[Samba] Samba 3.0, ldapsam: joining the domain results in "Access Denied"
paul.simons at esca.com
Thu Aug 21 20:22:24 GMT 2003
athena:/home/paul# smbd -V
Version 3.0.0beta2-1 for Debian
paul at athena:~$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = SIMONET
server string = %h server (Samba %v)
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://ldap.thesimonet.org, tdbsam, guest
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
unix password sync = Yes
log level = 3 passdb:100 auth:10 winbind:2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
logon script = logon.cmd
logon path = \\%N\profiles\%u
logon drive = H:
logon home = \\%N\%u\winhome
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=thesimonet,dc=org
ldap machine suffix = ou=Systems,dc=thesimonet,dc=org
ldap user suffix = ou=People
ldap group suffix = dc=thesimonet,dc=org
ldap idmap suffix = dc=thesimonet,dc=org
ldap admin dn = "cn=sadmin,dc=thesimonet,dc=org"
ldap ssl = no
ldap passwd sync = Yes
ldap trust ids = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
invalid users = root
root preexec = /home/samba/netlogon/ntlogon --user=%U --os=%m
root postexec = rm /home/samba/netlogon/%U.bat
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
share modes = No
(A quick note: "ldap machine suffix = ou=Systems,dc=thesimonet,dc=org"
should just be "ldap machine suffix = ou=Systems", but "ldap suffix" is
not getting added when the machine is registered via "smbpasswd -a -m
bacuss". This results in a search for "uid=bacuss,ou=Systems" which the
ldap server tries to refer.)
(Another note: I am testing this with one server (athena) and one client
(bacuss). So I created the machine account by hand. So there are no
add/delete * scripts.)
# bacuss$, Systems, thesimonet.org
dn: uid=bacuss$,ou=Systems,dc=thesimonet,dc=org
uid: bacuss$
sambaSID: S-1-5-21-3722257784-14983886-1453651345-21010
sambaPrimaryGroupSID: S-1-5-21-3722257784-14983886-1453651345-513
sambaPwdCanChange: 1061225321
sambaPwdMustChange: 1063039721
sambaLMPassword: 437E466A847F7E44AAD3B435B51404EE
sambaNTPassword: D8DD573C9AB2DC4235BEE4A34F0B40C7
sambaPwdLastSet: 1061225321
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
The whole reason for this exercise is to establish a Single Sign On
environment. I have the Linux side working well using PAM/NSS_LDAP. It
seems that the relevant part of the log is as follows:
api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPEN_DOMAIN
[2003/08/20 22:29:32, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
Found policy hnd[0] [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44
3F ........ .....XD?
[010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(267)
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(268)
se_access_check: user sid is S-1-5-21-3722257784-14983886-1453651345-500
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-3001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-512
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-513
[2003/08/20 22:29:32, 2]
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
free_pipe_context: destroying talloc pool of size 732
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
Transaction 31 of length 140
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
trans <\PIPE\> data=52 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context:
destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
api_rpcTNP: samr op 0x6 - api_rpcTNP: rpc command: SAMR_ENUM_DOMAINS
[2003/08/20 22:29:32, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
Found policy hnd[0] [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44
3F ........ .....XD?
[010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
free_pipe_context: destroying talloc pool of size 1080
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
Transaction 32 of length 166
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
trans <\PIPE\> data=78 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context:
destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
api_rpcTNP: samr op 0x5 - api_rpcTNP: rpc command: SAMR_LOOKUP_DOMAIN
[2003/08/20 22:29:32, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
Found policy hnd[0] [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44
3F ........ .....XD?
[010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 2]
rpc_server/srv_samr_nt.c:_samr_lookup_domain(2513)
Returning domain sid for domain SIMONET ->
S-1-5-21-3722257784-14983886-1453651345
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
free_pipe_context: destroying talloc pool of size 14
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
Transaction 33 of length 164
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
trans <\PIPE\> data=76 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context:
destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPEN_DOMAIN
[2003/08/20 22:29:32, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
Found policy hnd[0] [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44
3F ........ .....XD?
[010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(267)
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(268)
se_access_check: user sid is S-1-5-21-3722257784-14983886-1453651345-500
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-3001
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-512
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-513
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(142)
Opened policy hnd[3] [000] 00 00 00 00 05 00 00 00 00 00 00 00 BC 58 44
3F ........ .....XD?
[010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
free_pipe_context: destroying talloc pool of size 732
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
Transaction 34 of length 176
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
trans <\PIPE\> data=88 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context:
destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
api_rpcTNP: samr op 0x32 - api_rpcTNP: rpc command: SAMR_CREATE_USER
[2003/08/20 22:29:32, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 BC 58 44
3F ........ .....XD?
[010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required:
0x00000010)
I have avoided using the root account because the Debian distro
discourages putting system accounts into LDAP because Debian tweaks them
on occasion (which brings up the whole issue of account maintenance when
not using files). I created an account:
# sadmin, People, thesimonet.org
dn: uid=sadmin,ou=People,dc=thesimonet,dc=org
mail: sadmin at thesimonet.org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 12281
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/false
uidNumber: 106
homeDirectory: /home/sadmin
sambaPrimaryGroupSID: S-1-5-21-3722257784-14983886-1453651345-132069
displayName: sadmin
sambaPwdCanChange: 1061095010
sambaPwdMustChange: 1062909410
sambaLMPassword: CD348F99AFB68E0F276E9808ECE6D2AD
sambaNTPassword: 5612B876FA7C7E54FF7AF621843F55CE
sambaPwdLastSet: 1061095010
sambaAcctFlags: [U ]
userPassword:: e1NNRDV9aXdoc05CU3Q3YzJMNmN1K0ZpWW12Y0gyTnkwPQ==
gidNumber: 0
uid: sadmin
cn: sadmin
sn: sadmin
sambaSID: S-1-5-21-3722257784-14983886-1453651345-1212
I also have used an account called paul (which exists on both the server
and the client) (sadmin only exists on the server). I have changed the
RID to 500 on each account during testing (currently it is with paul. The
log above was generated while using the paul account with a RID of 500.)
Could it be that the above error was generated because there is no add
machine script? And I'm back to that whole issue of LDAP account
maintenance.
After having read much, I am really confused about the account that can be
used to administer the domain.
Does it have to be "root"? Does it have to exist on both machines? If it
doesn't, do you have to map an administrator account on the client to
"root" on the server? I think this is all pre 3.0.
With 3.0, does a RID of 500 mean that account is the domain administrator?
Thank you for a truly phenomenal example of Open Source software.
--
Paul Simons
Bellevue, WA
ALSTOM's T&D Energy Automation & Information Business
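A small reader for the se_access_check and ACCESS DENIED lines quoted above, added here as an example that is not part of the original message or of Samba itself: it lists the well-known domain RIDs present in the token and decodes the SAMR domain-object access mask using the standard MS-SAMR DOMAIN_* bit names, so the granted-versus-required gap can be read off directly. The log excerpt it runs over is a constructed copy of the lines in the post.

```python
import re
# MS-SAMR access bits for the domain object: the masks _samr_open_domain and
# _samr_create_user report in the log above.
DOMAIN_RIGHTS = {
    0x001: "READ_PASSWORD_PARAMETERS", 0x002: "WRITE_PASSWORD_PARAMS",
    0x004: "READ_OTHER_PARAMETERS",    0x008: "WRITE_OTHER_PARAMETERS",
    0x010: "CREATE_USER",              0x020: "CREATE_GROUP",
    0x040: "CREATE_ALIAS",             0x080: "GET_ALIAS_MEMBERSHIP",
    0x100: "LIST_ACCOUNTS",            0x200: "LOOKUP",
    0x400: "ADMINISTER_SERVER",
}
# Well-known RIDs inside a domain SID (S-1-5-21-<domain>-<RID>).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
SID_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-1-[0-9-]+)")
DENIED_RE = re.compile(
    r"(\w+): ACCESS DENIED \((?:requested: 0x([0-9a-fA-F]+)"
    r"|granted: 0x([0-9a-fA-F]+); required:\s*0x([0-9a-fA-F]+))\)")

def decode_mask(mask):
    """Names of the DOMAIN_* bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]

def domain_rids(log_text):
    """Well-known domain RIDs in the token that se_access_check printed."""
    rids = {int(s.rsplit("-", 1)[1]) for s in SID_RE.findall(log_text)
            if s.startswith("S-1-5-21-")}
    return {rid: WELL_KNOWN_RIDS[rid] for rid in sorted(rids) if rid in WELL_KNOWN_RIDS}

def denials(log_text):
    """(function, granted, required, missing right names) per ACCESS DENIED line."""
    out = []
    for func, requested, granted, required in DENIED_RE.findall(log_text):
        # open_domain logs only what was asked for; create_user logs both masks.
        g = int(granted, 16) if granted else None
        r = int(requested or required, 16)
        out.append((func, g, r, decode_mask(r if g is None else r & ~g)))
    return out

# Constructed excerpt of the se_access_check / ACCESS DENIED lines quoted above.
SAMPLE_LOG = """\
se_access_check: user sid is S-1-5-21-3722257784-14983886-1453651345-500
se_access_check: also S-1-1-0
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-512
se_access_check: also S-1-5-21-3722257784-14983886-1453651345-513
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
"""
if __name__ == "__main__":
    print(domain_rids(SAMPLE_LOG), denials(SAMPLE_LOG))
```

On the posted log this shows the token carrying RID 500 plus Domain Admins (512) and Domain Users (513), while the only right missing from the create_user call is DOMAIN_CREATE_USER (0x10).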