[Samba] Samba3 and Domain Admin group mapping and use pbms.

Jérôme Fenal jerome.fenal at logicacmg.com
Fri Nov 21 11:43:09 GMT 2003


Bon appétit, everyone,

I have a small problem regarding delegation of domain administrator 
rights to a 'normal' user (i.e. not root, uid != 0).

I may have fooled myself into believing it is possible in Samba3, reading 
Samba-HOWTO-Collection.html#WKURIDS, that a user could also be a domain 
admin.

I've created group mappings (with the correct RIDs) for the main groups (i.e. 
SID-512, SID-513, SID-514; I even tested SID-544, SID-548) and associated 
my user `jerome' with SID-512, the Domain Admins group.

Then, with that user logged on to a freshly joined XP workstation, I 
tried to launch MS usermgr.exe to manage users. It used to work when my 
user jerome was in the [global] `admin users =' clause, but not any more.

I have the following messages in the log. Since I don't know what an 
ACE is, I can't go further, and am asking (once again) for help:

[2003/11/21 12:16:06, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
   _samr_open_group: access check ((granted: 0x00020381;  required: 0x00000200)
[2003/11/21 12:16:06, 10] lib/util_seaccess.c:se_access_check(234)
   se_access_check: requested access 0x0000001f, for NT token with 7 entries and first sid S-1-5-21-1150874807-1180408084-xxxxxxxxx-3000.
[2003/11/21 12:16:06, 3] lib/util_seaccess.c:se_access_check(251)
[2003/11/21 12:16:06, 3] lib/util_seaccess.c:se_access_check(252)
   se_access_check: user sid is S-1-5-21-1150874807-1180408084-429402335-3000
   se_access_check: also S-1-5-21-1150874807-1180408084-xxxxxxxxx-2027
   se_access_check: also S-1-1-0
   se_access_check: also S-1-5-2
   se_access_check: also S-1-5-11
   se_access_check: also S-1-5-21-1150874807-1180408084-xxxxxxxxx-513
   se_access_check: also S-1-5-21-1150874807-1180408084-xxxxxxxxx-512
   se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20011, current desired = 1f
   se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f001f, current desired = e
   se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f001f, current desired = e
[2003/11/21 12:16:06, 5] lib/util_seaccess.c:se_access_check(315)
   se_access_check: access (1f) denied.
[2003/11/21 12:16:06, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
   _samr_open_group: ACCESS DENIED  (requested: 0x0000001f)

My questions:
- Am I really fooling myself in believing it is possible?
- Am I stuck with using 'admin users = too,many,users,here,mapped,to,root'?
- What is the sambaGroupType in LDAP (I noticed that 2 is a domain group, 
5 is builtin)? What are the other values?
- Are the builtins cited at Samba-HOWTO-Collection.html#WKURIDS really groups?
- Are they usable for a user, as it seems se_access_check looks for them?
- Should I first rebuild my config with TDBSAM (as advised in Chapter 
12, #id2895268) and then migrate it to LDAP?

My setup (same as last time):
- Samba 3.0.1pre3 (RPM recompiled at home from the samba.org SRPM);
- OpenLDAP 2.0.27 (stock RH9) + Solaris RootDSE patch, all on RH9;
- Two LDAP servers (one master, one slave, replication of the whole base);
- Samba set up as PDC + BDC, using the Samba3 LDAP schema.

Best, best regards,

Jérôme

-- 
Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
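The denial in the log above can be reproduced by walking the token and the ACL exactly as Samba printed them. What follows is an added example, not code from the original post and not Samba's own implementation: a simplified Python model of se_access_check() in which each ACCESS_ALLOWED ACE whose SID is present in the token clears the bits it grants from the requested mask, and the check passes only when no requested bit is left (owner, SYSTEM and MAXIMUM_ALLOWED handling, and inherited-ACE flags, are deliberately left out). The token SIDs, ACEs and masks are transcribed from the log; the masked domain sub-authority is kept as "xxxxxxxxx" exactly as the log prints it, since only string equality matters here.

```python
"""Replay of the se_access_check() trace from the log (simplified model).

Added example, not Samba code. Token, ACL and masks are copied from the
log output above; the domain SID prefix keeps the log's masking.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

ACCESS_ALLOWED_ACE_TYPE = 0   # "type 0" in the log
ACCESS_DENIED_ACE_TYPE = 1

# Domain prefix as printed in the log (third sub-authority masked there).
DOMAIN = "S-1-5-21-1150874807-1180408084-xxxxxxxxx"

# The 7 token entries listed under "user sid is" / "also".
LOG_TOKEN = [
    DOMAIN + "-3000",   # the user
    DOMAIN + "-2027",   # primary group
    "S-1-1-0",          # Everyone
    "S-1-5-2",          # Network logon
    "S-1-5-11",         # Authenticated Users
    DOMAIN + "-513",    # Domain Users
    DOMAIN + "-512",    # Domain Admins (the mapping from the post)
]


@dataclass(frozen=True)
class Ace:
    ace_type: int
    sid: str
    mask: int


# ACE 0..2 with the masks the log shows.
LOG_ACL = [
    Ace(ACCESS_ALLOWED_ACE_TYPE, "S-1-1-0", 0x20011),
    Ace(ACCESS_ALLOWED_ACE_TYPE, "S-1-5-32-544", 0xF001F),  # BUILTIN\Administrators
    Ace(ACCESS_ALLOWED_ACE_TYPE, "S-1-5-32-548", 0xF001F),  # BUILTIN\Account Operators
]

REQUESTED = 0x1F   # "requested access 0x0000001f"


def samr_function_check(granted: int, required: int) -> bool:
    """Model of access_check_samr_function(): every required bit must be granted."""
    return (granted & required) == required


def se_access_check(token_sids: Iterable[str], acl: Sequence[Ace],
                    desired: int) -> Tuple[bool, int, List[str]]:
    """Walk the ACL in order; return (granted?, bits still outstanding, trace)."""
    token = set(token_sids)
    remaining = desired
    trace: List[str] = []
    for i, ace in enumerate(acl):
        trace.append(f"ACE {i}: SID = {ace.sid} mask = {ace.mask:x}, "
                     f"current desired = {remaining:x}")
        if ace.sid not in token:
            continue  # ACE names a SID the caller does not hold: no effect
        if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~ace.mask  # these bits are now satisfied
        elif ace.ace_type == ACCESS_DENIED_ACE_TYPE and (remaining & ace.mask):
            trace.append(f"ACE {i}: explicit deny hits outstanding bits")
            return False, remaining, trace
        if remaining == 0:
            break
    granted = remaining == 0
    trace.append(f"access ({desired:x}) {'granted' if granted else 'denied'}")
    return granted, remaining, trace


def run_log_case() -> Tuple[bool, int]:
    """The exact situation from the log: Domain Admins in token, builtins not."""
    granted, remaining, _ = se_access_check(LOG_TOKEN, LOG_ACL, REQUESTED)
    return granted, remaining


def run_with_builtin_admins() -> Tuple[bool, int]:
    """Same request, but with BUILTIN\\Administrators (S-1-5-32-544) in the token."""
    granted, remaining, _ = se_access_check(LOG_TOKEN + ["S-1-5-32-544"],
                                            LOG_ACL, REQUESTED)
    return granted, remaining


if __name__ == "__main__":
    # The per-function check earlier in the log passed: 0x200 is within 0x20381.
    print("samr function check:", samr_function_check(0x00020381, 0x00000200))
    for line in se_access_check(LOG_TOKEN, LOG_ACL, REQUESTED)[2]:
        print("  " + line)
    print("with S-1-5-32-544 in token:", run_with_builtin_admins())
```

Run as is, the replay matches the log: Everyone (S-1-1-0) grants 0x20011, which clears bits 0x11 of the 0x1f request and leaves 0xe outstanding; the only ACEs carrying those bits name S-1-5-32-544 and S-1-5-32-548, and neither SID is in the token, so the request is denied even though the domain RID 512 group is present. Adding S-1-5-32-544 to the token makes the same request succeed, which is why the builtin-group questions in the post matter for this check.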