Windows API's against a Samba DC (NT4)

Nathan Yocom nate.yocom at xpasystems.com
Fri Oct 3 15:43:39 GMT 2003


I am working on some code on the windows side of things for transparent management of users/groups etc on a domain (currently only NT4 not AD).  In doing so, I would like to have it work against a samba pdc as well, but have run into an interesting problem. 

I call the Platform SDK/Windows API function LogonUser (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/logonuser.asp) to try and get a security handle for an administrative account on the domain (the hUser token parameter).  This works against an NT4 server, but does not seem to work against a samba pdc.  The function returns the system error code 1314 (full list here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp) which indicates "A required privilege is not held by the client. ERROR_PRIVILEGE_NOT_HELD", which of course led me to believe it was some kind of privileges problem; however I am testing the call with a user (in this case root) who exists on the pdc, whom I used to add the windows 2000 machine to the domain, and who is in the "domain admin group" setting in smb.conf.  Have I missed a setting somewhere? Should this function work against a samba pdc?

I have bumped the debug level (with smbcontrol) up to 10 but I don't see anything showing up in the logs - but this could be my own ignorance.  This is samba 2.2.8a as well as 3.0 (I have tried with both, using the same conf file) on a stock redhat 9 system.  Let me know if there is info I haven't provided that might help...

Thanks in advance,
Nate Yocom
nate.yocom at xpasystems.com

My smb.conf file:
=================

[global]
workgroup = sambadc
netbios name = sambadc_name

domain admin group = @root @admins
server string = The samba DC

time server = yes
security = user

encrypt passwords = yes
domain logons = yes

log file = /var/log/samba/log.%m

max log size = 50
interfaces = eth* lo
bind interfaces only = yes

os level = 64
preferred master = yes
local master = yes
domain master = yes

add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

logon drive = H:
logon path = \\%L\profiles\%U
logon script = netlogon.bat ; logon script, location defined in [NETLOGON]

socket options = TCP_NODELAY, IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596

preserve case = yes
short preserve case = yes
case sensitive = no

keep alive = 30

unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*

[profiles]
comment = users' profile directories
path = /home/samba/profiles
read only = no
browseable = no
create mask = 0600 
directory mask = 0700 

[homes]
volume = HOME
comment = home directories
read only = no
browseable = no
public = no
create mode = 0750

[shared]
comment = shared space for everyone
path = /home/workgroup/shared
read only = no
browseable = yes
force create mode = 3770
force directory mode = 3770

[NETLOGON]
comment = The domain logon service
path = /home/netlogon
read only = yes
browseable = no
write list = @admins
