[Samba] URGENT: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)

boka boka at sto-procent.art.pl
Mon Oct 6 12:51:07 GMT 2003


Hi!

I have samba-3.0.0 with the --with-ldapsam option compiled in, and I cannot
add a machine into the domain - I can log into the domain from a machine added
before the upgrade from 2.2.8a to 3.0.0. From my logs:

[2003/10/06 14:46:50, 2, pid=26614, effective(0, 0), real(0, 0)] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[(&(&(uid=Administrator)(objectclass=sambaAccount))(objectclass=sambaAccount))]
[2003/10/06 14:46:50, 2, pid=26614, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:init_sam_from_ldap(460)
  init_sam_from_ldap: Entry found for user: administrator
[2003/10/06 14:46:50, 2, pid=26614, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=200))]
[2003/10/06 14:46:50, 2, pid=26614, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=1014))]
[2003/10/06 14:46:50, 2, pid=26614, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(297)
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [administrator] succeeded
[2003/10/06 14:46:50, 2, pid=26614, effective(0, 0), real(0, 0)] lib/access.c:check_access(322)
  Allowed connection from  (10.10.12.51)
[2003/10/06 14:46:51, 2, pid=26614, effective(1000, 200), real(0, 0)] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2540)
  Returning domain sid for domain DOMAIN -> S-1-5-21-133419789-486977345-1400590255
[2003/10/06 14:46:51, 2, pid=26614, effective(1000, 200), real(0, 0)] rpc_server/srv_samr_nt.c:access_check_samr_object(92)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2003/10/06 14:46:51, 2, pid=26614, effective(1000, 200), real(0, 0)] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2540)
  Returning domain sid for domain DOMAIN -> S-1-5-21-133419789-486977345-1400590255
[2003/10/06 14:46:51, 2, pid=26614, effective(1000, 200), real(0, 0)] rpc_server/srv_samr_nt.c:access_check_samr_function(114)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2003/10/06 14:46:51, 2, pid=26614, effective(0, 0), real(0, 0)] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[(&(&(uid=Administrator)(objectclass=sambaAccount))(objectclass=sambaAccount))]
[2003/10/06 14:46:51, 2, pid=26614, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:init_sam_from_ldap(460)
  init_sam_from_ldap: Entry found for user: administrator
[2003/10/06 14:46:51, 2, pid=26614, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(297)
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [administrator] succeeded
[2003/10/06 14:46:51, 2, pid=26614, effective(0, 0), real(0, 0)] lib/access.c:check_access(322)

[root at codo samba]# smbldap-usershow.pl administrator
dn: uid=administrator,ou=Users,dc=EUROZET,dc=PL
cn: administrator
sn: administrator
uid: administrator
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/users/administrator
loginShell: /bin/bash
gecos: System User
description: System User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaAccount
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: System User
acctFlags: [UX]
rid: 3000
primaryGroupID: 1401
homeDrive: H:
smbHome: \\IO\homes
profilePath: \\IO\profiles\administrator
scriptPath: administrator.cmd
lmPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ntPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[root at codo /]# getent group|grep 200
Domain Admins:x:200:administrator

from smb.conf:
        add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
        add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u

The files are in the right place - /usr/local/sbin ....

        passdb backend = ldapsam_compat
        ldap suffix = dc=POLSKA,dc=PL
        ldap admin dn = "cn=Manager,dc=POLSKA,dc=PL"
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap port = 389
        ldap server = 127.0.0.1
        ldap ssl = No
        ldap passwd sync = Yes
        ldap filter = (&(uid=%u)(objectclass=sambaAccount))

PS. With samba-2.2.8a everything works OK.

-- 
"We should declare war on North Vietnam. We could pave the whole
country, turn it into a parking lot and still be home by Christmas"
Ronald Reagan
Regards, boka at sto-procent.art.pl


