[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
Duncan Brannen
dbb at st-andrews.ac.uk
Tue Aug 26 08:02:08 GMT 2008
John H Terpstra wrote:
> On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
>
>> Hi All,
>> I'm trying to add a user to a group using
>>
>> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>>
>> The user is added to the group as far as I can tell but the command
>> returns NT_STATUS_ACCESS_DENIED
>>
>> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
>> configured to lookup users and groups in LDAP.
>>
>> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
>> CROOMTEST\dunk
>>
>> Trying to remove the user from the group returns
>> NT_STATUS_MEMBER_NOT_IN_GROUP and the user
>> is not removed from the group in LDAP (running smbldap-groupmod manually
>> removes the user from LDAP)
>>
>> In smb.conf, I have
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
>> "%g"
>>
>> With log level set to 10 I see the following for the add that may or may
>> not be relevant.
>>
>> Should the access check granted and required values be equal?
>>
>> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>> api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
>> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>> api_rpc_cmds[22].fn == 200be4
>> samr_AddGroupMember: struct samr_AddGroupMember
>> in: struct samr_AddGroupMember
>> group_handle : *
>> group_handle: struct policy_handle
>> handle_type : 0x00000000 (0)
>> uuid :
>> 05000000-0000-0000-b248-b49e90510000
>> rid : 0x00000bb8 (3000)
>> flags : 0x00000005 (5)
>> [2008/08/25 12:59:48, 4]
>> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>> Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48
>> B4 9E ........ .....H..
>> [010] 90 51 00 00 .Q..
>> [2008/08/25 12:59:48, 5]
>> rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>> _samr_AddGroupMember: access check ((granted: 00000f001f; required:
>> 0000000004)
>> [2008/08/25 12:59:48, 10]
>> rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>> sid is S-1-5-21-440367617-1876916578-3462541782-3003
>> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>> get_domain_group_from_sid
>>
>> ...
>>
>> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
>> smb_add_user_group: Running the command
>> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
>> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>> sys_getgrouplist: user [dunk]
>> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> ...
>> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>> LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>> samr_AddGroupMember: struct samr_AddGroupMember
>> out: struct samr_AddGroupMember
>> result : NT_STATUS_ACCESS_DENIED
>>
>> For delmem I again get the same access check granted value
>> _samr_DeleteGroupMember: access check ((granted: 00000f001f;
>> required: 0000000008)
>> then
>> Get_Pwnam_internals did find user [dunk]!
>> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>> LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>> samr_DeleteGroupMember: struct samr_DeleteGroupMember
>> out: struct samr_DeleteGroupMember
>> result : NT_STATUS_MEMBER_NOT_IN_GROUP
>>
>>
>> Any thoughts or pointers as to where I should be looking?
>>
>
> Have you tried to execute this script manually?
>
> Example:
> smbldap-useradd -G new_group user_name
>
> If that works, check that you gave Samba permission to update the LDAP
> directory. Did you execute the following?:
> smbpasswd -w LDAP_Secret_Password
>
> also, check that the user you are using to do this, and/or the group that user
> belongs to, has the rights and privileges needed to do this:
> net rpc rights list accounts -Uroot%password
>
> - John T.
>
I haven't tried that script as I was trying to add an existing user to a
current group, so samba calls
/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"
The script does work and adds the user to the group in LDAP, the samba
logs show the script returning 0
but the ACCESS_DENIED message still occurs, so I was wondering if
something else should be happening
and it's broken in a way that I've not noticed yet.
net rpc rights list accounts ... returned
CROOMTEST\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
but bin/net rpc rights list root .. return nothing so I explicitly added
the rights to root as well but
still get the same error.
If I use useradd -G , the user is added to the supplementary group with
no error message. I've noticed
that unless I use -a to make them a windows user, I get an
NT_STATUS_NONE_MAPPED error,
if I use useradd -m -a -G ... then the user is added to the correct
supplementary groups and I can add
more groups using ../net rpc group addmem but with the
NT_STATUS_ACCESS_DENIED error message.
Given this, there seems to be no difference in the outcome, whether I
see the DENIED message or not,
the user is still added into the LDAP group. I'm assuming here that
there are no local databases used
for group information when using LDAP for both samba and OS?
Thanks,
Duncan
--
The University of St Andrews is a charity registered in Scotland : No SC013532
More information about the samba
mailing list