Re: [Samba] W2K RAS Server in Samba 3.0.0 Domain

Beschorner Daniel Daniel.Beschorner at facton.de
Sun Oct 12 22:30:06 GMT 2003


I patched samba to always return ACCESS_GRANTED for testing.
So I came to this:

IASSAM.LOG
[556] 23:23:53:671: Inserting attribute msNPAllowDialin.
[556] 23:23:53:671: Successfully retrieved per-user attributes.

Dialin now "only" fails with "Dialin not allowed for user", but I'm not able
to set it in UserMgr.
Is it difficult to map this attribute?

Daniel

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Saturday, 11 October 2003 02:17
To: Beschorner Daniel
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] W2K RAS Server in Samba 3.0.0 Domain


On Sat, 2003-10-11 at 02:37, Beschorner Daniel wrote:
> We set up a DialIn W2K SP4 member server in our Samba 3.0.0 domain.
> 
> When a client dials in the RAS server complains:
> 
> Error 930: The authentication server did not respond to authentication
> requests in a timely fashion. 
> 
> 
> I tracked down the RAS logfile IASSAM.LOG:
> 
> [576] 18:30:34:921: NT-SAM Names handler received request with user identity root.
> [576] 18:30:34:921: Prepending default domain.
> [576] 18:30:34:921: SAM-Account-Name is "DOMAIN\root".
> [576] 18:30:34:921: NT-SAM Authentication handler received request for
> DOMAIN\root.
> [576] 18:30:34:921: Processing MS-CHAP v2 authentication.
> [576] 18:30:34:968: LogonUser succeeded.
> [576] 18:30:34:968: NT-SAM User Authorization handler received request for
> DOMAIN\root.
> [576] 18:30:34:968: Using downlevel dial-in parameters.
> [576] 18:30:34:968: DS not installed for domain DOMAIN.
> [576] 18:30:34:968: Connecting to SAM server on \\SERVER.
> [576] 18:30:35:093: Connecting to SAM server on \\SERVER.
> [576] 18:30:35:093: Per-user attribute retrieval failed: Access denied
> 
> 
> Here a corresponding "suspect" part of the level 10 smbd.log that breaks
> it?!?
> 
> 
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
>           0028 buffer     : D.O.M.A.I.N.
> [2003/10/10 18:30:37, 4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
>   Found policy hnd[0] [000] 00 00 00 00 02 00 00 00  00 00 00 00 AD DE 86 3F  ........ ....­Þ.?
>   [010] 56 50 00 00                                       VP..
> [2003/10/10 18:30:37, 5]
> rpc_server/srv_samr_nt.c:access_check_samr_function(106)
>   _samr_lookup_domain: access check ((granted: 0x00000020;  required:
> 0x00000010)
> [2003/10/10 18:30:37, 2]
> rpc_server/srv_samr_nt.c:access_check_samr_function(115)
>   _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020;  required:
> 0x00000010)
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_debug(81)
>   000000 samr_io_r_lookup_domain
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
>       0000 ptr: 00000000
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_ntstatus(664)
>       0004 status: NT_STATUS_ACCESS_DENIED

This looks like a bug to me - can you file it in bugzilla.samba.org - I
was involved in adding the access controls here, and I know there are
issues - we didn't get all the access masks perfect.

However, even when access is permitted, I'm not sure we serve up all the
right attributes anyway...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
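
The denied check in the quoted smbd.log can be decoded bit by bit. The following is an added example, not code from the thread or from Samba: it parses the `ACCESS DENIED` lines and names the granted and required bits using the SAMR server-object access rights from Microsoft's MS-SAMR specification. It assumes the handle checked in `_samr_lookup_domain` is the SAMR server (connect) handle; the function names `decode` and `find_denials` are hypothetical.

```python
import re

# SAMR server-object access rights as defined in MS-SAMR (assumption: the
# handle checked by _samr_lookup_domain is the server/connect handle).
SAM_SERVER_RIGHTS = {
    0x01: "SAM_SERVER_CONNECT",
    0x02: "SAM_SERVER_SHUTDOWN",
    0x04: "SAM_SERVER_INITIALIZE",
    0x08: "SAM_SERVER_CREATE_DOMAIN",
    0x10: "SAM_SERVER_ENUMERATE_DOMAINS",
    0x20: "SAM_SERVER_LOOKUP_DOMAIN",
}

# Log excerpt copied from the thread, with mail quoting and line wraps removed.
SAMPLE_LOG = """\
[2003/10/10 18:30:37, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_lookup_domain: access check ((granted: 0x00000020;  required: 0x00000010)
[2003/10/10 18:30:37, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020;  required: 0x00000010)
"""

DENIED = re.compile(
    r"(?P<func>\w+): ACCESS DENIED\s+\(granted: 0x(?P<granted>[0-9a-fA-F]+);"
    r"\s+required: 0x(?P<required>[0-9a-fA-F]+)\)"
)

def decode(mask):
    """Return the names of the set bits; unknown bits are shown as hex."""
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(SAM_SERVER_RIGHTS.get(bit, hex(bit)))
        bit <<= 1
    return names

def find_denials(log_text):
    """Extract each denied SAMR access check and the rights it was missing."""
    denials = []
    for m in DENIED.finditer(log_text):
        granted, required = int(m["granted"], 16), int(m["required"], 16)
        denials.append({
            "function": m["func"],
            "granted": decode(granted),
            "required": decode(required),
            "missing": decode(required & ~granted),
        })
    return denials

if __name__ == "__main__":
    for denial in find_denials(SAMPLE_LOG):
        print(denial)
```

On the logged values, the handle holds the lookup-domain right (0x20) while the check demands the enumerate-domains right (0x10).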


