insufficient access rights

Nadezhda Ivanova nivanova at samba.org
Wed Mar 17 07:04:55 MDT 2010


Hi Jerry,
Thanks for the reference. I also think Matthieu is right, but it's worth
checking this issue out. The thing is, CARs and validated rights should
checked by the system on specific occasions, usually not in the context of
the acl module. Information about when a secific CAR or VW is needed is
dispersed in the docs, and is a new addition, so we will be adding these
checks as we discover they are needed. I am currently in the process of
researching all known CAR and VW checks, when these rights are assigned,
etc. I am afraid there is an overwhelming amount of use cases here, so
reports like this one will be popping up for a while. Your suggestion to
check the delegate control is very helpful, thanks!

Regards,
Nadya

On Wed, Mar 17, 2010 at 2:52 PM, Gerald Carter <jerry at plainjoe.org> wrote:

> Nadezhda Ivanova wrote:
>
> > I can't say without examining the SD of the machine
> > object. I'll try to reproduce the issue and examine what's
> > going on. It does look like an acl error.
>
> Nadya,
>
> Just from a cursory glance,  Matthew's post is accurate regarding
> Windows behavior.
>
>  http://lists.samba.org/archive/samba-technical/2010-March/070018.html
>
> This is the "validated write" access.
>
>  http://msdn.microsoft.com/en-us/library/ms675747%28VS.85%29.aspx
>
> And you might want to examine the process of delegating control of
> a pre-existing machine objects and how that impacts the ACEs.
> Maybe just a dump from acldiag.exe in the supports tools would
> give you the information you need.
>
> Of course, you may already know all this in which case feel
> free to ignore me.
>
> >>>> Im trying to join my domain on a xp computer. When trying to join as a
> >>>> normal user, i get this error.
> >>>> Failed to modify record
> CN=KOFFEINMASKIN,OU=test,DC=local,DC=test,DC=lan:
> >>>> error in module acl: insufficient access rights (50)
> >>>> However, i can join the domain as an administrator, is this normal?
> >>>> Sounds quite strange.
>
>
>
>
>
>
> cheers, jerry
> --
> =====================================================================
> Senior Software Developer                               Likewise-CIFS
> http://www.likewiseopen.org/
> "What man is a man who does not make the world better?"      --Balian
>
>


More information about the samba-technical mailing list