[Samba] ACCESS DENIED when trying to log into domain

Ken Miller klm at shetlandsoftware.com
Wed Jul 7 01:24:46 GMT 2004


I'm in the process of setting up a domain controller (moving from a 
workgroup configuration).  I've installed the latest version of Samba 
(3.0.5), and have configured it to work as a PDC.  However, when I try 
to connect to the domain, I get an 'Access Denied' message after 
entering my userid and password.  Here's the snip from the client system 
log:

[2004/07/06 12:01:15, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [miller] -> [miller] -> [miller] succeeded
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain SHETLAND -> S-1-5-21-194255544-2319376921-1693202501
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain SHETLAND -> S-1-5-21-194255544-2319376921-1693202501
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2004/07/06 12:01:15, 2] smbd/server.c:exit_server(568)
  Closing connections

As you can see, my userid and password are accepted, but something to do 
with the domain SID for SHETLAND is causing access to be denied. 

I'm really not sure what is causing this problem.  I have configured 
Samba to act as a domain controller, but that was a few years ago with 
Windows NT - things have obviously changed since then :-)

Here's my smb configuration, as returned from testparm:

Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = SHETLAND
        log level = 2
        log file = /var/log/samba/log.%m
        time server = Yes
        server signing = Yes
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        logon script = logon.bat
        logon path = \\%L\profiles\%u\%m
        logon drive = H:
        logon home = \\%L\%u\.win_profile\%m
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes

[netlogon]
        path = /usr/local/samba/lib/netlogon
        guest ok = Yes
        browseable = No

[profiles]
        path = /usr/local/samba/lib/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[homes]
        read only = No
        browseable = No

I've googled, and have not found any solutions, so I'm tossing out this 
query to the list - any suggestions are certainly welcome.

Cheers!

    -klm.
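
Added example, not part of the original post: a small decoder for the SAMR access masks in the log above, showing that the denied request differs from the granted mask only by bit 0x10, the right to create a user account in the domain. The right names are taken from the MS-SAMR domain access mask definitions and are an assumption here, since the post only shows the hex values; the sample log is the post's own lines, including one mail-wrapped line.

```python
import re

# Domain-object access rights as named in MS-SAMR (assumption: not shown in the post).
DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

# Log lines copied from the post; the last entry is left mail-wrapped on purpose.
SAMPLE_LOG = """\
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required:
0x00000010)
"""

def decode(mask):
    """Return the names of the domain rights set in mask, lowest bit first."""
    names = [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(DOMAIN_RIGHTS)  # bits outside the domain-specific range
    if unknown:
        names.append(f"UNKNOWN({unknown:#x})")
    return names

def denied_events(log):
    """Find ACCESS DENIED entries and report which required rights were not granted."""
    flat = re.sub(r"\s+", " ", log)  # undo line wrapping inside an entry
    events = []
    for m in re.finditer(r"(\w+): ACCESS DENIED \(([^)]*)\)", flat):
        masks = {k: int(v, 16)
                 for k, v in re.findall(r"(\w+): (0x[0-9a-fA-F]+)", m.group(2))}
        missing = masks.get("required", 0) & ~masks.get("granted", 0)
        events.append({"call": m.group(1), "masks": masks, "missing": decode(missing)})
    return events

if __name__ == "__main__":
    for ev in denied_events(SAMPLE_LOG):
        decoded = {k: decode(v) for k, v in ev["masks"].items()}
        print(ev["call"], decoded, "missing:", ev["missing"])
```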




