[Samba] Cannot join NT 4.0 Client to Samba3.0a21 PDC

Chris Kearns chris.kearns at sybernet.ie
Mon Mar 3 11:50:41 GMT 2003


Hello,

I have successfully migrated an existing NT domain of about 30 users and 50 machines (mainly NT + W2K) to a Samba 2.2.7a PDC. I used the IDEALX Samba-PDC-Howto as a basis, using SSL and LDAP as the authentication mechanism.

Because of problems with NT groups, I decided to try Samba 3.0, so I downloaded and built Samba-3.0alpha21, using the RPM Spec below. Using the same smb.conf that worked with 2.2.7a, I tried adding an NT 4.0 workstation, without success.

The error I get on the NT side is: 
"Unable to add or change accounts on the domain. The account information entered does not grant sufficient privilege to create or change accounts."
when I click on Identification Settings in Network on the NT box. I use the Domain Administrator account, which works using rpcclient or smbclient.

The log files show a number of access errors, the first being:
[2003/03/03 13:28:07, 10] lib/util_seaccess.c:se_access_check(248)
  se_access_check: requested access 0x00000211, for NT token with 6 entries and first sid S-1-5-21-3642312925-2943760701-1776766777-2000.
[2003/03/03 13:28:07, 3] lib/util_seaccess.c:se_access_check(267)
[2003/03/03 13:28:07, 3] lib/util_seaccess.c:se_access_check(268)
  se_access_check: user sid is S-1-5-21-3642312925-2943760701-1776766777-2000
  se_access_check: also S-1-5-21-3642312925-2943760701-1776766777-2025
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3642312925-2943760701-1776766777-512
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2003/03/03 13:28:07, 5] lib/util_seaccess.c:se_access_check(331)
  se_access_check: access (211) denied.
[2003/03/03 13:28:07, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(91)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2003/03/03 13:28:07, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 samr_io_r_open_domain 

I'm afraid that this doesn't help me; what am I missing?

Thanks,

Chris Kearns


RPM Samba.spec diffs:
---------------
        ...
	--with-libsmbclient \
        --with-acl-support \
        --with-with-profile \
        --disable-static \
        --with-msdfs \
        --with-ldapsam
        ...

smb.conf:
-------------
[global]
   ldap server = shac
   ldap port = 389
   ldap suffix = dc=sybernet, dc=ie
   ldap admin dn = cn=manager, dc=sybernet, dc=ie
   ldap ssl = start_tls
   add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
   character set = iso8859-1
   log level = 10
   domain admin group = " @"Domain Admins" "
   domain guest group = " @"Domain Guests" "

   workgroup = SYBERNET
   netbios name = shac

   server string = Samba PDC %v %h

   hosts allow = 194.125.32. 127.

   printcap name = /etc/printcap
   load printers = yes

   printing = lprng

  guest account = Guest

   log file = /var/log/samba/%m.log
   max log size = 50000

   security = user
   password server = shac
   encrypt passwords = yes
   unix password sync = Yes
   passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*successfully*

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   interfaces = 127.0.0.1 194.125.32.101/8
   local master = yes
   os level = 64
   domain master = yes 
   preferred master = yes
   domain logons = yes
   logon path = \\%N\profiles\%u
   logon home = \\%N\homes
   logon drive = M:
   logon script = logon.cmd
   dns proxy = yes 

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0644
   directory mode = 0755

 [netlogon]
   comment = Network Logon Service
   path = /space/system/samba/netlogon
   writable = no
   write list = administrator

[profiles]
    comment = Profiles Store
    path = /space/system/samba/profiles
    writable = yes
    valid users = " @"Domain Users" "
    admin users = " @"Domain Admins" "
    create mask = 0755
    force create mode = 020
    directory mask = 02755
    force directory mode = 02070
    map system = yes
    map hidden = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes


------------------------------------------------------
SyberNet Ltd.                            Tel: +353 (0)91 514400
Galway Business Park                     Fax: +353 (0)91 514409
Dangan                                   DDI: +353 (0)91 514401
Galway                                   email: chris.kearns at sybernet.ie
Ireland                                  WWW: www.sybernet.com
------------------------------------------------------
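
Added example, not part of the original post: a short Python replay of the se_access_check lines quoted above, showing which requested bits each ACE satisfies and which stay unmet. It models only access-allowed (type 0) ACEs, as in the log; the function name replay and the embedded LOG string (the post's lines with timestamps dropped) are constructed for this illustration.

```python
import re

# Constructed from the se_access_check lines quoted in the post (timestamps dropped).
LOG = """\
se_access_check: requested access 0x00000211, for NT token with 6 entries and first sid S-1-5-21-3642312925-2943760701-1776766777-2000.
se_access_check: user sid is S-1-5-21-3642312925-2943760701-1776766777-2000
se_access_check: also S-1-5-21-3642312925-2943760701-1776766777-2025
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-3642312925-2943760701-1776766777-512
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
"""

REQ = re.compile(r"requested access 0x([0-9a-fA-F]+)")
TOK = re.compile(r"(?:user sid is|also) (S-[\d-]+)")
ACE = re.compile(
    r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, SID = (S-[\d-]+) mask = ([0-9a-f]+)"
)

def replay(log):
    """Walk the ACEs in order; an allow ACE whose SID is in the token clears its bits."""
    requested = int(REQ.search(log).group(1), 16)
    token = set(TOK.findall(log))
    remaining, steps = requested, []
    for idx, ace_type, sid, mask in ACE.findall(log):
        in_token = sid in token
        if ace_type == "0" and in_token:   # type 0 = access-allowed ACE
            remaining &= ~int(mask, 16)
        steps.append((int(idx), sid, in_token, remaining))
    return requested, token, steps, remaining

if __name__ == "__main__":
    requested, token, steps, remaining = replay(LOG)
    print(f"requested {requested:#x}, token holds {len(token)} SIDs")
    for idx, sid, in_token, left in steps:
        print(f"ACE {idx} {sid:<13} in token: {in_token!s:<5} still needed: {left:#x}")
    print("granted" if remaining == 0 else f"denied, unmet bits {remaining:#x}")
```

The replay reproduces the log's "current desired = 10" after ACE 0: only the Everyone ACE (S-1-1-0) matches the token, and the two ACEs carrying bit 0x10 name the BUILTIN aliases S-1-5-32-544 (Administrators) and S-1-5-32-548 (Account Operators), neither of which appears among the token's six SIDs.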

