[Samba] Bug or misconfiguration

mike at jurney.org mike at jurney.org
Fri Nov 14 21:58:40 GMT 2003


I'm not sure which I'm dealing with.  I have a user that is in the Domain
Admins group, is able to log into the domain, and is able to open
usrmgr.exe and view the user list.  When I try to view any user or group
with usrmgr.exe, however, I get a Windows popup saying 'Access is denied.'
In Samba's logs, I see this sequence:

[2003/11/14 17:52:02, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2022136750-1217293046-222576647-1108
  se_access_check: also S-1-5-21-2022136750-1217293046-222576647-513
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-2022136750-1217293046-222576647-101
  se_access_check: also S-1-5-21-2022136750-1217293046-222576647-512
  se_access_check: also S-1-5-21-2022136750-1217293046-222576647-100
  se_access_check: also S-1-5-21-2022136750-1217293046-222576647-2657
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
  se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-21-2022136750-1217293046-311576647-1007 mask = 20044, current desired = 400a4
[2003/11/14 17:52:02, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (601bf) denied.

Because the user (uid/rid 1108) is in the domain admins group (gid/rid
512) he should be able to view user properties, correct?

-- 
Michael D. Jurney
mike at jurney.org
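
Added example (not part of the original post, and not Samba's code): a simplified replay of the ACE walk recorded in the log above. It assumes only type 0 (access-allowed) ACEs matter and that an ACE applies when its SID is one of the SIDs the log lists for the user; the function and variable names are hypothetical.

```python
import re

# Constructed input: the se_access_check lines quoted in the post above, with
# the mail-wrapped ACE 3 line rejoined and the timestamp headers left out.
LOG = """\
se_access_check: user sid is S-1-5-21-2022136750-1217293046-222576647-1108
se_access_check: also S-1-5-21-2022136750-1217293046-222576647-513
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-2022136750-1217293046-222576647-101
se_access_check: also S-1-5-21-2022136750-1217293046-222576647-512
se_access_check: also S-1-5-21-2022136750-1217293046-222576647-100
se_access_check: also S-1-5-21-2022136750-1217293046-222576647-2657
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
se_access_check: ACE 3: type 0, flags = 0x00, SID = S-1-5-21-2022136750-1217293046-311576647-1007 mask = 20044, current desired = 400a4
se_access_check: access (601bf) denied.
"""

SID_RE = re.compile(r"(?:user sid is|also) (S-[\d-]+)")
ACE_RE = re.compile(r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, SID = (S-[\d-]+)"
                    r" mask = ([0-9a-f]+), current desired = ([0-9a-f]+)")

def replay(log):
    """Walk the logged ACEs; return (requested, still_missing, steps)."""
    token = set(SID_RE.findall(log))            # every SID listed for the user
    aces = ACE_RE.findall(log)
    requested = remaining = int(aces[0][4], 16)  # desired mask before ACE 0
    steps = []
    for idx, ace_type, sid, mask, logged in aces:
        if int(logged, 16) != remaining:         # cross-check against the log
            raise ValueError(f"replay diverged from log at ACE {idx}")
        matched = ace_type == "0" and sid in token
        if matched:
            remaining &= ~int(mask, 16)          # clear the bits this ACE grants
        steps.append((int(idx), sid, matched, remaining))
    return requested, remaining, steps

if __name__ == "__main__":
    requested, missing, steps = replay(LOG)
    for idx, sid, matched, left in steps:
        print(f"ACE {idx} {sid}: {'match' if matched else 'no match'}, still needed {left:#x}")
    print(f"requested {requested:#x}, unsatisfied {missing:#x}")
```

On the quoted log the replay leaves 0x400a4 outstanding: only ACE 0 (S-1-1-0) matches a SID listed for the user, and the SIDs on ACEs 1 to 3 do not appear in that list.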



