[Samba] samba-3 problem joining ws to domain

Rauno Tuul rauno.tuul at haigekassa.ee
Thu Sep 11 15:44:22 GMT 2003


Howdi,

I can't add a w2k workstation to the samba3 domain with my username. If I add my
username to the "admin users" list, then I can add the box to the domain (but
overridden by euid). My goal is that joining the domain can be done without
using the "admin users" option.

Group mapping is done and works. When the machine is in the domain and I log in, I get
full admin rights on that box. Removing the box from the domain works every time.
The error message in Windows is: "Logon failure: invalid user name or bad
password".

In the log files (debug level 10), lines such as these appear:
...
[2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
  se_access_check: access (211) denied.
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x00000201;  required: 0x00000010)
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
...

When the user is in the admin users list, this happens instead:
_samr_open_domain: ACCESS should be DENIED  (requested: 0x00000211)
  but overritten by euid == sec_initial_uid()
... after that, access is granted.

What's wrong? Could someone please tell me what is wrong with my setup?

# smb.conf
        passdb backend = ldapsam:ldaps://alfa.sf.lan, guest
        delete user script = /usr/local/sbin/smbldap-userdel.pl %u
        add group script = /usr/local/sbin/smbldap-groupadd.pl %g
        add machine script = /usr/local/sbin/smbldap-computeradd.pl %u
        ldap suffix = dc=ehk,dc=lan
        ldap machine suffix = ou=Computers,dc=ehk,dc=lan,dc=ehk,dc=lan
        ldap user suffix = ou=Users,dc=ehk,dc=lan,dc=ehk,dc=lan
        ldap admin dn = cn=Manager,dc=ehk,dc=lan
        force user = %U
        force group = users

# 
Unix username:        khk_rauno.tuul
User SID:             S-1-5-21-1347305728-752463190-2852647101-3000
Primary Group SID:    S-1-5-21-1347305728-752463190-2852647101-1443

# net groupmap list
Domain Users (S-1-5-21-1347305728-752463190-2852647101-513) -> domain_users
Users (S-1-5-21-1347305728-752463190-2852647101-1443) -> users
Domain Admins (S-1-5-21-1347305728-752463190-2852647101-512) -> domain_admins
Administrators (S-1-5-21-1347305728-752463190-2852647101-1441) -> administrators

#
domain_admins:x:200:khk_rauno.tuul
domain_users:x:201:khk_rauno.tuul
administrators:x:220:khk_rauno.tuul
users:x:221:
(these groups are stored in LDAP).

I also attached 2 log files with those messages.

Best regards,

 - Rauno Tuul -
 

-------------- next part --------------
...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_open_domain: access check ((granted: 0x00000030;  required: 0x00000020)
[2003/09/11 18:09:33, 10] lib/util_seaccess.c:se_access_check(250)
  se_access_check: requested access 0x00000211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
[2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(267)
[2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(268)
  se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
  se_access_check: access (211) denied.
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x00000201;  required: 0x00000010)
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 samr_io_r_create_user
[2003/09/11 18:09:33, 6] rpc_parse/parse_prs.c:prs_debug(81)
      000000 smb_io_pol_hnd user_pol
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0000 data1: 00000000
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint32(634)
          0004 data2: 00000000
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint16(605)
          0008 data3: 0000
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint16(605)
          000a data4: 0000
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint8s(721)
          000c data5: 00 00 00 00 00 00 00 00
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0014 access_granted: 00000000
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0018 user_rid : 00000000
[2003/09/11 18:09:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(664)
      001c status: NT_STATUS_ACCESS_DENIED
...
-------------- next part --------------
...
[2003/09/11 17:46:59, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_open_domain: access check ((granted: 0x00000030;  required: 0x00000020)
[2003/09/11 17:46:59, 10] lib/util_seaccess.c:se_access_check(250)
  se_access_check: requested access 0x00000211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
[2003/09/11 17:46:59, 3] lib/util_seaccess.c:se_access_check(267)
[2003/09/11 17:46:59, 3] lib/util_seaccess.c:se_access_check(268)
  se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2003/09/11 17:46:59, 5] lib/util_seaccess.c:se_access_check(331)
  se_access_check: access (211) denied.
[2003/09/11 17:46:59, 4] rpc_server/srv_samr_nt.c:access_check_samr_object(87)
  _samr_open_domain: ACCESS should be DENIED  (requested: 0x00000211)
  but overritten by euid == sec_initial_uid()
...
[2003/09/11 17:46:59, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x00000211;  required: 0x00000010)
[2003/09/11 17:46:59, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 221) : sec_ctx_stack_ndx = 1
[2003/09/11 17:46:59, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2003/09/11 17:46:59, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/09/11 17:46:59, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/09/11 17:46:59, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/09/11 17:46:59, 2] lib/smbldap.c:smbldap_search_suffix(1068)
  smbldap_search_suffix: searching for:[(&(uid=khk-smb-test$)(objectclass=sambaSamAccount))]
[2003/09/11 17:46:59, 2] passdb/pdb_ldap.c:init_sam_from_ldap(460)
  Entry found for user: khk-smb-test$
...
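The denial recorded in the attached logs can be replayed offline. The following is an added example, not part of the original mail and not Samba's own code: it parses the se_access_check debug lines copied from the first attachment and walks the DACL the way Samba 3's ACE loop does (each allow ACE whose SID is in the token clears the bits it grants from the still-desired mask; a deny ACE whose SID is in the token refuses on the spot). The function names `parse_log`, `evaluate` and `grantors_missing_from_token` are my own, and the model is simplified: it ignores owner rights and MAXIMUM_ALLOWED handling, neither of which appears in these log lines.

```python
import re

# Excerpt copied from the first attached log (debug level 10, 18:09:33).
LOG_EXCERPT = """\
  se_access_check: requested access 0x00000211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
  se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
"""

# ACE type values as used in the "type N" field of the log.
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1

REQ_RE = re.compile(r"requested access 0x([0-9a-fA-F]+)")
SID_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-[\d-]+)")
ACE_RE = re.compile(
    r"ACE (\d+): type (\d+), flags = 0x[0-9a-fA-F]+, SID = (S-[\d-]+) mask = ([0-9a-fA-F]+)"
)


def parse_log(text):
    """Return (requested_mask, token_sids, aces) pulled from the debug output."""
    requested = int(REQ_RE.search(text).group(1), 16)
    token = set(SID_RE.findall(text))
    aces = [(int(i), int(t), sid, int(mask, 16)) for i, t, sid, mask in ACE_RE.findall(text)]
    return requested, token, aces


def evaluate(requested, token, aces):
    """Simplified se_access_check: returns (granted, remaining_bits, trace).

    trace holds (ace_index, sid, desired_before_ace), which is exactly the
    'current desired' value the log prints on each ACE line."""
    desired = requested
    trace = []
    for idx, ace_type, sid, mask in aces:
        trace.append((idx, sid, desired))
        if desired == 0:
            break
        if sid not in token:          # ACE does not apply to this token
            continue
        if ace_type == ACCESS_DENIED and (mask & desired):
            return False, desired, trace
        if ace_type == ACCESS_ALLOWED:
            desired &= ~mask          # bits this ACE grants are no longer wanted
    return desired == 0, desired, trace


def grantors_missing_from_token(token, aces, remaining):
    """SIDs of allow ACEs that would cover the remaining bits but are not in the token."""
    return [sid for _, t, sid, mask in aces
            if t == ACCESS_ALLOWED and (mask & remaining) == remaining and sid not in token]


def analyse(text=LOG_EXCERPT):
    requested, token, aces = parse_log(text)
    granted, remaining, trace = evaluate(requested, token, aces)
    return {
        "requested": requested,
        "granted": granted,
        "remaining": remaining,
        "trace": trace,
        "missing": grantors_missing_from_token(token, aces, remaining),
    }


if __name__ == "__main__":
    r = analyse()
    for idx, sid, desired in r["trace"]:
        print(f"ACE {idx} ({sid}): desired before = 0x{desired:x}")
    print(f"granted={r['granted']} remaining=0x{r['remaining']:x} "
          f"only grantable via {r['missing']}")
```

Running it reproduces the log: ACE 0 (S-1-1-0, mask 0x20385) clears 0x200 and 0x1 but never carries 0x10, so 0x10 is still desired at ACE 1 and ACE 2, and those two ACEs name S-1-5-32-544 and S-1-5-32-548, neither of which is in the 15-entry token (the token's last entry, S-1-5-21-...-1441, is the group that `net groupmap list` shows mapped as "Administrators", not the BUILTIN SID). The same leftover bit is what the later `_samr_create_user` line reports as required 0x10 against granted 0x201.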

