Samba 4 insufficientAccessRights when modifying Configuration
Brian C. Huffman
bhuffman at etinternational.com
Mon Jul 30 08:45:13 MDT 2012
Ok. I got the encryption figured out.
So, there are two things that ADSI does differently:
1) It appears in wireshark that ADSI does two modify requests (they look
like duplicates to me, but I could be wrong).
2) ADSI does a "replace" whereas the installer does an "add" (the 1st
entry "1,{08...}" was already there)
(ADSI):
LDAPMessage modifyRequest(291)
"CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti"
messageID: 291
protocolOp: modifyRequest (6)
modifyRequest
object:
CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti
modification: 1 item
modification item
operation: replace (2)
modification adminContextMenu
type: adminContextMenu
vals: 2 items
1,{08eb4fa6-6ffd-11d1-b0e0-00c04fd8dca6}
2,{11330101-C4C8-11D6-B1DF-000476962053}
(Installer):
LDAPMessage modifyRequest(25)
"CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti"
messageID: 25
protocolOp: modifyRequest (6)
modifyRequest
object:
CN=user-Display,CN=C0A,CN=DisplaySpecifiers,CN=Configuration,DC=xmen,DC=eti
modification: 1 item
modification item
operation: add (0)
modification adminContextMenu
type: adminContextMenu
vals: 1 item
2,{11330101-C4C8-11D6-B1DF-000476962053}
-b
On 07/30/2012 09:47 AM, Brian C. Huffman wrote:
> I tried using a standard tcpdump -w and then loading the result into
> wireshark, but the output for when I use ADSI (MMC) is completely
> different and I don't see anything recognizable there. In fact,
> wireshark doesn't even detect the LDAP protcol at all - it's showing
> just TCP in the protocol field for all packets.
>
> Might it be encrypted? If so, how would we go about finding a useful
> trace to compare?
>
> Brian
>
> On 07/27/2012 08:55 PM, Andrew Bartlett wrote:
>> On Fri, 2012-07-27 at 09:20 -0400, Brian C. Huffman wrote:
>>> Sorry - I should have been clear. I'm running as "Administrator" which
>>> is a member of the Enterprise Admins (and also Schema Admins, just
>>> in case).
>> If this is all being run as the same user, then the next step is to get
>> a network trace of the operations, and see if we can figure out how the
>> installer's operations differ from the MMC operations.
>>
>> This will let us know if we can find a way the (presumably) subtly
>> different operations take different code paths.
>>
>> Andrew Bartlett
>>
>
More information about the samba-technical
mailing list