604) - sec_ctx_stack_ndx = 0
[2009/07/17 13:57:31,  3] smbd/nttrans.c:nt_open_pipe(320)
  nt_open_pipe: Known pipe wkssvc opening.
[2009/07/17 13:57:31,  3] smbd/process.c:process_smb(1550)
  Transaction 5 of length 184 (0 toread)
[2009/07/17 13:57:31,  3] smbd/process.c:switch_message(1361)
  switch message SMBwriteX (pid 4387) conn 0x242f690
[2009/07/17 13:57:31,  3] rpc_server/srv_pipe.c:api_pipe_bind_req(1564)
  api_pipe_bind_req: \PIPE\wkssvc -> \PIPE\wkssvc
[2009/07/17 13:57:31,  3] rpc_server/srv_pipe.c:check_bind_req(991)
  check_bind_req for \PIPE\wkssvc
[2009/07/17 13:57:31,  3] smbd/pipes.c:reply_pipe_write_and_X(251)
  writeX-IPC pnum=7498 nwritten=116
[2009/07/17 13:57:31,  3] smbd/process.c:process_smb(1550)
  Transaction 6 of length 63 (0 toread)
[2009/07/17 13:57:31,  3] smbd/process.c:switch_message(1361)
  switch message SMBreadX (pid 4387) conn 0x242f690
[2009/07/17 13:57:31,  3] smbd/pipes.c:reply_pipe_read_and_X(301)
  readX-IPC pnum=7498 min=1024 max=1024 nread=68
[2009/07/17 13:57:31,  3] smbd/process.c:process_smb(1550)
  Transaction 7 of length 196 (0 toread)
[2009/07/17 13:57:31,  3] smbd/process.c:switch_message(1361)
  switch message SMBtrans (pid 4387) conn 0x242f690
[2009/07/17 13:57:31,  3] smbd/ipc.c:handle_trans(436)
  trans <\PIPE\> data=108 params=0 setup=2
[2009/07/17 13:57:31,  3] smbd/ipc.c:named_pipe(387)
  named pipe command on <> name
[2009/07/17 13:57:31,  3] smbd/ipc.c:api_fd_reply(345)
  Got API command 0x26 on pipe "wkssvc" (pnum 7498)
[2009/07/17 13:57:31,  3]
rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 118
[2009/07/17 13:57:31,  3] rpc_server/srv_pipe.c:api_rpcTNP(2308)
  api_rpcTNP: rpc command: WKSSVC_NETWKSTAENUMUSERS
[2009/07/17 13:57:31,  3]
rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 0
[2009/07/17 13:57:31,  3] smbd/process.c:process_smb(1550)
  Transaction 8 of length 45 (0 toread)
[2009/07/17 13:57:31,  3] smbd/process.c:switch_message(1361)
  switch message SMBclose (pid 4387) conn 0x242f690


More information about the samba mailing list