Samba 4 insufficientAccessRights when modifying Configuration

Brian C. Huffman bhuffman at etinternational.com
Mon Jul 30 08:45:13 MDT 2012 

Ok.  I got the encryption figured out.

So, there are two things that ADSI does differently:

1) It appears in wireshark that ADSI does two modify requests (they look 
like duplicates to me, but I could be wrong).

2) ADSI does a "replace" whereas the installer does an "add" (the 1st 
entry "1,{08...}" was already there)
(ADSI):
             LDAPMessage modifyRequest(291) 
"CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti"
                 messageID: 291
                 protocolOp: modifyRequest (6)
                     modifyRequest
                         object: 
CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti
                         modification: 1 item
                             modification item
                                 operation: replace (2)
                                 modification adminContextMenu
                                     type: adminContextMenu
                                     vals: 2 items
1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
2,{11330101-C4C8-11D6-B1DF-000476962053}

(Installer):
             LDAPMessage modifyRequest(25) 
"CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti"
                 messageID: 25
                 protocolOp: modifyRequest (6)
                     modifyRequest
                         object: 
CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti
                         modification: 1 item
                             modification item
                                 operation: add (0)
                                 modification adminContextMenu
                                     type: adminContextMenu
                                     vals: 1 item
2,{11330101-C4C8-11D6-B1DF-000476962053}


-b

On 07/30/2012 09:47 AM, Brian C. Huffman wrote:
> I tried using a standard tcpdump -w and then loading the result into 
> wireshark, but the output for when I use ADSI (MMC) is completely 
> different and I don't see anything recognizable there.  In fact, 
> wireshark doesn't even detect the LDAP protcol at all - it's showing 
> just TCP in the protocol field for all packets.
>
> Might it be encrypted?  If so, how would we go about finding a useful 
> trace to compare?
>
> Brian
>
> On 07/27/2012 08:55 PM, Andrew Bartlett wrote:
>> On Fri, 2012-07-27 at 09:20 -0400, Brian C. Huffman wrote:
>>> Sorry - I should have been clear.  I'm running as "Administrator" which
>>> is a member of the Enterprise Admins (and also Schema Admins, just 
>>> in case).
>> If this is all being run as the same user, then the next step is to get
>> a network trace of the operations, and see if we can figure out how the
>> installer's operations differ from the MMC operations.
>>
>> This will let us know if we can find a way the (presumably) subtly
>> different operations take different code paths.
>>
>> Andrew Bartlett
>>
>

More information about the samba-technical mailing list