[Samba] LDAP - _samr_open_domain: ACCESS DENIED

Erik Holst Trans eht at it-trans.dk
Tue Jan 27 20:12:14 GMT 2004


Hi,

I am trying to get Samba running with an LDAP password backend, but am having
some trouble with the rights.

Dist. : SuSE 9.0
LDAP: OpenLDAP 2.1.22
Samba: 3.0.1

It works great when I log in from a Win98 box, but when I try to
import a WinXP box I get the following in my log file.

//--snip--
[2004/01/27 20:36:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2004/01/27 20:36:25, 2] smbd/server.c:exit_server(558)
  Closing connections
//--snip--

I suppose my problem is in the group mappings?
My current mappings are as below:

Domain Admins (S-1-5-21-3079347702-147214601-1898991890-512) -> Domain Admins
Domain Users (S-1-5-21-3079347702-147214601-1898991890-513) -> Domain Users
Domain Guests (S-1-5-21-3079347702-147214601-1898991890-514) -> Domain Guests
Administrators (S-1-5-21-3079347702-147214601-1898991890-544) -> Administrators
users (S-1-5-21-3079347702-147214601-1898991890-545) -> Users
Guests (S-1-5-21-3079347702-147214601-1898991890-546) -> Guests
Power Users (S-1-5-21-3079347702-147214601-1898991890-547) -> Power Users
Account Operators (S-1-5-21-3079347702-147214601-1898991890-548) -> Account Operators
Server Operators (S-1-5-21-3079347702-147214601-1898991890-549) -> Server Operators
Print Operators (S-1-5-21-3079347702-147214601-1898991890-550) -> Print Operators
Backup Operators (S-1-5-21-3079347702-147214601-1898991890-551) -> Backup Operators
Replicator (S-1-5-21-3079347702-147214601-1898991890-552) -> Replicator
Domain Computers (S-1-5-21-3079347702-147214601-1898991890-553) -> Domain Computers

This is the default after running "smbldap-populate.pl" from the ldap-tools.
From the documentation, the "Domain Admins" have to be mapped to
unixgroup=root or another group with gidnumber=0 (right?).
Now, executing "net groupmap modify ntgroup="Domain Admins"
unixgroup=root type=domain" is successful, but the mappings don't change:
"Domain Admins" is still pointing at "Domain Admins"?

I also tried to create a POSIX group in LDAP with gidnumber=0, and made
a mapping from the "Domain Admins", but the mapping still doesn't change.


Could someone kindly point me in the right direction?

Thanks.


Best regards
Erik
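
Added example, not part of the original post and not Samba code: a small decoder for the SAMR domain access masks that appear in the "ACCESS DENIED" log lines above. The bit names are the domain-object access rights from the MS-SAMR specification (an assumption about naming; Samba's own source uses different constant names), and the function names are hypothetical.

```python
import re

# Domain-object access rights from MS-SAMR (names assumed from the spec,
# not taken from the post or from Samba's headers).
DOMAIN_RIGHTS = {
    0x0001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x0002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x0004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x0008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x0010: "DOMAIN_CREATE_USER",
    0x0020: "DOMAIN_CREATE_GROUP",
    0x0040: "DOMAIN_CREATE_ALIAS",
    0x0080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x0100: "DOMAIN_LIST_ACCOUNTS",
    0x0200: "DOMAIN_LOOKUP",
    0x0400: "DOMAIN_ADMINISTER_SERVER",
}

# The two denial lines from the post's log, including the mail line wrap.
LOG = """\
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 
0x00000010)
"""

DENIED = re.compile(r"(_samr_\w+): ACCESS DENIED\s*\((.*?)\)", re.S)
FIELD = re.compile(r"(\w+):\s*(0x[0-9a-fA-F]+)")

def decode(mask):
    """Return the right names set in mask, lowest bit first."""
    names = [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(DOMAIN_RIGHTS)  # generic/standard bits land here
    if unknown:
        names.append("unknown:0x%08x" % unknown)
    return names

def parse_denials(log):
    """Extract (function, {field: mask}) for every ACCESS DENIED entry."""
    return [(func, {k: int(v, 16) for k, v in FIELD.findall(body)})
            for func, body in DENIED.findall(log)]

def missing_rights(fields):
    """Rights that were required but not present in the granted mask."""
    return decode(fields.get("required", 0) & ~fields.get("granted", 0))

if __name__ == "__main__":
    for func, fields in parse_denials(LOG):
        for key, mask in fields.items():
            print(func, key, "0x%08x" % mask, decode(mask))
        if "required" in fields:
            print(func, "missing", missing_rights(fields))
```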









