Manually creating groupOfNames breaks MMC

Adam Tauno Williams awilliam at whitemice.org
Wed Dec 1 14:11:42 MST 2010


Should it be possible to create a "generic" groupOfNames object via
ADSIEdit in Active Directory (Samba 4)?  

We have some applications that use their own groups; these aren't and
don't correspond to domain groups, so I created an ou like we have in
our OpenLDAP DIT and added some groupOfNames objects via the ADSIEdit
snap-in in MMC.  That seemed to work well.

Then I went to the "Active Directory Users and Groups" snap-in and MMC
crashed.  Things seemed generally broken.  Looking in the samba.log I
see -
[Wed Dec  1 15:05:16 2010 EST,
0 ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
Failed to modify SPNs on
CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
insufficient access rights (50)
[Wed Dec  1 15:53:22 2010 EST,
0 ../auth/sam.c:331:authsam_expand_nested_groups()]
../auth/sam.c:331: when parsing DN
<GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
[Wed Dec  1 15:57:21 2010 EST,
0 ../auth/sam.c:331:authsam_expand_nested_groups()]
../auth/sam.c:331: when parsing DN
<GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
[Wed Dec  1 16:01:11 2010 EST,
0 ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
Failed to modify SPNs on
CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
insufficient access rights (50)

It looks like my newly created objects broke things.  Would this work on
a true AD server?
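
An added example, not part of the original message and not Samba code: a small Python triage script that reassembles the e-mail-wrapped log entries quoted above and lists the objects for which authsam_expand_nested_groups() reported a missing SID component. The function names and regular expressions are this example's own; the sample is the first three entries of the excerpt above.

```python
import re
from collections import Counter

# First three entries of the log excerpt quoted above, e-mail line wrapping kept.
SAMPLE_LOG = """\
[Wed Dec  1 15:05:16 2010 EST,
0 ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
Failed to modify SPNs on
CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
insufficient access rights (50)
[Wed Dec  1 15:53:22 2010 EST,
0 ../auth/sam.c:331:authsam_expand_nested_groups()]
../auth/sam.c:331: when parsing DN
<GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
[Wed Dec  1 15:57:21 2010 EST,
0 ../auth/sam.c:331:authsam_expand_nested_groups()]
../auth/sam.c:331: when parsing DN
<GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

# Entry header as it appears above: [timestamp, level file:line:function()]
HEADER = re.compile(r"\[(?P<time>[^,\[\]]+),\s*(?P<level>\d+)\s+(?P<src>\S+):(?P<line>\d+):(?P<func>\w+)\(\)\]")
# Extended DN (<GUID=...>;DN) that carried no SID component.
NO_SID = re.compile(r"when parsing DN <GUID=([0-9a-fA-F-]{36})>;(.+?) we failed to find our SID component")


def parse_entries(text):
    """Yield one dict per log entry, with wrapped message lines rejoined."""
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield {"time": " ".join(m["time"].split()), "level": int(m["level"]),
               "func": m["func"], "msg": " ".join(text[m.end():end].split())}


def sidless_objects(text):
    """Count (GUID, DN) pairs that nested-group expansion could not map to a SID."""
    hits = Counter()
    for entry in parse_entries(text):
        found = NO_SID.search(entry["msg"])
        if entry["func"] == "authsam_expand_nested_groups" and found:
            hits[(found.group(1), found.group(2))] += 1
    return hits


if __name__ == "__main__":
    for (guid, dn), count in sidless_objects(SAMPLE_LOG).items():
        print(f"{count}x no SID component: {dn} (GUID {guid})")
```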


