Manually creating groupOfNames breaks MMC

Adam Tauno Williams awilliam at whitemice.org
Thu Dec 2 13:46:57 MST 2010


On Thu, 2010-12-02 at 16:51 +0100, Matthias Dieter Wallnöfer wrote: 
> Nice catch. A short patch which changes the behaviour at 
> ../auth/sam.c:331 was developed by me, tested and compared against 
> Windows. This one simply ignores entries with no SID (as Windows does) 
> and returns NT_STATUS_OK. It should soon be landing in GIT.

I did a git pull and rebuilt and that issue seems to be resolved.

> > Adam Tauno Williams wrote:
> >> Should it be possible to create a "generic" groupOfNames object via
> >> ADSIEdit in Active Directory (Samba 4)?
> >>
> >> We have some applications that use their own groups; these aren't and
> >> don't correspond to domain groups, so I created an OU like we have in
> >> our OpenLDAP DIT and added some groupOfNames objects via the ADSIEdit
> >> snap-in in MMC.  That seemed to work well.
> >>
> >> Then I went to the "Active Directory Users and Groups" snap-in and MMC
> >> crashed.  Things seemed generally broken.  Looking in the samba.log I
> >> see -
> >> [Wed Dec  1 15:05:16 2010 EST,
> >> 0 
> >> ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
> >> Failed to modify SPNs on
> >> CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
> >> insufficient access rights (50)
> >> [Wed Dec  1 15:53:22 2010 EST,
> >> 0 ../auth/sam.c:331:authsam_expand_nested_groups()]
> >> ../auth/sam.c:331: when parsing DN
> >> <GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI 
> >> Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, 
> >> so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
> >> [Wed Dec  1 15:57:21 2010 EST,
> >> 0 ../auth/sam.c:331:authsam_expand_nested_groups()]
> >> ../auth/sam.c:331: when parsing DN
> >> <GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI 
> >> Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, 
> >> so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
> >> [Wed Dec  1 16:01:11 2010 EST,
> >> 0 
> >> ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
> >> Failed to modify SPNs on
> >> CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
> >> insufficient access rights (50)
> >>
> >> It looks like my newly created objects broke things.  Would this work on
> >> a true AD server?
> >>
> 
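
The behaviour discussed in this thread (a group entry with no SID is ignored during group expansion instead of failing it), as an added example that is not part of the original messages and is not Samba's code. The helper names, the string-form <SID=...> component and the second sample DN are assumptions made for illustration; the first sample DN is the one from the log above.

```c
#include <stdio.h>
#include <string.h>

/* [0] is the DN from the log in this thread; [1] is constructed. */
static const char *const SAMPLE_MEMBER_OF[] = {
    "<GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,"
    "OU=MI Services,DC=ad,DC=mormail,DC=com",
    "<GUID=00000000-0000-0000-0000-000000000001>;<SID=S-1-5-21-1-2-3-1105>;"
    "CN=staff,CN=Users,DC=example,DC=com",
};

/* Copy the <SID=...> value of an extended DN into out (hypothetical helper).
 * Returns 1 if present, 0 if the DN carries no usable SID component. */
static int ext_dn_sid(const char *ext_dn, char *out, size_t outlen)
{
    const char *p = ext_dn;
    while (*p == '<') {                 /* walk the "<NAME=value>;" prefix */
        const char *end = strchr(p, '>');
        if (end == NULL) return 0;      /* malformed: treat as no SID */
        if (strncmp(p, "<SID=", 5) == 0) {
            size_t n = (size_t)(end - (p + 5));
            if (n == 0 || n >= outlen) return 0;
            memcpy(out, p + 5, n);
            out[n] = '\0';
            return 1;
        }
        if (end[1] != ';') return 0;
        p = end + 2;
    }
    return 0;                           /* reached the plain DN: no SID */
}

/* Gather group SIDs for a token. An entry without a SID (for example a
 * groupOfNames object) is skipped rather than failing the whole expansion. */
static size_t collect_group_sids(const char *const *member_of, size_t n,
                                 char sids[][64], size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        if (ext_dn_sid(member_of[i], sids[count], 64))
            count++;                    /* otherwise: ignore and continue */
    }
    return count;
}

int main(void)
{
    char sids[4][64];
    size_t n = collect_group_sids(SAMPLE_MEMBER_OF, 2, sids, 4);
    for (size_t i = 0; i < n; i++) printf("group SID: %s\n", sids[i]);
    return 0;
}
```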




More information about the samba-technical mailing list