[Samba] Samba 3.0.2 and LDAP

Joshua Schmidlkofer menion at asylumwear.com
Tue Jun 8 06:44:31 GMT 2004


I am getting the following problem when I try to add new machines to the 
LDAP server.

<snip>
[2004/06/07 13:49:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
   init_sam_from_ldap: Entry found for user: administrator
[2004/06/07 13:49:13, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
   init_group_from_ldap: Entry found for group: 512
[2004/06/07 13:49:13, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
   init_group_from_ldap: Entry found for group: 513
[2004/06/07 13:49:13, 2] auth/auth.c:check_ntlm_password(305)
   check_ntlm_password:  authentication for user [administrator] ->
[administrator] -> [administrator] succeeded
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
   Returning domain sid for domain MYDOM ->
S-1-5-21-2872XXXXXX-XXXXXXXXX-XXXXXXXXXX
[2004/06/07 13:49:14, 2]
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
   _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
   Returning domain sid for domain MYDOM ->
S-1-5-21-2872XXXXXX-XXXXXXXXX-XXXXXXXXXX
[2004/06/07 13:49:14, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
   _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required:
0x00000010)
[2004/06/07 13:49:19, 2] smbd/sesssetup.c:setup_new_vc_session(591)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/06/07 13:49:19, 2] smbd/sesssetup.c:setup_new_vc_session(591)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/06/07 13:49:19, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
   init_sam_from_ldap: Entry found for user: administrator
[2004/06/07 13:49:20, 2] auth/auth.c:check_ntlm_password(305)
   check_ntlm_password:  authentication for user [administrator] ->
[administrator] -> [administrator] succeeded
</snip>

I am very confused on how to proceed.  net groupmap reveals that Domain 
Admins is mapped to the domadm LDAP group [gid=512].   Administrator's 
primary group is 512, and that seems to be fine.  We tried several 
people, all w/ the same results.

Why am I getting ACCESS DENIED on the _samr_open_domain_?  I don't 
understand that.

Also, the create user fails.   This seems to ignore my add machine 
script entirely.  Did I miss anything in samba setup?

I have searched and searched the archives with the only possible 
explanation found being that my ldap admin had insufficient rights, or 
my user had insufficient rights.    Please help.


AFAIK this worked prior to the last updates.  I am using Fedora Core 1, 
with Samba-3.0.2-6.3 (Actually, now I am not sure about the 6.3).  There 
is an update available, and I am planning on trying that.  However I am 
very beleaguered by this problem.

smb.conf:
[global]
    debug level   = 2
    workgroup     = MYDOM
    server string = SVR1
    netbios name  = SVR1
    add machine script = /usr/sbin/ldapaddmachine.save %m

    printcap name = /etc/printcap
    load printers = yes
    log file      = /var/log/samba/%m.log
    max log size  = 50
    security      = user

   encrypt passwords = yes

   ldap suffix         = o=Myou,c=US
   ldap user suffix    = ou=Users
   ldap group suffix   = ou=Groups
   ;; Work-around re: number failures, and numerous online notes.
   ;; Which is this supposed to be?
   ldap machine suffix = ou=Computers
   ;;ldap machine suffix = ou=Users

   ldap delete dn      = no
   ldap filter         = (&(uid=%u)(objectclass=sambaSamAccount))
   ldap admin dn       = "cn=Manager,o=Myou,c=US"
   ldap ssl            = off
   ldap passwd sync    = yes
   passdb backend      = ldapsam:ldap://localhost
   idmap backend       = ldap:ldap://localhost

   ;; OS-Level incremented from 33 on 2004-06-4 by IMR.
   os level      = 65
   local master  = yes
   domain master = yes
   domain logons = yes
   logon script  = logon.bat
   logon path    = \\%L\Profiles\%U

   preserve case = yes
   short preserve case = yes
   default case = lower
   case sensitive = no
   dns proxy = no

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    wins server = 192.168.10.240

<shares removed>
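
The two ACCESS DENIED entries in the log above carry SAMR domain access masks. As an added example (not part of the original post, and not Samba code), the following Python decodes them using the domain access-right names from the MS-SAMR specification; the function names are hypothetical.

```python
import re

# Domain-object access rights as named in the MS-SAMR specification (not from the post).
DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

# Excerpt copied from the log in the post, including its line wrap.
SAMPLE_LOG = """\
   _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
   _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required:
0x00000010)
"""

DENIED = re.compile(r"(_samr_\w+): ACCESS DENIED\s*\(([^)]*)\)")
FIELD = re.compile(r"(requested|granted|required):\s*(0x[0-9a-fA-F]+)")

def decode_mask(mask):
    """Return the names of the domain rights set in an access mask."""
    names = [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(DOMAIN_RIGHTS)  # bits outside the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names

def parse_denials(log_text):
    """Return one dict per ACCESS DENIED entry, with its masks decoded."""
    flat = " ".join(log_text.split())  # undo line wrapping inside an entry
    results = []
    for call, body in DENIED.findall(flat):
        masks = {k: int(v, 16) for k, v in FIELD.findall(body)}
        entry = {"call": call, "masks": {k: decode_mask(v) for k, v in masks.items()}}
        if "granted" in masks and "required" in masks:
            # Rights the call needs that the session was not given.
            entry["missing"] = decode_mask(masks["required"] & ~masks["granted"])
        results.append(entry)
    return results

if __name__ == "__main__":
    print(parse_denials(SAMPLE_LOG))
```

On the excerpt, the open request asks for lookup, create-user and read-password-parameters rights, and the create-user call is refused because the granted mask lacks DOMAIN_CREATE_USER.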





