[Samba] privileges in 3.11?
Dmitry Melekhov
dm at belkam.com
Mon Feb 7 07:42:35 GMT 2005
Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dmitry Melekhov wrote:
>
> | I just checked latest svn with
> | svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0_RELEASE samba-SAMBA_3_0_RELEASE
> |
> | And I still have the same problem.
> |
> | net -S dm -U root rpc rights grant 'TEST\dm' SeMachineAccountPrivilege
> | Password:
> | Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
> |
> | log.smb is attached...
>
>
> Can you send me your smb.conf, the output from `id dm`, the
> output from 'net groupmap list', and the output from 'net getlocalsid'?
I found the reason.
The problem is that I created tdbsam from smbpasswd using pdbedit.
Now I tried to reproduce this, and here is the pdbedit output:
Processing account root
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
pdb_getsampwent
And then I can't modify or add the root account, with the same result:
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
This problem appears only if a groupmap to a unixgroup exists:
./net groupmap list
Domain Admins (S-1-5-21-2314933419-357499204-1604414191-512) -> root
If I delete this mapping, then I can add the root account:
Domain Admins (S-1-5-21-1953428550-3027608681-49554636-512) -> -1
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-1953428550-3027608681-49554636-1000
Primary Group SID: S-1-5-21-1953428550-3027608681-49554636-1001
Full Name: root
Home Directory: \\dm\root
HomeDir Drive:
Logon Script:
Profile Path: \\dm\root\profile
Domain: TEST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Sun, 07 Feb 2106 10:28:15 GMT
Kickoff time: Sun, 07 Feb 2106 10:28:15 GMT
Password last set: Mon, 07 Feb 2005 11:25:49 GMT
Password can change: Mon, 07 Feb 2005 11:25:49 GMT
Password must change: Sun, 07 Feb 2106 10:28:15 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Looks like this problem appears if any group mapping exists.
Then if I add the group mapping, everything works:
[root@dm bin]# ./net groupmap modify sid=S-1-5-21-1953428550-3027608681-49554636-512 unixgroup=root
Updated mapping entry for Domain Admins
[root@dm bin]# ./net rpc rights grant 'TEST\dm' SePrintOperatorPrivilege
Password:
Successfully granted rights.
All this is for 3.0.11.
Looks like this is a problem with tdbsam...
I don't know how I created the root user in tdbsam before.