[Samba] mod_auth_ntlm_winbind SSO
Patrick Jezek
patrick at jezek.ch
Wed Nov 6 03:54:09 MST 2013
Hello
We are trying to implement SSO with mod_auth_ntlm_winbind.
We followed the instructions on [1], but have the issue that users can
not authenticate with web browsers.
In addition to that document we did the following extra steps:
- chown root:winbind /var/lib/samba/winbindd_privileged/
- apache user (vagrant) is in group winbind
- net setauthuser -U vagrant
- smb.conf has: winbind use default domain = yes
The setup we have is the following:
Windows Server 2008R2 as DC
Client1: Windows 7 with IE9
Client2: OSX with Chrome and Safari
Apache runs on OpenSuse 12.1, Samba Version
3.6.3-34.20.1-2989-SUSE-SL12.1-x86_64
The setup on the Linux box can authenticate with the command line tools:
- kinit USERNAME gives exit status 0 (success full)
- /usr/bin/ntlm_auth --username=USERNAME --password=PASSWORD gives:
NT_STATUS_OK: Success (0x0)
- net ads testjoin gives: "Join is OK"
What happens:
- OSX client hits a page which has required to authenticate and gets a
401 then we see a second request containing a Auth header
(Authorization: NTLM +45 characters string). But then the browser does
not stop loading.
- Windows client also does not stop loading.
I attached the relevant logs with debug level10 when requesting with
Chrome as the browser.
We assume it has something to do with the apache module as everything on
the host works as intended.
Any hints where to look for solving this issue?
When we compare this log with the log using ntlm_auth we don't see the
entered username inside the log, just the apache user! Why is that?
Greetings from Switzerland
[1] http://adldap.sourceforge.net/wiki/doku.php?id=seamless_authentication
--
Patrick Jezek | Leimeneggstrasse 25 | 8400 Winterthur
VoIP +41 52 508 24 34 | Mobile +41 79 270 22 68
http://cms.jezek.ch/blog | patrick at jezek.ch | GPG 0x883AF385
Hilf Frank im Ozean zu überleben: http://daddelbox.com/2/ftf
Mach einige Fliegen glücklich: http://daddelbox.com/2/hf
-------------- next part --------------
==> /var/log/apache2/access_log <==
172.16.11.1 - - [06/Nov/2013:11:37:18 +0100] "GET /status/auth.php HTTP/1.1" 401 1285 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 (KHTML, like Gecko) Version/7.0 Safari/537.71"
==> /var/log/samba/log.winbindd <==
[2013/11/06 11:37:18.891565, 6] winbindd/winbindd.c:794(new_connection)
accepted socket 33
[2013/11/06 11:37:18.891855, 10] winbindd/winbindd.c:644(process_request)
process_request: request fn INTERFACE_VERSION
[2013/11/06 11:37:18.891958, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 6412]: request interface version
[2013/11/06 11:37:18.891995, 10] winbindd/winbindd.c:740(winbind_client_response_written)
winbind_client_response_written[6412:INTERFACE_VERSION]: delivered response to client
[2013/11/06 11:37:18.892193, 10] winbindd/winbindd.c:644(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2013/11/06 11:37:18.892222, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 6412]: request location of privileged pipe
[2013/11/06 11:37:18.892260, 10] winbindd/winbindd.c:740(winbind_client_response_written)
winbind_client_response_written[6412:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2013/11/06 11:37:18.892458, 6] winbindd/winbindd.c:794(new_connection)
accepted socket 42
[2013/11/06 11:37:18.892635, 6] winbindd/winbindd.c:842(winbind_client_request_read)
closing socket 33, client exited
[2013/11/06 11:37:18.892823, 10] winbindd/winbindd.c:644(process_request)
process_request: request fn DOMAIN_NAME
[2013/11/06 11:37:18.892852, 3] winbindd/winbindd_misc.c:394(winbindd_domain_name)
[ 6412]: request domain name
[2013/11/06 11:37:18.892883, 10] winbindd/winbindd.c:740(winbind_client_response_written)
winbind_client_response_written[6412:DOMAIN_NAME]: delivered response to client
[2013/11/06 11:37:19.015719, 6] winbindd/winbindd.c:794(new_connection)
accepted socket 33
[2013/11/06 11:37:19.015995, 10] winbindd/winbindd.c:644(process_request)
process_request: request fn INTERFACE_VERSION
[2013/11/06 11:37:19.016105, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 6413]: request interface version
[2013/11/06 11:37:19.016151, 10] winbindd/winbindd.c:740(winbind_client_response_written)
winbind_client_response_written[6413:INTERFACE_VERSION]: delivered response to client
[2013/11/06 11:37:19.016365, 10] winbindd/winbindd.c:644(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2013/11/06 11:37:19.016394, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 6413]: request location of privileged pipe
[2013/11/06 11:37:19.016432, 10] winbindd/winbindd.c:740(winbind_client_response_written)
winbind_client_response_written[6413:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2013/11/06 11:37:19.016612, 6] winbindd/winbindd.c:794(new_connection)
accepted socket 43
[2013/11/06 11:37:19.016793, 6] winbindd/winbindd.c:842(winbind_client_request_read)
closing socket 33, client exited
[2013/11/06 11:37:19.016975, 10] winbindd/winbindd.c:617(process_request)
process_request: Handling async request 6413:GETGROUPS
[2013/11/06 11:37:19.017004, 3] winbindd/winbindd_getgroups.c:61(winbindd_getgroups_send)
getgroups vagrant
[2013/11/06 11:37:19.017034, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'MIT'
name : *
name : 'VAGRANT'
flags : 0x00000008 (8)
[2013/11/06 11:37:19.017134, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid : S-1-5-21-1815787376-3445863923-1037607321-1131
result : NT_STATUS_OK
[2013/11/06 11:37:19.017226, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
in: struct wbint_LookupUserGroups
sid : *
sid : S-1-5-21-1815787376-3445863923-1037607321-1131
[2013/11/06 11:37:19.017288, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
out: struct wbint_LookupUserGroups
sids : *
sids: struct wbint_SidArray
num_sids : 0x00000001 (1)
sids: ARRAY(1)
sids : S-1-5-21-1815787376-3445863923-1037607321-513
result : NT_STATUS_OK
[2013/11/06 11:37:19.017379, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
in: struct wbint_LookupUserAliases
sids : *
sids: struct wbint_SidArray
num_sids : 0x00000002 (2)
sids: ARRAY(2)
sids : S-1-5-21-1815787376-3445863923-1037607321-1131
sids : S-1-5-21-1815787376-3445863923-1037607321-513
==> /var/log/samba/log.wb-COM <==
[2013/11/06 11:37:19.018268, 10] winbindd/winbindd_dual.c:70(child_read_request)
Need to read 64 extra bytes
[2013/11/06 11:37:19.018311, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
child daemon request 59
[2013/11/06 11:37:19.018340, 10] winbindd/winbindd_dual.c:439(child_process_request)
child_process_request: request fn NDRCMD
[2013/11/06 11:37:19.018367, 10] winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd)
winbindd_dual_ndrcmd: Running command WBINT_LOOKUPUSERALIASES (COM)
[2013/11/06 11:37:19.018397, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
in: struct wbint_LookupUserAliases
sids : *
sids: struct wbint_SidArray
num_sids : 0x00000002 (2)
sids: ARRAY(2)
sids : S-1-5-21-1815787376-3445863923-1037607321-1131
sids : S-1-5-21-1815787376-3445863923-1037607321-513
[2013/11/06 11:37:19.018502, 10] winbindd/winbindd_cache.c:2571(lookup_useraliases)
lookup_usergroups: [Cached] - doing backend query for info for domain COM
[2013/11/06 11:37:19.018532, 3] winbindd/winbindd_samr.c:1004(sam_lookup_useraliases)
sam_lookup_useraliases
[2013/11/06 11:37:19.018565, 5] rpc_server/rpc_ncacn_np.c:883(rpc_pipe_open_interface)
Connecting to samr pipe.
[2013/11/06 11:37:19.018595, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p)
Create pipe requested \samr
[2013/11/06 11:37:19.018630, 10] rpc_server/rpc_handles.c:116(init_pipe_handles)
init_pipe_handle_list: created handle list for pipe \samr
[2013/11/06 11:37:19.018656, 10] rpc_server/rpc_handles.c:133(init_pipe_handles)
init_pipe_handle_list: pipe_handles ref count = 1 for pipe \samr
[2013/11/06 11:37:19.018682, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p)
Created internal pipe \samr (pipes_open=0)
[2013/11/06 11:37:19.018714, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : NULL
access_mask : 0x02000000 (33554432)
0: SAMR_ACCESS_CONNECT_TO_SERVER
0: SAMR_ACCESS_SHUTDOWN_SERVER
0: SAMR_ACCESS_INITIALIZE_SERVER
0: SAMR_ACCESS_CREATE_DOMAIN
0: SAMR_ACCESS_ENUM_DOMAINS
0: SAMR_ACCESS_LOOKUP_DOMAIN
[2013/11/06 11:37:19.018811, 5] rpc_server/samr/srv_samr_nt.c:3932(_samr_Connect2)
_samr_Connect2: 3932
[2013/11/06 11:37:19.018834, 10] ../libcli/security/access_check.c:58(se_map_generic)
se_map_generic(): mapped mask 0xb0000000 to 0x000f003f
[2013/11/06 11:37:19.018855, 4] rpc_server/srv_access_check.c:83(access_check_object)
_samr_Connect2: ACCESS should be DENIED (requested: 0x000f003f)
but overritten by euid == sec_initial_uid()
[2013/11/06 11:37:19.018881, 4] rpc_server/srv_access_check.c:104(access_check_object)
_samr_Connect2: access GRANTED (requested: 0x000f003f, granted: 0x000f003f)
[2013/11/06 11:37:19.018901, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal)
Opened policy hnd[1] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CB 18 00 00 ....
[2013/11/06 11:37:19.018941, 5] rpc_server/samr/srv_samr_nt.c:3961(_samr_Connect2)
_samr_Connect2: 3961
[2013/11/06 11:37:19.018960, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Connect2: struct samr_Connect2
out: struct samr_Connect2
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000017-0000-0000-7a52-df1bcb180000
result : NT_STATUS_OK
[2013/11/06 11:37:19.019043, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000017-0000-0000-7a52-df1bcb180000
access_mask : 0x02000000 (33554432)
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
0: SAMR_DOMAIN_ACCESS_SET_INFO_1
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
0: SAMR_DOMAIN_ACCESS_SET_INFO_2
0: SAMR_DOMAIN_ACCESS_CREATE_USER
0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
0: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
0: SAMR_DOMAIN_ACCESS_SET_INFO_3
sid : *
sid : S-1-5-21-2078274325-3117624592-1570252607
[2013/11/06 11:37:19.019225, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CB 18 00 00 ....
[2013/11/06 11:37:19.019265, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
found handle of type struct samr_connect_info
[2013/11/06 11:37:19.019285, 10] ../libcli/security/access_check.c:58(se_map_generic)
se_map_generic(): mapped mask 0xb0000000 to 0x000f07ff
[2013/11/06 11:37:19.019309, 4] rpc_server/srv_access_check.c:83(access_check_object)
_samr_OpenDomain: ACCESS should be DENIED (requested: 0x000f07ff)
but overritten by euid == sec_initial_uid()
[2013/11/06 11:37:19.019335, 4] rpc_server/srv_access_check.c:104(access_check_object)
_samr_OpenDomain: access GRANTED (requested: 0x000f07ff, granted: 0x000f07ff)
[2013/11/06 11:37:19.019355, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal)
Opened policy hnd[2] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CB 18 00 00 ....
[2013/11/06 11:37:19.019394, 5] rpc_server/samr/srv_samr_nt.c:500(_samr_OpenDomain)
_samr_OpenDomain: 500
[2013/11/06 11:37:19.019413, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000018-0000-0000-7a52-df1bcb180000
result : NT_STATUS_OK
[2013/11/06 11:37:19.019489, 10] winbindd/winbindd_rpc.c:644(rpc_lookup_useraliases)
rpc: lookup_useraliases: entering query 1 for 2 sids
[2013/11/06 11:37:19.019518, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_GetAliasMembership: struct samr_GetAliasMembership
in: struct samr_GetAliasMembership
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000018-0000-0000-7a52-df1bcb180000
sids : *
sids: struct lsa_SidArray
num_sids : 0x00000002 (2)
sids : *
sids: ARRAY(2)
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1815787376-3445863923-1037607321-1131
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1815787376-3445863923-1037607321-513
[2013/11/06 11:37:19.019679, 5] rpc_server/samr/srv_samr_nt.c:5286(_samr_GetAliasMembership)
_samr_GetAliasMembership: 5286
[2013/11/06 11:37:19.019698, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CB 18 00 00 ....
[2013/11/06 11:37:19.019736, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
found handle of type struct samr_domain_info
[2013/11/06 11:37:19.019769, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_GetAliasMembership: struct samr_GetAliasMembership
out: struct samr_GetAliasMembership
rids : *
rids: struct samr_Ids
count : 0x00000000 (0)
ids : *
ids: ARRAY(0)
result : NT_STATUS_OK
[2013/11/06 11:37:19.019853, 10] winbindd/winbindd_rpc.c:695(rpc_lookup_useraliases)
rpc: rpc_lookup_useraliases: got 0 aliases in 2 queries (rangesize: 1024)
[2013/11/06 11:37:19.019879, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000018-0000-0000-7a52-df1bcb180000
[2013/11/06 11:37:19.019947, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CB 18 00 00 ....
[2013/11/06 11:37:19.019986, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
Closed policy
[2013/11/06 11:37:19.020005, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
[2013/11/06 11:37:19.020080, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe)
close_policy_by_pipe: deleted handle list for pipe \samr
[2013/11/06 11:37:19.020104, 10] winbindd/winbindd_cache.c:540(refresh_sequence_number)
refresh_sequence_number: COM time ok
[2013/11/06 11:37:19.020124, 10] winbindd/winbindd_cache.c:585(refresh_sequence_number)
refresh_sequence_number: COM seq number is now 1383733970
[2013/11/06 11:37:19.020158, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
out: struct wbint_LookupUserAliases
rids : *
rids: struct wbint_RidArray
num_rids : 0x00000000 (0)
rids: ARRAY(0)
result : NT_STATUS_OK
[2013/11/06 11:37:19.020231, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
Finished processing child request 59
[2013/11/06 11:37:19.020250, 10] winbindd/winbindd_dual.c:1573(fork_domain_child)
Writing 3508 bytes to parent
==> /var/log/samba/log.winbindd <==
[2013/11/06 11:37:19.021309, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
out: struct wbint_LookupUserAliases
rids : *
rids: struct wbint_RidArray
num_rids : 0x00000000 (0)
rids: ARRAY(0)
result : NT_STATUS_OK
[2013/11/06 11:37:19.022478, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
in: struct wbint_LookupUserAliases
sids : *
sids: struct wbint_SidArray
num_sids : 0x00000002 (2)
sids: ARRAY(2)
sids : S-1-5-21-1815787376-3445863923-1037607321-1131
sids : S-1-5-21-1815787376-3445863923-1037607321-513
==> /var/log/samba/log.wb-BUILTIN <==
[2013/11/06 11:37:19.023799, 10] winbindd/winbindd_dual.c:70(child_read_request)
Need to read 64 extra bytes
[2013/11/06 11:37:19.023843, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
child daemon request 59
[2013/11/06 11:37:19.023866, 10] winbindd/winbindd_dual.c:439(child_process_request)
child_process_request: request fn NDRCMD
[2013/11/06 11:37:19.023889, 10] winbindd/winbindd_dual_ndr.c:315(winbindd_dual_ndrcmd)
winbindd_dual_ndrcmd: Running command WBINT_LOOKUPUSERALIASES (BUILTIN)
[2013/11/06 11:37:19.023915, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
in: struct wbint_LookupUserAliases
sids : *
sids: struct wbint_SidArray
num_sids : 0x00000002 (2)
sids: ARRAY(2)
sids : S-1-5-21-1815787376-3445863923-1037607321-1131
sids : S-1-5-21-1815787376-3445863923-1037607321-513
[2013/11/06 11:37:19.024025, 10] winbindd/winbindd_cache.c:2571(lookup_useraliases)
lookup_usergroups: [Cached] - doing backend query for info for domain BUILTIN
[2013/11/06 11:37:19.024052, 3] winbindd/winbindd_samr.c:1004(sam_lookup_useraliases)
sam_lookup_useraliases
[2013/11/06 11:37:19.024079, 5] rpc_server/rpc_ncacn_np.c:883(rpc_pipe_open_interface)
Connecting to samr pipe.
[2013/11/06 11:37:19.024106, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p)
Create pipe requested \samr
[2013/11/06 11:37:19.024130, 10] rpc_server/rpc_handles.c:116(init_pipe_handles)
init_pipe_handle_list: created handle list for pipe \samr
[2013/11/06 11:37:19.024153, 10] rpc_server/rpc_handles.c:133(init_pipe_handles)
init_pipe_handle_list: pipe_handles ref count = 1 for pipe \samr
[2013/11/06 11:37:19.024177, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p)
Created internal pipe \samr (pipes_open=0)
[2013/11/06 11:37:19.024207, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Connect2: struct samr_Connect2
in: struct samr_Connect2
system_name : NULL
access_mask : 0x02000000 (33554432)
0: SAMR_ACCESS_CONNECT_TO_SERVER
0: SAMR_ACCESS_SHUTDOWN_SERVER
0: SAMR_ACCESS_INITIALIZE_SERVER
0: SAMR_ACCESS_CREATE_DOMAIN
0: SAMR_ACCESS_ENUM_DOMAINS
0: SAMR_ACCESS_LOOKUP_DOMAIN
[2013/11/06 11:37:19.024316, 5] rpc_server/samr/srv_samr_nt.c:3932(_samr_Connect2)
_samr_Connect2: 3932
[2013/11/06 11:37:19.024339, 10] ../libcli/security/access_check.c:58(se_map_generic)
se_map_generic(): mapped mask 0xb0000000 to 0x000f003f
[2013/11/06 11:37:19.024362, 4] rpc_server/srv_access_check.c:83(access_check_object)
_samr_Connect2: ACCESS should be DENIED (requested: 0x000f003f)
but overritten by euid == sec_initial_uid()
[2013/11/06 11:37:19.024392, 4] rpc_server/srv_access_check.c:104(access_check_object)
_samr_Connect2: access GRANTED (requested: 0x000f003f, granted: 0x000f003f)
[2013/11/06 11:37:19.024415, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal)
Opened policy hnd[1] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CC 18 00 00 ....
[2013/11/06 11:37:19.024457, 5] rpc_server/samr/srv_samr_nt.c:3961(_samr_Connect2)
_samr_Connect2: 3961
[2013/11/06 11:37:19.024479, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Connect2: struct samr_Connect2
out: struct samr_Connect2
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000017-0000-0000-7a52-df1bcc180000
result : NT_STATUS_OK
[2013/11/06 11:37:19.024569, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_OpenDomain: struct samr_OpenDomain
in: struct samr_OpenDomain
connect_handle : *
connect_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000017-0000-0000-7a52-df1bcc180000
access_mask : 0x02000000 (33554432)
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
0: SAMR_DOMAIN_ACCESS_SET_INFO_1
0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
0: SAMR_DOMAIN_ACCESS_SET_INFO_2
0: SAMR_DOMAIN_ACCESS_CREATE_USER
0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
0: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
0: SAMR_DOMAIN_ACCESS_SET_INFO_3
sid : *
sid : S-1-5-32
[2013/11/06 11:37:19.024777, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CC 18 00 00 ....
[2013/11/06 11:37:19.024819, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
found handle of type struct samr_connect_info
[2013/11/06 11:37:19.024841, 10] ../libcli/security/access_check.c:58(se_map_generic)
se_map_generic(): mapped mask 0xb0000000 to 0x000f07ff
[2013/11/06 11:37:19.024864, 4] rpc_server/srv_access_check.c:83(access_check_object)
_samr_OpenDomain: ACCESS should be DENIED (requested: 0x000f07ff)
but overritten by euid == sec_initial_uid()
[2013/11/06 11:37:19.024893, 4] rpc_server/srv_access_check.c:104(access_check_object)
_samr_OpenDomain: access GRANTED (requested: 0x000f07ff, granted: 0x000f07ff)
[2013/11/06 11:37:19.024915, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal)
Opened policy hnd[2] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CC 18 00 00 ....
[2013/11/06 11:37:19.024957, 5] rpc_server/samr/srv_samr_nt.c:500(_samr_OpenDomain)
_samr_OpenDomain: 500
[2013/11/06 11:37:19.024978, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_OpenDomain: struct samr_OpenDomain
out: struct samr_OpenDomain
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000018-0000-0000-7a52-df1bcc180000
result : NT_STATUS_OK
[2013/11/06 11:37:19.025063, 10] winbindd/winbindd_rpc.c:644(rpc_lookup_useraliases)
rpc: lookup_useraliases: entering query 1 for 2 sids
[2013/11/06 11:37:19.025094, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_GetAliasMembership: struct samr_GetAliasMembership
in: struct samr_GetAliasMembership
domain_handle : *
domain_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000018-0000-0000-7a52-df1bcc180000
sids : *
sids: struct lsa_SidArray
num_sids : 0x00000002 (2)
sids : *
sids: ARRAY(2)
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1815787376-3445863923-1037607321-1131
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1815787376-3445863923-1037607321-513
[2013/11/06 11:37:19.025273, 5] rpc_server/samr/srv_samr_nt.c:5286(_samr_GetAliasMembership)
_samr_GetAliasMembership: 5286
[2013/11/06 11:37:19.025295, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CC 18 00 00 ....
[2013/11/06 11:37:19.025365, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
found handle of type struct samr_domain_info
[2013/11/06 11:37:19.025401, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_GetAliasMembership: struct samr_GetAliasMembership
out: struct samr_GetAliasMembership
rids : *
rids: struct samr_Ids
count : 0x00000001 (1)
ids : *
ids: ARRAY(1)
ids : 0x00000221 (545)
result : NT_STATUS_OK
[2013/11/06 11:37:19.025508, 10] winbindd/winbindd_rpc.c:695(rpc_lookup_useraliases)
rpc: rpc_lookup_useraliases: got 1 aliases in 2 queries (rangesize: 1024)
[2013/11/06 11:37:19.025537, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Close: struct samr_Close
in: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000018-0000-0000-7a52-df1bcc180000
[2013/11/06 11:37:19.025609, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 7A 52 DF 1B ........ ....zR..
[0010] CC 18 00 00 ....
[2013/11/06 11:37:19.025651, 3] rpc_server/rpc_handles.c:281(close_policy_hnd)
Closed policy
[2013/11/06 11:37:19.025672, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
samr_Close: struct samr_Close
out: struct samr_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
[2013/11/06 11:37:19.025756, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe)
close_policy_by_pipe: deleted handle list for pipe \samr
[2013/11/06 11:37:19.025782, 10] winbindd/winbindd_cache.c:540(refresh_sequence_number)
refresh_sequence_number: BUILTIN time ok
[2013/11/06 11:37:19.025813, 10] winbindd/winbindd_cache.c:585(refresh_sequence_number)
refresh_sequence_number: BUILTIN seq number is now 1383733970
[2013/11/06 11:37:19.025841, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
out: struct wbint_LookupUserAliases
rids : *
rids: struct wbint_RidArray
num_rids : 0x00000001 (1)
rids: ARRAY(1)
rids : 0x00000221 (545)
result : NT_STATUS_OK
[2013/11/06 11:37:19.025841, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
Finished processing child request 59
[2013/11/06 11:37:19.025841, 10] winbindd/winbindd_dual.c:1573(fork_domain_child)
Writing 3512 bytes to parent
==> /var/log/samba/log.winbindd <==
[2013/11/06 11:37:19.026418, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserAliases: struct wbint_LookupUserAliases
out: struct wbint_LookupUserAliases
rids : *
rids: struct wbint_RidArray
num_rids : 0x00000001 (1)
rids: ARRAY(1)
rids : 0x00000221 (545)
result : NT_STATUS_OK
[2013/11/06 11:37:19.027959, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
idmap_cache_find_sid2gid found 10006
[2013/11/06 11:37:19.028266, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
idmap_cache_find_sid2gid found 10001
[2013/11/06 11:37:19.028544, 10] winbindd/winbindd.c:679(wb_request_done)
wb_request_done[6413:GETGROUPS]: NT_STATUS_OK
[2013/11/06 11:37:19.028947, 10] winbindd/winbindd.c:740(winbind_client_response_written)
winbind_client_response_written[6413:GETGROUPS]: delivered response to client
More information about the samba
mailing list