[Samba] unable to join domain hosted by 3.0 PDC

Jeff Layton jtlayton at poochiereds.net
Fri Jul 23 23:56:44 GMT 2004


Craig White wrote:

> You don't give details on your configuration but generally...
>
> A member of 'Domain Admins' (RID 512)
> /etc/smb/smbusers
> root = Administrator administrator etc.
> user with uidnumber of 0
>
>
> Craig
>

Sorry for the delay in response, but I finally got around to checking 
this out again today. Any hints you can provide as to why I can't join 
the domain as an unprivileged user would be much appreciated.

I'm using Samba 3.0.4 from the Debian package archive on Debian Linux.

I have a user set up as a member of the 'Domain Admins' group (name 
changed to protect the guilty):

    % net user info userfoo
    Domain Admins

Domain admins are indeed the '-512' group:

   % sudo net groupmap list
   Domain Admins (S-1-5-21-4238268982-3733527442-3588021054-512) -> smbadmin

I can mount shares as this user, use smbclient as this user, etc., but 
when I try to use this user to join a machine to the domain, I get the 
following in the log (at loglevel 2; joining the domain as root works 
fine):

--------------------------------[snip]-------------------------------

[2004/07/23 19:20:29, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/07/23 19:20:29, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/07/23 19:20:29, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [userfoo] -> [userfoo] -> [userfoo] succeeded
[2004/07/23 19:20:29, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain MYDOMAIN -> S-1-5-21-4238268982-3733527442-3588021054
[2004/07/23 19:20:29, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/07/23 19:20:29, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain MYDOMAIN -> S-1-5-21-4238268982-3733527442-3588021054
[2004/07/23 19:20:29, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2004/07/23 19:20:29, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/07/23 19:20:30, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/07/23 19:20:30, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [userfoo] -> [userfoo] -> [userfoo] succeeded
[2004/07/23 19:20:30, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/07/23 19:20:55, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/07/23 19:20:55, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

--------------------------------[snip]-------------------------------

FWIW, here is the global section of my smb.conf (some names suitably 
changed):

[global]
   netbios name = PDCHOST
   panic action = /usr/share/samba/panic-action %d
   printing = cups
   printcap name = cups
   load printers = yes
   security = user
   workgroup = MYDOMAIN
   domain logons = yes
   server string = %h server (Samba %v)
   syslog only = no
   syslog = 0;
   log level = 2;
   log file = /var/log/samba/log.%m
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
   encrypt passwords = true
   passdb backend = tdbsam
   wins support = yes
   os level = 66
   domain master = yes
   local master = yes
   preferred master = yes
   name resolve order = lmhosts host wins bcast
   dns proxy = yes
   preserve case = yes
   short preserve case = yes
   unix password sync = false
   max log size = 1000
   obey pam restrictions = no


Again, any ideas why I can't join the domain as a non-root user? Let me 
know if there's other info that would be helpful.

-- Jeff
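
Added example, not part of the original post: a short Python parser that pulls the ACCESS DENIED entries out of the log excerpt above and decodes their hex access masks. The right names come from the MS-SAMR specification and reading both masks as domain-object rights is an assumption; only the hex values appear in the post.

```python
import re

# Domain-object access bits as named in the MS-SAMR specification
# (assumption: the post itself shows only the hex values).
DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

# Two entries from the log in the post. The line break inside the second
# entry is kept to show that mail-wrapped text still parses.
SAMPLE_LOG = """\
[2004/07/23 19:20:29, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/07/23 19:20:29, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required:
0x00000010)
"""

DENIED = re.compile(r"(_samr_\w+): ACCESS DENIED\s*\(([^)]*)\)")
FIELD = re.compile(r"(\w+):\s*(0x[0-9a-fA-F]+)")

def decode(mask):
    """Return the names of the known rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]

def denied_events(text):
    """Extract each ACCESS DENIED entry with its masks and any missing bits."""
    events = []
    for m in DENIED.finditer(text):
        masks = {key: int(val, 16) for key, val in FIELD.findall(m.group(2))}
        missing = None
        if "granted" in masks and "required" in masks:
            missing = masks["required"] & ~masks["granted"]
        events.append({"call": m.group(1), "masks": masks, "missing": missing})
    return events

if __name__ == "__main__":
    for ev in denied_events(SAMPLE_LOG):
        for label, mask in ev["masks"].items():
            print(ev["call"], label, hex(mask), decode(mask))
```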


