[Samba] Cannot join NT 4.0 Client to Samba3.0a21 PDC
Chris Kearns
chris.kearns at sybernet.ie
Mon Mar 3 11:50:41 GMT 2003
Hello,
I have successfully migrated an existing NT domain of about 30 users and 50 machines (mainly NT + W2K) to a Samba 2.2.7a PDC. I used the IDEALX Samba-PDC-Howto as a basis, using SSL and LDAP as the authentication mechanism.
Because of problems with NT groups, I decided to try Samba 3.0, so I downloaded and built Samba-3.0alpha21, using the RPM Spec below. Using the same smb.conf that worked with 2.2.7a, I tried adding an NT 4.0 workstation, without success.
The error I get on the NT side is:
"Unable to add or change accounts on the domain. The account information entered does not grant sufficient privilege to create or change accounts."
when I click on Identification Settings in Network on the NT box. I use the Domain Administrator account, which works using rpcclient or smbclient.
The log files show a number of access errors, the first being:
[2003/03/03 13:28:07, 10] lib/util_seaccess.c:se_access_check(248)
se_access_check: requested access 0x00000211, for NT token with 6 entries and first sid S-1-5-21-3642312925-2943760701-1776766777-2000.
[2003/03/03 13:28:07, 3] lib/util_seaccess.c:se_access_check(267)
[2003/03/03 13:28:07, 3] lib/util_seaccess.c:se_access_check(268)
se_access_check: user sid is S-1-5-21-3642312925-2943760701-1776766777-2000
se_access_check: also S-1-5-21-3642312925-2943760701-1776766777-2025
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-3642312925-2943760701-1776766777-512
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2003/03/03 13:28:07, 5] lib/util_seaccess.c:se_access_check(331)
se_access_check: access (211) denied.
[2003/03/03 13:28:07, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(91)
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2003/03/03 13:28:07, 5] rpc_parse/parse_prs.c:prs_debug(81)
000000 samr_io_r_open_domain
I'm afraid that this doesn't help me. What am I missing?
Thanks,
Chris Kearns
RPM Samba.spec diffs:
---------------
...
--with-libsmbclient \
--with-acl-support \
--with-with-profile \
--disable-static \
--with-msdfs \
--with-ldapsam
...
smb.conf:
-------------
[global]
ldap server = shac
ldap port = 389
ldap suffix = dc=sybernet, dc=ie
ldap admin dn = cn=manager, dc=sybernet, dc=ie
ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
character set = iso8859-1
log level = 10
domain admin group = " @"Domain Admins" "
domain guest group = " @"Domain Guests" "
workgroup = SYBERNET
netbios name = shac
server string = Samba PDC %v %h
hosts allow = 194.125.32. 127.
printcap name = /etc/printcap
load printers = yes
printing = lprng
guest account = Guest
log file = /var/log/samba/%m.log
max log size = 50000
security = user
password server = shac
encrypt passwords = yes
unix password sync = Yes
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 127.0.0.1 194.125.32.101/8
local master = yes
os level = 64
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%N\profiles\%u
logon home = \\%N\homes
logon drive = M:
logon script = logon.cmd
dns proxy = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0644
directory mode = 0755
[netlogon]
comment = Network Logon Service
path = /space/system/samba/netlogon
writable = no
write list = administrator
[profiles]
comment = Profiles Store
path = /space/system/samba/profiles
writable = yes
valid users = " @"Domain Users" "
admin users = " @"Domain Admins" "
create mask = 0755
force create mode = 020
directory mask = 02755
force directory mode = 02070
map system = yes
map hidden = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
------------------------------------------------------
SyberNet Ltd. Tel: +353 (0)91 514400
Galway Business Park Fax: +353 (0)91 514409
Dangan DDI: +353 (0)91 514401
Galway email: chris.kearns at sybernet.ie
Ireland WWW: www.sybernet.com
------------------------------------------------------