[Samba] Domain Admin Group privileges

Greg Kuchyt kuchyt25 at potsdam.edu
Fri Apr 23 13:52:05 GMT 2004


Using Samba 3.0.2 (specifically the samba-3.0.2-7.FC1 Fedora package)
with LDAP as a passdb backend, I'm encountering problems with Domain
Groups. I have come across various postings, some to this list, from
people who are experiencing similar problems. However, I have not found
any information as to the cause/solution. The problem is as follows. I
have the following group configurations in LDAP:

Windows Domain accounts:

dn: cn=Domain Guests,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Guests
gidNumber: 1000

dn: cn=Domain Admins,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Admins
gidNumber: 1001

dn: cn=Domain Users,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Users
gidNumber: 1002

Local Unix accounts:

dn: cn=nobody,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: nobody
gidNumber: 99
sambaSID: S-1-5-21-688789465-4019127931-1496692998-514
sambaGroupType: 2
displayName: Domain Guests
description: Local Unix group

dn: cn=users,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-688789465-4019127931-1496692998-513
sambaGroupType: 2
displayName: Domain Users
description: Local Unix group

dn: cn=wheel,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 10
sambaSID: S-1-5-21-688789465-4019127931-1496692998-512
sambaGroupType: 2
displayName: Domain Admins
description: Local Unix group


If the user 'root' is added to samba/ldap and assigned to the "Domain
Admins" domain group, then 'root' is allowed domain administrator access
as it should be. If you create a new user account, say 'blinky', and add
'blinky' to the "Domain Admins" group, 'blinky' does not have full
Domain Admin access. For example, 'blinky' cannot use the "USRMGR.EXE"
administration tool, while root can without any problem. However,
'blinky' CAN remove a machine from the domain, but not add.

I have done a seemingly exhaustive search for information regarding this
problem to find no explicit explanation/solution. Packet captures did
not produce any meaningful information for me personally. The logs have
presented me with rather cryptic leads as to the problem. Googling for
these errors presented me with a few similar cases, but no definite
causes or solutions. Attached below is the output from the logs at debug
levels 2 & 3 as they give different error information.

Log for debug level 2:

[2004/04/22 15:55:58, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: kuchytgj
[2004/04/22 15:55:58, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 10
[2004/04/22 15:55:58, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [kuchytgj] -> [kuchytgj]
-> [kuchytgj] succeeded
[2004/04/22 15:55:58, 2] lib/access.c:check_access(324)
  Allowed connection from  (137.143.98.202)
[2004/04/22 15:55:59, 2] smbd/server.c:exit_server(558)
  Closing connections
[2004/04/22 15:55:59, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: kuchytgj
[2004/04/22 15:55:59, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 10
[2004/04/22 15:55:59, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [kuchytgj] -> [kuchytgj]
-> [kuchytgj] succeeded
[2004/04/22 15:55:59, 2] lib/access.c:check_access(324)
  Allowed connection from  (137.143.98.202)
[2004/04/22 15:55:59, 2]
rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain DEVPOTSDAM ->
S-1-5-21-688789465-4019127931-1496692998
[2004/04/22 15:55:59, 2]
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/04/22 15:55:59, 2]
rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain DEVPOTSDAM ->
S-1-5-21-688789465-4019127931-1496692998
[2004/04/22 15:55:59, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required:
0x00000010)
[2004/04/22 15:56:00, 2] smbd/server.c:exit_server(558)

Log for debug level 3:

[2004/04/22 15:43:11, 3] smbd/reply.c:reply_ulogoffX(1108)
  ulogoffX vuid=100
[2004/04/22 15:43:11, 3] smbd/process.c:process_smb(890)
  Transaction 41 of length 39
[2004/04/22 15:43:11, 3] smbd/process.c:switch_message(685)
  switch message SMBtdis (pid 13906)
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 3] smbd/service.c:close_cnum(887)
  dun210-12239 (137.143.98.202) closed connection to service IPC$
[2004/04/22 15:43:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2004/04/22 15:43:11, 4] smbd/vfs.c:vfs_ChDir(654)
  vfs_ChDir to /
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
[2004/04/22 15:43:11, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/04/22 15:43:11, 2] smbd/server.c:exit_server(558)
  Closing connections
[2004/04/22 15:43:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2004/04/22 15:43:11, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does
not exist.
[2004/04/22 15:43:11, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)

I am not ruling out that the groups may be misconfigured. I have
encountered much debate/confusion regarding the proper setup of Domain
to local group mapping in LDAP. Thank you in advance for your time, and
any help you are able to provide.

--
Greg
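The following is an added example, not code from the post above or from Samba. It takes a subset of the LDIF group entries and the two ACCESS DENIED lines quoted in the post (constructed inline, with the lines the mailer wrapped rejoined), checks the sambaGroupMapping entries for the things that usually go wrong with domain-to-Unix group mapping (a group named like a domain group that carries no sambaSID, a well-known RID mapped twice, a sambaGroupType other than 2, a displayName that disagrees with the RID), and decodes the SAMR domain access masks using the bit names from MS-SAMR. The minimal LDIF reader handles only plain `attr: value` lines, which is all the post's entries use.

```python
"""Added example, not code from the post or from Samba: parse the group entries
and log lines quoted in the post, check the sambaGroupMapping entries for
consistency, and decode the SAMR domain access masks in the ACCESS DENIED lines.
SAMPLE_LDIF and SAMPLE_LOG are constructed from the post (wrapped lines rejoined)."""
import re

# Well-known domain-relative RIDs (MS-DTYP); the post's mappings use these.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Domain-object access bits, named as in MS-SAMR 2.2.1.4.  Samba's headers use
# their own names for the same bit values; 0x10 is CREATE_USER in both.
SAMR_DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS", 0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS", 0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER", 0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS", 0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS", 0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,o=potsdam.edu
objectClass: posixGroup
cn: Domain Admins
gidNumber: 1001

dn: cn=users,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-688789465-4019127931-1496692998-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=wheel,ou=Groups,o=potsdam.edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 10
sambaSID: S-1-5-21-688789465-4019127931-1496692998-512
sambaGroupType: 2
displayName: Domain Admins
"""

SAMPLE_LOG = """\
_samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
_samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes kept as lists (no base64, no folding)."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def check_group_mappings(entries):
    """Return (findings, rid_owner): human-readable consistency findings and a
    map of RID -> Unix group cn whose sambaSID carries that RID."""
    findings, rid_owner = [], {}
    for e in entries:
        cn = e["cn"][0]
        if "sambaGroupMapping" not in e["objectClass"]:
            # A plain posixGroup carries no SID, so membership in it adds no
            # domain group to a user's token, whatever the group is called.
            if cn in WELL_KNOWN_RIDS.values():
                findings.append(f"{cn}: named like a domain group but has no sambaSID")
            continue
        rid = int(e["sambaSID"][0].rsplit("-", 1)[1])
        if rid in rid_owner:
            findings.append(f"RID {rid} mapped twice: {rid_owner[rid]} and {cn}")
        rid_owner[rid] = cn
        if e.get("sambaGroupType", ["?"])[0] != "2":
            findings.append(f"{cn}: sambaGroupType {e.get('sambaGroupType')} is not 2 (domain group)")
        expected = WELL_KNOWN_RIDS.get(rid)
        shown = e.get("displayName", [cn])[0]
        if expected and shown != expected:
            findings.append(f"{cn}: RID {rid} is {expected} but displayName is {shown}")
    return findings, rid_owner


def decode_mask(mask):
    """Names of the MS-SAMR domain rights set in an access mask, low bit first."""
    return [name for bit, name in sorted(SAMR_DOMAIN_RIGHTS.items()) if mask & bit]


DENIED_RE = re.compile(
    r"(_samr_\w+): ACCESS DENIED\s*\((requested|granted): (0x[0-9a-fA-F]+)"
    r"(?:;\s*required:\s*(0x[0-9a-fA-F]+))?\)")


def explain_denials(log_text):
    """Map each ACCESS DENIED function to the decoded masks from its log line;
    for granted/required lines also list the rights the caller was missing."""
    out = {}
    for func, kind, first, required in DENIED_RE.findall(log_text):
        first = int(first, 16)
        if kind == "requested":
            out[func] = {"requested": decode_mask(first)}
        else:
            out[func] = {"granted": decode_mask(first),
                         "missing": decode_mask(int(required, 16) & ~first)}
    return out


if __name__ == "__main__":
    findings, owners = check_group_mappings(parse_ldif(SAMPLE_LDIF))
    print("\n".join(findings) or "no findings")
    print({rid: owners.get(rid) for rid in WELL_KNOWN_RIDS})
    for func, info in explain_denials(SAMPLE_LOG).items():
        print(func, info)
```

Run as a script, it reports one finding for the LDIF subset (the posixGroup called "Domain Admins", gid 1001, carries no sambaSID; the RID-512 mapping belongs to "wheel") and decodes the two denials: _samr_open_domain asked for READ_PASSWORD_PARAMETERS, CREATE_USER and LOOKUP, and _samr_create_user was refused with CREATE_USER missing from the granted mask. A domain join creates the machine account through that call, so the missing bit is consistent with the symptom that 'blinky' can remove a machine but not add one. Whether the unmapped "Domain Admins" posixGroup is the cause is not settled in the post; the check only makes the mapping state visible.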


