[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

John H Terpstra jht at samba.org
Mon Aug 25 14:18:41 GMT 2008


On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
> Hi All,
>           I'm trying to add a user to a group using
>
> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>
> The user is added to the group as far as I can tell but the command
> returns NT_STATUS_ACCESS_DENIED
>
> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
> configured to lookup users and groups in LDAP.
>
> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
> CROOMTEST\dunk
>
> Trying to remove the user from the group returns
> NT_STATUS_MEMBER_NOT_IN_GROUP and the user
> is not removed from the group in LDAP (running smbldap-groupmod manually
> removes the user from LDAP)
>
> In smb.conf, I have
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>
> With log level set to 10 I see the following for the add that may or may
> not be relevant.
>
> Should the access check granted and required values be equal?
>
> [2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>   api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
> [2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>   api_rpc_cmds[22].fn == 200be4
>       samr_AddGroupMember: struct samr_AddGroupMember
>           in: struct samr_AddGroupMember
>               group_handle             : *
>                   group_handle: struct policy_handle
>                       handle_type              : 0x00000000 (0)
>                       uuid                     : 05000000-0000-0000-b248-b49e90510000
>               rid                      : 0x00000bb8 (3000)
>               flags                    : 0x00000005 (5)
> [2008/08/25 12:59:48,  4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>   Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48 B4 9E  ........ .....H..
>   [010] 90 51 00 00                                       .Q..
> [2008/08/25 12:59:48,  5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>   _samr_AddGroupMember: access check ((granted: 00000f001f;  required: 0000000004)
> [2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>   sid is S-1-5-21-440367617-1876916578-3462541782-3003
> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>   get_domain_group_from_sid
>
> ...
>
> [2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
>   smb_add_user_group: Running the command
> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>   sys_getgrouplist: user [dunk]
> [2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> ...
> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>   LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>       samr_AddGroupMember: struct samr_AddGroupMember
>           out: struct samr_AddGroupMember
>               result                   : NT_STATUS_ACCESS_DENIED
>
> For delmem I again get the same access check granted value
>   _samr_DeleteGroupMember: access check ((granted: 00000f001f;  required: 0000000008)
> then
>   Get_Pwnam_internals did find user [dunk]!
> [2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>   LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>       samr_DeleteGroupMember: struct samr_DeleteGroupMember
>           out: struct samr_DeleteGroupMember
>               result                   : NT_STATUS_MEMBER_NOT_IN_GROUP
>
>
> Any thoughts or pointers as to where I should be looking?

Have you tried to execute this script manually?

Example:
smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP 
directory.  Did you execute the following?:
smbpasswd -w LDAP_Secret_Password

Also, check that the user you are using to do this, and/or the group that user 
belongs to, has the rights and privileges needed to do this:
net rpc rights list accounts -Uroot%password

- John T.
-- 
John H Terpstra

"Don't do as I do; Show me better!" - Anonymous.
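The question raised in the quoted post, whether the "granted" and "required" values in the access-check log line have to be equal, can be answered by decoding the masks. The following shell script is an added example written for this page; it is not code from the thread and not part of Samba. It assumes the log line format shown above and the SAMR group-object access bits as defined in MS-SAMR (LOOKUP_INFO 0x01, SET_INFO 0x02, ADD_MEMBER 0x04, REMOVE_MEMBER 0x08, GET_MEMBERS 0x10); the two log lines it parses are the ones from the post, rejoined onto single lines, and the third line is constructed to show a handle that lacks the required right.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: decode the
# "access check ((granted: X;  required: Y)" lines that Samba logs at
# debug level 5 and report whether the call passed the mask check.
# The check passes when every required bit is also granted, that is
# (granted & required) == required; the two values do not need to be equal.

# SAMR group-object specific rights, as defined in MS-SAMR.
# The upper bits of a mask (0x000f0000) are the standard rights
# DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER and are not decoded here.
GROUP_LOOKUP_INFO=$((0x01))
GROUP_SET_INFO=$((0x02))
GROUP_ADD_MEMBER=$((0x04))
GROUP_REMOVE_MEMBER=$((0x08))
GROUP_GET_MEMBERS=$((0x10))

# name_group_bits HEXMASK: print the names of the group-specific bits set in HEXMASK.
name_group_bits() {
    mask=$(( $1 ))
    names=""
    [ $(( mask & GROUP_LOOKUP_INFO ))   -ne 0 ] && names="$names LOOKUP_INFO"
    [ $(( mask & GROUP_SET_INFO ))      -ne 0 ] && names="$names SET_INFO"
    [ $(( mask & GROUP_ADD_MEMBER ))    -ne 0 ] && names="$names ADD_MEMBER"
    [ $(( mask & GROUP_REMOVE_MEMBER )) -ne 0 ] && names="$names REMOVE_MEMBER"
    [ $(( mask & GROUP_GET_MEMBERS ))   -ne 0 ] && names="$names GET_MEMBERS"
    printf '%s\n' "${names# }"
}

# mask_field LINE KEY: extract the hex value that follows "KEY: " in an access-check line.
mask_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2: *\([0-9A-Fa-f]*\).*/\1/p"
}

# access_check_line LINE: return 0 if the required mask is a subset of the granted
# mask (Samba's condition for letting the call proceed), 1 if not, 2 if unparsable.
# LINE is one Samba log line such as
#   _samr_AddGroupMember: access check ((granted: 00000f001f;  required: 0000000004)
access_check_line() {
    granted=$(mask_field "$1" granted)
    required=$(mask_field "$1" required)
    [ -n "$granted" ] && [ -n "$required" ] || return 2
    [ $(( 0x$granted & 0x$required )) -eq $(( 0x$required )) ]
}

# report_line LINE: print a one-line verdict with the decoded group-specific bits.
report_line() {
    granted=$(mask_field "$1" granted)
    required=$(mask_field "$1" required)
    fn=${1%%:*}
    if access_check_line "$1"; then verdict=PASS; else verdict=DENY; fi
    printf '%s %s: required=[%s] granted=[%s]\n' "$verdict" "$fn" \
        "$(name_group_bits 0x$required)" "$(name_group_bits 0x$granted)"
}

# Sample input: the two lines from the post (rejoined from their mail wrapping)
# and one constructed line whose handle has LOOKUP_INFO|GET_MEMBERS but not ADD_MEMBER.
LOG_ADD='_samr_AddGroupMember: access check ((granted: 00000f001f;  required: 0000000004)'
LOG_DEL='_samr_DeleteGroupMember: access check ((granted: 00000f001f;  required: 0000000008)'
LOG_CONSTRUCTED='_samr_AddGroupMember: access check ((granted: 0000000011;  required: 0000000004)'

for line in "$LOG_ADD" "$LOG_DEL" "$LOG_CONSTRUCTED"; do
    report_line "$line"
done
```

Both lines quoted from the post decode as PASS: the handle was opened with 0xf001f, which carries every group-specific right, and the calls only required ADD_MEMBER (0x04) and REMOVE_MEMBER (0x08) respectively. That matches the log, where the add call continues past the check, runs smbldap-groupmod and only then reports NT_STATUS_ACCESS_DENIED, so the denial is raised by a later step in the call rather than by this mask check. The constructed third line shows what a genuine mask failure looks like for comparison.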

