[Samba] LDAP - _samr_open_domain: ACCESS DENIED
Erik Holst Trans
eht at it-trans.dk
Tue Jan 27 20:12:14 GMT 2004
Hi,
I am trying to get Samba running with an LDAP password backend, but am
having some trouble with the rights.
Dist. : SuSE 9.0
LDAP: OpenLDAP 2.1.22
Samba: 3.0.1
It works great when I log in from a Win98 box, but when I try to
import a WinXP box I get the following in my log file.
//--snip--
[2004/01/27 20:36:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2004/01/27 20:36:25, 2] smbd/server.c:exit_server(558)
  Closing connections
//--snip--
I suppose my problem is in the group mappings?
My current mappings are like below:
Domain Admins (S-1-5-21-3079347702-147214601-1898991890-512) -> Domain Admins
Domain Users (S-1-5-21-3079347702-147214601-1898991890-513) -> Domain Users
Domain Guests (S-1-5-21-3079347702-147214601-1898991890-514) -> Domain Guests
Administrators (S-1-5-21-3079347702-147214601-1898991890-544) -> Administrators
users (S-1-5-21-3079347702-147214601-1898991890-545) -> Users
Guests (S-1-5-21-3079347702-147214601-1898991890-546) -> Guests
Power Users (S-1-5-21-3079347702-147214601-1898991890-547) -> Power Users
Account Operators (S-1-5-21-3079347702-147214601-1898991890-548) -> Account Operators
Server Operators (S-1-5-21-3079347702-147214601-1898991890-549) -> Server Operators
Print Operators (S-1-5-21-3079347702-147214601-1898991890-550) -> Print Operators
Backup Operators (S-1-5-21-3079347702-147214601-1898991890-551) -> Backup Operators
Replicator (S-1-5-21-3079347702-147214601-1898991890-552) -> Replicator
Domain Computers (S-1-5-21-3079347702-147214601-1898991890-553) -> Domain Computers
This is the default after running "smbldap-populate.pl" from the ldap-tools.
From the documentation, the "Domain Admins" have to be mapped to
unixgroup=root or another group with gidnumber=0 (right?)
Now, executing "net groupmap modify ntgroup="Domain Admins"
unixgroup=root type=domain" is successful, but the mappings don't change:
"Domain Admins" is still pointing at "Domain Admins"?
I also tried to create a POSIX group in LDAP with gidnumber=0, and made
a mapping from the "Domain Admins", but the mapping still doesn't change.
Could someone kindly point me in the right direction?
Thanks.
Best regards
Erik