Manually creating groupOfNames breaks MMC

Matthias Dieter Wallnöfer mdw at samba.org
Thu Dec 2 08:51:54 MST 2010


Nice catch. A short patch which changes the behaviour at 
../auth/sam.c:331 was developed by me, tested and compared against 
Windows. This one simply ignores entries with no SID (as Windows does) 
and returns NT_STATUS_OK. It should soon be landing in GIT.

Matthias

Matthias Dieter Wallnöfer wrote:
> Well, this should work - we've simply to ignore groups without SIDs.
>
> Matthias
>
> Adam Tauno Williams wrote:
>> Should it be possible to create a "generic" groupOfNames object via
>> ADSIEdit in Active Directory (Samba 4)?
>>
>> We have some applications that use their own groups, these aren't and
>> don't correspond to domain groups, so I created an ou like we have in
>> our OpenLDAP Dit and added some groupOfNames objects via the ADSIEdit
>> snap-in in MMC.  That seemed to work well.
>>
>> Then I went to the "Active Directory Users and Groups" snap-in and MMC
>> crashed.  Things seemed generally broken.  Looking in the samba.log I
>> see -
>> [Wed Dec  1 15:05:16 2010 EST,
>> 0 
>> ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
>> Failed to modify SPNs on
>> CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
>> insufficient access rights (50)
>> [Wed Dec  1 15:53:22 2010 EST,
>> 0 ../auth/sam.c:331:authsam_expand_nested_groups()]
>> ../auth/sam.c:331: when parsing DN
>> <GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI 
>> Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, 
>> so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
>> [Wed Dec  1 15:57:21 2010 EST,
>> 0 ../auth/sam.c:331:authsam_expand_nested_groups()]
>> ../auth/sam.c:331: when parsing DN
>> <GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI 
>> Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, 
>> so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
>> [Wed Dec  1 16:01:11 2010 EST,
>> 0 
>> ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
>> Failed to modify SPNs on
>> CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
>> insufficient access rights (50)
>>
>> It looks like my newly created objects broke things.  Would this work on
>> a true AD server?
>>
>>
>
>
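
A small C model of the behaviour change described in this message, added here as an illustration and not taken from Samba's source or from the patch itself: with the strict setting one group without a SID aborts the whole token build (the failure in the log above), with the skip setting the entry is ignored and the walk returns OK. All type, function and status names and the sample SIDs are constructed, and it assumes the parents of a skipped entry are not followed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a directory entry; not Samba's own structures. */
struct group {
    const char *dn;
    const char *sid;                 /* NULL: no objectSid, e.g. a plain groupOfNames */
    const struct group **member_of;  /* NULL-terminated parent list, or NULL */
};
enum status { ST_OK, ST_OBJECT_NAME_NOT_FOUND, ST_TOKEN_FULL };
#define MAX_SIDS 16
struct token { const char *sids[MAX_SIDS]; size_t n; };

/* skip_sidless == 0: a SID-less entry fails the walk; 1: it is ignored. */
enum status expand_nested_groups(const struct group *g, int skip_sidless,
                                 struct token *t)
{
    if (g->sid == NULL)
        return skip_sidless ? ST_OK : ST_OBJECT_NAME_NOT_FOUND;
    for (size_t i = 0; i < t->n; i++)   /* already present: also stops loops */
        if (strcmp(t->sids[i], g->sid) == 0) return ST_OK;
    if (t->n == MAX_SIDS) return ST_TOKEN_FULL;
    t->sids[t->n++] = g->sid;
    for (const struct group **p = g->member_of; p && *p; p++) {
        enum status s = expand_nested_groups(*p, skip_sidless, t);
        if (s != ST_OK) return s;
    }
    return ST_OK;
}

/* Constructed sample data: names and SIDs are made up. */
static const struct group all_staff = { "CN=AllStaff", "S-1-5-21-1-2-3-1105", NULL };
static const struct group *staff_parents[] = { &all_staff, NULL };
static const struct group staff = { "CN=Staff", "S-1-5-21-1-2-3-1104", staff_parents };
static const struct group app = { "CN=app-group", NULL, NULL };  /* groupOfNames */
static const struct group users = { "CN=Domain Users", "S-1-5-21-1-2-3-513", NULL };
static const struct group *direct[] = { &staff, &app, &users, NULL };

/* Builds the token for a user whose direct memberships are listed above. */
enum status build_token(int skip_sidless, struct token *t)
{
    t->n = 0;
    for (const struct group **g = direct; *g; g++) {
        enum status s = expand_nested_groups(*g, skip_sidless, t);
        if (s != ST_OK) return s;
    }
    return ST_OK;
}

int main(void)
{
    struct token t;
    enum status strict = build_token(0, &t), skip = build_token(1, &t);
    printf("strict=%d skip=%d sids=%zu\n", strict, skip, t.n);
    return 0;
}
```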


