Samba 4 insufficientAccessRights when modifying Configuration
Brian C. Huffman
bhuffman at etinternational.com
Thu Aug 9 15:06:16 MDT 2012
Nadya,
It is the same:
[root at samba01 bhuffman]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=bhuffman-v1'
# record 1
dn: CN=BHUFFMAN-V1,OU=Windows,OU=Computers,OU=ETI,DC=xmen,DC=eti
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: BHUFFMAN-V1
instanceType: 4
whenCreated: 20120515211952.0Z
uSNCreated: 3714
name: BHUFFMAN-V1
objectGUID: 1c443011-c0e6-4e62-9a25-5b297c6c01d2
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 515
objectSid: S-1-5-21-2824053618-3522172672-2706769870-1104
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: BHUFFMAN-V1$
sAMAccountType: 805306369
dNSHostName: BHUFFMAN-V1.xmen.eti
servicePrincipalName: HOST/BHUFFMAN-V1.xmen.eti
servicePrincipalName: RestrictedKrbHost/BHUFFMAN-V1.xmen.eti
servicePrincipalName: HOST/BHUFFMAN-V1
servicePrincipalName: RestrictedKrbHost/BHUFFMAN-V1
servicePrincipalName: TERMSRV/bhuffman-v1.xmen.eti
servicePrincipalName: TERMSRV/BHUFFMAN-V1
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=xmen,DC=eti
isCriticalSystemObject: FALSE
operatingSystem: Windows 7 Professional
operatingSystemServicePack: Service Pack 1
operatingSystemVersion: 6.1 (7601)
msDS-SupportedEncryptionTypes: 28
pwdLastSet: 129882182410000000
userAccountControl: 4096
memberOf: CN=Domain Admins,CN=Users,DC=xmen,DC=eti
whenChanged: 20120809205713.0Z
uSNChanged: 5658
distinguishedName: CN=BHUFFMAN-V1,OU=Windows,OU=Computers,OU=ETI,DC=xmen,DC=eti
Brian
On 08/09/2012 04:52 PM, Nadezhda Ivanova wrote:
> Hi Brian,
> Really sorry I dropped the ball on this, but I have been very busy.
> You could use ldbsearch with a scope=one and base= dn of the user. This will list all attributes and you can verify that the user with sid S-1-5-21-2824053618-3522172672-2706769870-1104 is indeed that machine account. It could be some other user for some reason. If it proves to be the same, then there may be a problem with the token generation.
>
> Andrew, can you think of a reason why the Domain Admins SID is not in the token?
>
> Regards,
> Nadya
>
> On Thu, Aug 9, 2012 at 11:32 PM, Brian C. Huffman <bhuffman at etinternational.com> wrote:
>
> Nadya,
>
> Should I open a bug on this? I've definitely added the machine account to the Domain Admins group.
>
> If not, is there anything else I can do to test what might be wrong?
>
>
> Thanks,
> Brian
>
> On 08/01/2012 03:13 PM, Nadezhda Ivanova wrote:
>
> From the security token it is seen that the user is not a member of Domain Admins or Enterprise Admins. All we have is:
> sids : S-1-5-21-2824053618-3522172672-2706769870-1104 - I assume this is the machine account sid
> sids : S-1-5-21-2824053618-3522172672-2706769870-515 - Domain Computers
> sids : S-1-1-0 - Everyone
> sids : S-1-5-2 - Network
> sids : S-1-5-11 - Authenticated Users
>
> For some reason the account has not become a member of Domain Admins.
>
>
>
> On Wed, Aug 1, 2012 at 9:56 PM, Brian C. Huffman <bhuffman at etinternational.com> wrote:
>
> Here you go:
> [2012/08/01 14:35:39, 10, pid=15547, effective(0, 0), real(0, 0)]
> ../source4/dsdb/common/dsdb_access.c:47(dsdb_acl_debug)
> Access on CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti denied
> Security context: : struct security_token
> num_sids : 0x00000005 (5)
> sids: ARRAY(5)
> sids : S-1-5-21-2824053618-3522172672-2706769870-1104
> sids : S-1-5-21-2824053618-3522172672-2706769870-515
> sids : S-1-1-0
> sids : S-1-5-2
> sids : S-1-5-11
> privilege_mask : 0x0000000000000000 (0)
> 0: SEC_PRIV_MACHINE_ACCOUNT_BIT
> 0: SEC_PRIV_PRINT_OPERATOR_BIT
> 0: SEC_PRIV_ADD_USERS_BIT
> 0: SEC_PRIV_DISK_OPERATOR_BIT
> 0: SEC_PRIV_REMOTE_SHUTDOWN_BIT
> 0: SEC_PRIV_BACKUP_BIT
> 0: SEC_PRIV_RESTORE_BIT
> 0: SEC_PRIV_TAKE_OWNERSHIP_BIT
> 0: SEC_PRIV_INCREASE_QUOTA_BIT
> 0: SEC_PRIV_SECURITY_BIT
> 0: SEC_PRIV_LOAD_DRIVER_BIT
> 0: SEC_PRIV_SYSTEM_PROFILE_BIT
> 0: SEC_PRIV_SYSTEMTIME_BIT
> 0: SEC_PRIV_PROFILE_SINGLE_PROCESS_BIT
> 0: SEC_PRIV_INCREASE_BASE_PRIORITY_BIT
> 0: SEC_PRIV_CREATE_PAGEFILE_BIT
> 0: SEC_PRIV_SHUTDOWN_BIT
> 0: SEC_PRIV_DEBUG_BIT
> 0: SEC_PRIV_SYSTEM_ENVIRONMENT_BIT
> 0: SEC_PRIV_CHANGE_NOTIFY_BIT
> 0: SEC_PRIV_UNDOCK_BIT
> 0: SEC_PRIV_ENABLE_DELEGATION_BIT
> 0: SEC_PRIV_MANAGE_VOLUME_BIT
> 0: SEC_PRIV_IMPERSONATE_BIT
> 0: SEC_PRIV_CREATE_GLOBAL_BIT
> rights_mask : 0x00000000 (0)
> 0: LSA_POLICY_MODE_INTERACTIVE
> 0: LSA_POLICY_MODE_NETWORK
> 0: LSA_POLICY_MODE_BATCH
> 0: LSA_POLICY_MODE_SERVICE
> 0: LSA_POLICY_MODE_PROXY
> 0: LSA_POLICY_MODE_DENY_INTERACTIVE
> 0: LSA_POLICY_MODE_DENY_NETWORK
> 0: LSA_POLICY_MODE_DENY_BATCH
> 0: LSA_POLICY_MODE_DENY_SERVICE
> 0: LSA_POLICY_MODE_REMOTE_INTERACTIVE
> 0: LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE
> 0x00: LSA_POLICY_MODE_ALL (0)
> 0x00: LSA_POLICY_MODE_ALL_NT4 (0)
>
> [2012/08/01 14:35:39, 10, pid=15547, effective(0, 0), real(0, 0)]
> ../source4/dsdb/common/dsdb_access.c:55(dsdb_acl_debug)
>
> Security descriptor: : struct security_descriptor
> revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
> type : 0x8405 (33797)
>
> 1: SEC_DESC_OWNER_DEFAULTED
> 0: SEC_DESC_GROUP_DEFAULTED
> 1: SEC_DESC_DACL_PRESENT
> 0: SEC_DESC_DACL_DEFAULTED
> 0: SEC_DESC_SACL_PRESENT
> 0: SEC_DESC_SACL_DEFAULTED
> 0: SEC_DESC_DACL_TRUSTED
> 0: SEC_DESC_SERVER_SECURITY
> 0: SEC_DESC_DACL_AUTO_INHERIT_REQ
> 0: SEC_DESC_SACL_AUTO_INHERIT_REQ
> 1: SEC_DESC_DACL_AUTO_INHERITED
> 0: SEC_DESC_SACL_AUTO_INHERITED
> 0: SEC_DESC_DACL_PROTECTED
> 0: SEC_DESC_SACL_PROTECTED
> 0: SEC_DESC_RM_CONTROL_VALID
> 1: SEC_DESC_SELF_RELATIVE
> owner_sid : *
> owner_sid : S-1-5-21-2824053618-3522172672-2706769870-519
> group_sid : *
> group_sid : S-1-5-21-2824053618-3522172672-2706769870-513
> sacl : NULL
> dacl : *
> dacl: struct security_acl
> revision : SECURITY_ACL_REVISION_ADS (4)
> size : 0x009c (156)
> num_aces : 0x00000005 (5)
> aces: ARRAY(5)
> aces: struct security_ace
> type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
> flags : 0x00 (0)
> 0: SEC_ACE_FLAG_OBJECT_INHERIT
> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
> 0: SEC_ACE_FLAG_INHERIT_ONLY
> 0: SEC_ACE_FLAG_INHERITED_ACE
> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
> 0: SEC_ACE_FLAG_FAILED_ACCESS
> size : 0x0024 (36)
> access_mask : 0x000f01ff (983551)
> object : union security_ace_object_ctr(case 0)
> trustee : S-1-5-21-2824053618-3522172672-2706769870-512
> aces: struct security_ace
> type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
> flags : 0x00 (0)
> 0: SEC_ACE_FLAG_OBJECT_INHERIT
> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
> 0: SEC_ACE_FLAG_INHERIT_ONLY
> 0: SEC_ACE_FLAG_INHERITED_ACE
> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
> 0: SEC_ACE_FLAG_FAILED_ACCESS
> size : 0x0014 (20)
> access_mask : 0x000f01ff (983551)
> object : union security_ace_object_ctr(case 0)
> trustee : S-1-5-18
> aces: struct security_ace
> type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
> flags : 0x00 (0)
> 0: SEC_ACE_FLAG_OBJECT_INHERIT
> 0: SEC_ACE_FLAG_CONTAINER_INHERIT
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
> 0: SEC_ACE_FLAG_INHERIT_ONLY
> 0: SEC_ACE_FLAG_INHERITED_ACE
> 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
> 0: SEC_ACE_FLAG_FAILED_ACCESS
> size : 0x0014 (20)
> access_mask : 0x00020094 (131220)
> object : union security_ace_object_ctr(case 0)
> trustee : S-1-5-11
> aces: struct security_ace
> type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
> flags : 0x12 (18)
> 0: SEC_ACE_FLAG_OBJECT_INHERIT
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
> 0: SEC_ACE_FLAG_INHERIT_ONLY
> 1: SEC_ACE_FLAG_INHERITED_ACE
> 0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
> 0: SEC_ACE_FLAG_FAILED_ACCESS
> size : 0x0024 (36)
> access_mask : 0x000f01ff (983551)
> object : union security_ace_object_ctr(case 0)
> trustee : S-1-5-21-2824053618-3522172672-2706769870-519
> aces: struct security_ace
> type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
> flags : 0x12 (18)
> 0: SEC_ACE_FLAG_OBJECT_INHERIT
> 1: SEC_ACE_FLAG_CONTAINER_INHERIT
> 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
> 0: SEC_ACE_FLAG_INHERIT_ONLY
> 1: SEC_ACE_FLAG_INHERITED_ACE
> 0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
> 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
> 0: SEC_ACE_FLAG_FAILED_ACCESS
> size : 0x0024 (36)
> access_mask : 0x000f01bd (983485)
> object : union security_ace_object_ctr(case 0)
> trustee : S-1-5-21-2824053618-3522172672-2706769870-512
>
> [2012/08/01 14:35:39, 5, pid=15547, effective(0, 0), real(0, 0)]
> ../lib/ldb-samba/ldb_wrap.c:68(ldb_wrap_debug)
> ldb: cancel ldb transaction (nesting: 0)
>
> Let me know if you need anything additional.
>
> Thanks!
> Brian
>
>
> On 08/01/2012 02:02 PM, Nadezhda Ivanova wrote:
>
> Hi Brian,
> We will need to take a look at the access check dumps. To do that, you need to run Samba with log level 10. Add the machine account to the Domain Admins group, and repeat the installation. The log file will be enormous, but search for something like:
> Object CN=group-Display,CN=407,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti has no write property access
> Access on CN=group-Display,CN=407,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti denied
>
> After that there should be a dump of the security token, which looks something like this:
> Security context: : struct security_token
> user_sid : *
> user_sid : S-1-5-21-2851635801-3495335766-3134857892-1014
> group_sid : *
> group_sid : S-1-5-21-2851635801-3495335766-3134857892-513
> num_sids : 0x00000006 (6)
> sids: ARRAY(6)
> sids : *
> sids : S-1-5-21-2851635801-3495335766-3134857892-1014
> sids : *
> sids : S-1-5-21-2851635801-3495335766-3134857892-513
> sids : *
> sids : S-1-1-0
> sids : *
> sids : S-1-5-2
> sids : *
> sids : S-1-5-11
> sids : *
> sids : S-1-5-32-545
> privilege_mask : 0x0000000000000000 (0)
>
> and after that is a dump of the security descriptor for the object. It can be very big, starts with something like:
> Security descriptor: : struct security_descriptor
> revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
> type : 0x8c14 (35860)
> 0: SEC_DESC_OWNER_DEFAULTED
> 0: SEC_DESC_GROUP_DEFAULTED
> 1: SEC_DESC_DACL_PRESENT
> 0: SEC_DESC_DACL_DEFAULTED
> 1: SEC_DESC_SACL_PRESENT
> 0: SEC_DESC_SACL_DEFAULTED
> 0: SEC_DESC_DACL_TRUSTED
> 0: SEC_DESC_SERVER_SECURITY
> 0: SEC_DESC_DACL_AUTO_INHERIT_REQ
> 0: SEC_DESC_SACL_AUTO_INHERIT_REQ
> 1: SEC_DESC_DACL_AUTO_INHERITED
> 1: SEC_DESC_SACL_AUTO_INHERITED
> 0: SEC_DESC_DACL_PROTECTED
> 0: SEC_DESC_SACL_PROTECTED
> 0: SEC_DESC_RM_CONTROL_VALID
> 1: SEC_DESC_SELF_RELATIVE
>
>
> And goes on with the list of all ACEs in sacl and dacl. We will need all that to figure out why the access checks have failed, could you send it?
>
> Regards,
> Nadya
>
>
> On Wed, Aug 1, 2012 at 5:01 PM, Brian C. Huffman <bhuffman at etinternational.com> wrote:
>
> Yep - In fact, I removed the machine account from Domain Admins, tried again, and did a diff between the two modify responses. Kerberos info is different and the timestamps are different, but everything else is the same.
>
> Brian
>
>
> On 08/01/2012 09:51 AM, Nadezhda Ivanova wrote:
>
> Is it the same error on the same operation?
>
> On Wed, Aug 1, 2012 at 4:49 PM, Brian C. Huffman <bhuffman at etinternational.com> wrote:
>
> Matthieu,
>
> I used the MMC "Active Directory Users and Computers" to make the change you suggested. Unfortunately I still get the insufficientAccessRights. So now I'm not sure what's going on because your idea made sense and sounded very promising.
>
> Brian
>
>
>
>
> On 07/31/2012 11:52 PM, Matthieu Patou wrote:
>
> On 07/31/2012 07:18 AM, Brian C. Huffman wrote:
>
> Unfortunately I can run it as Administrator but it appears that programmatically it still tries to install as the machine account. I did some research and it turns out that the vendor intends you to run it on the AD server itself (which won't be possible for Samba).
>
> I suspect they expect you to run it on one of the DCs; in this case the computer account is a member of the domain controllers, which have a lot of rights!
>
> However while trying to work around this, I found a difference between Samba and a Windows 2008 AD server. With the Win2k8 AD server, I'm able to add the machine account, with inherited write permissions, to CN=DisplaySpecifiers,CN=Configuration and then the installer succeeds. When I try to do the same with Samba, it doesn't give me any warnings, but it silently refuses to add the permissions to the descendants of DisplaySpecifiers. Is this known / intended behavior?
>
> As Nadya said, we know this "issue". The way to do it for you is to add the machine account via ADSI or ldbedit to the Domain Admins group; it should do the job. Once the installation is finished, remove it from this group.
>
> Matthieu.
>
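To make the log-level-10 dumps quoted in this thread easier to read back, here is an added example that is not code from the thread or from Samba. It parses the token SIDs and the DACL ACEs as they appear in a dsdb_acl_debug dump, replays a simplified version of the access check Samba performed (plain allow/deny ACEs only; object-specific ACEs, owner rights and inheritance, which Samba's real check handles, are left out), and applies Nadya's cross-check of the token's first SID against the objectSid of the ldbsearch record. The embedded dumps are constructed from the ones quoted above and trimmed to the fields the parsers use; every function name is mine, and the RIGHTS table is the standard AD access-mask layout (SEC_ADS_WRITE_PROP is 0x20).

```python
"""Replay a Samba AD DC access check from a log-level-10 dsdb_acl_debug dump.
Added example, not code from this thread or from Samba; the dumps below are
constructed from the ones quoted in the thread and trimmed to the fields used."""
import re

# Standard AD access-mask bits (SEC_ADS_* plus the standard rights).
RIGHTS = {"CREATE_CHILD": 0x1, "DELETE_CHILD": 0x2, "LIST_CHILDREN": 0x4,
          "SELF_WRITE": 0x8, "READ_PROP": 0x10, "WRITE_PROP": 0x20,
          "DELETE_TREE": 0x40, "LIST_OBJECT": 0x80, "CONTROL_ACCESS": 0x100,
          "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
          "WRITE_OWNER": 0x80000}

# Token from the dump for CN=user-Display,CN=C0A,CN=DisplaySpecifiers,... (constructed).
TOKEN_DUMP = """\
Security context: : struct security_token
        sids : S-1-5-21-2824053618-3522172672-2706769870-1104
        sids : S-1-5-21-2824053618-3522172672-2706769870-515
        sids : S-1-1-0
        sids : S-1-5-2
        sids : S-1-5-11
"""

# The five DACL ACEs from the same dump, keeping type, access_mask and trustee.
ACE_DUMP = """\
    type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
    access_mask : 0x000f01ff (983551)
    trustee : S-1-5-21-2824053618-3522172672-2706769870-512
    type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
    access_mask : 0x000f01ff (983551)
    trustee : S-1-5-18
    type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
    access_mask : 0x00020094 (131220)
    trustee : S-1-5-11
    type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
    access_mask : 0x000f01ff (983551)
    trustee : S-1-5-21-2824053618-3522172672-2706769870-519
    type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
    access_mask : 0x000f01bd (983485)
    trustee : S-1-5-21-2824053618-3522172672-2706769870-512
"""

# ldbsearch record for the machine account, trimmed (constructed).
LDIF_RECORD = """\
dn: CN=BHUFFMAN-V1,OU=Windows,OU=Computers,OU=ETI,DC=xmen,DC=eti
objectSid: S-1-5-21-2824053618-3522172672-2706769870-1104
memberOf: CN=Domain Admins,CN=Users,DC=xmen,DC=eti
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def parse_token(dump):
    """SIDs printed as 'sids : S-1-...' in a struct security_token dump, in order."""
    return [SID_RE.search(l).group(0) for l in dump.splitlines()
            if l.strip().startswith("sids : S-1-")]

def parse_aces(dump):
    """[(type, mask, trustee)] per ACE; Samba prints type, access_mask, trustee in that order."""
    aces, cur = [], {}
    for line in dump.splitlines():
        key, _, val = line.strip().partition(" : ")
        if key == "type":
            cur = {"type": val.split()[0]}
        elif key == "access_mask":
            cur["mask"] = int(val.split()[0], 16)
        elif key == "trustee":
            aces.append((cur["type"], cur["mask"], val.strip()))
    return aces

def check_access(token_sids, aces, desired):
    """Simplified DACL walk: a matching deny ACE overlapping the request loses; allow
    ACEs accumulate until every desired bit is granted. No object ACEs or owner rights."""
    granted = 0
    for ace_type, mask, trustee in aces:
        if trustee not in token_sids:
            continue
        if ace_type == "SEC_ACE_TYPE_ACCESS_DENIED" and mask & desired:
            return False
        if ace_type == "SEC_ACE_TYPE_ACCESS_ALLOWED":
            granted |= mask
            if granted & desired == desired:
                return True
    return False

def sids_that_would_grant(aces, desired):
    """Trustees whose single allow ACE already covers every desired bit."""
    return sorted({t for ty, m, t in aces
                   if ty == "SEC_ACE_TYPE_ACCESS_ALLOWED" and m & desired == desired})

def ldif_values(record, attr):
    """All values of one attribute in a single LDIF record."""
    return [l.partition(": ")[2] for l in record.splitlines() if l.startswith(attr + ": ")]

def token_matches_account(token_sids, record):
    """Nadya's cross-check: is the token's first SID the account's objectSid?"""
    return bool(token_sids) and token_sids[0] in ldif_values(record, "objectSid")

if __name__ == "__main__":
    token, aces, want = parse_token(TOKEN_DUMP), parse_aces(ACE_DUMP), RIGHTS["WRITE_PROP"]
    print("token belongs to the machine account:", token_matches_account(token, LDIF_RECORD))
    print("memberOf in sam.ldb:", ldif_values(LDIF_RECORD, "memberOf"))
    print("WRITE_PROP granted:", check_access(token, aces, want))
    print("SIDs whose ACE would grant it:", sids_that_would_grant(aces, want))
```

Run against the dump quoted above, it reports that the token is indeed the BHUFFMAN-V1$ account, that sam.ldb lists that account in Domain Admins, that WRITE_PROP on the object is not granted, and that only the RID 512 (Domain Admins), S-1-5-18 (SYSTEM) and RID 519 (Enterprise Admins) ACEs would grant it; the Authenticated Users ACE at 0x00020094 is read-only. Pasting your own "Security context" and ACE sections into the two strings shows which missing SID explains an insufficientAccessRights before a bug is filed.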
More information about the samba-technical
mailing list