[Samba] ACCESS DENIED when trying to log into domain
Ken Miller
klm at shetlandsoftware.com
Wed Jul 7 01:24:46 GMT 2004
I'm in the process of setting up a domain controller (moving from a
workgroup configuration). I've installed the latest version of Samba
(3.0.5), and have configured it to work as a PDC. However, when I try
and connect to the domain, I get an 'Access Denied' message after
entering my userid and password. Here's the snip from the client system
log:
[2004/07/06 12:01:15, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [miller] -> [miller] -> [miller] succeeded
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain SHETLAND -> S-1-5-21-194255544-2319376921-1693202501
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain SHETLAND -> S-1-5-21-194255544-2319376921-1693202501
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2004/07/06 12:01:15, 2] smbd/server.c:exit_server(568)
  Closing connections
As you can see, my userid and password are accepted, but something to do
with the domain SID for SHETLAND is causing access to be denied.
I'm really not sure what is causing this problem. I have configured
Samba to act as a domain controller, but that was a few years ago with
Windows NT - things have obviously changed since then :-)
Here's my smb configuration, as returned from testparm:
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
	workgroup = SHETLAND
	log level = 2
	log file = /var/log/samba/log.%m
	time server = Yes
	server signing = Yes
	add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	logon script = logon.bat
	logon path = \\%L\profiles\%u\%m
	logon drive = H:
	logon home = \\%L\%u\.win_profile\%m
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes

[netlogon]
	path = /usr/local/samba/lib/netlogon
	guest ok = Yes
	browseable = No

[profiles]
	path = /usr/local/samba/lib/profiles
	read only = No
	create mask = 0600
	directory mask = 0700
	browseable = No

[homes]
	read only = No
	browseable = No
I've googled, and have not found any solutions, so I'm tossing out this
query to the list - any suggestions are certainly welcome.
Cheers!
-klm.
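
Added example, not part of the original post and not Samba code: a small Python parser for the ACCESS DENIED lines in the log above that compares the granted and required masks and names the missing bits. It assumes the masks are SAMR domain-object access masks, with bit names taken from the MS-SAMR specification; the function names are hypothetical.

```python
import re

# Domain-object access bits as named in MS-SAMR (assumption: the masks in the
# log are domain-handle masks, which is where _samr_create_user checks access).
DOMAIN_BITS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

# The two denied entries from the post, wrapped the way they were mailed.
SAMPLE_LOG = """[2004/07/06 12:01:15, 2]
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/07/06 12:01:15, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required:
0x00000010)
"""

DENIED = re.compile(r"(_samr_\w+): ACCESS DENIED \(([^)]*)\)")
MASK = re.compile(r"(\w+):\s*(0x[0-9a-fA-F]+)")

def bit_names(mask):
    """Return the names of the set bits; unknown bits are reported as hex."""
    names = [name for bit, name in sorted(DOMAIN_BITS.items()) if mask & bit]
    rest = mask & ~sum(DOMAIN_BITS)
    return names + ([hex(rest)] if rest else [])

def denied_events(log_text):
    """Extract each denied SAMR call with its masks and the missing bits."""
    flat = " ".join(log_text.split())  # undo mail/terminal line wrapping
    events = []
    for call, detail in DENIED.findall(flat):
        event = {"call": call}
        event.update((k, int(v, 16)) for k, v in MASK.findall(detail))
        if "granted" in event and "required" in event:
            event["missing"] = event["required"] & ~event["granted"]
        events.append(event)
    return events

if __name__ == "__main__":
    for ev in denied_events(SAMPLE_LOG):
        print(ev["call"], {k: bit_names(v) for k, v in ev.items() if k != "call"})
```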