[Samba] privileges in 3.11?

Dmitry Melekhov dm at belkam.com
Mon Feb 7 07:42:35 GMT 2005


Gerald (Jerry) Carter wrote:

> Dmitry Melekhov wrote:
>
> | I just checked the latest svn with
> | svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0_RELEASE samba-SAMBA_3_0_RELEASE
> |
> | And I still have the same problem.
> |
> | net -S dm -U root rpc rights grant 'TEST\dm' SeMachineAccountPrivilege
> | Password:
> | Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
> |
> | log.smb is attached...
>
>
> Can you send me your smb.conf, the output from `id dm`, the
> output from 'net groupmap list', and the output from 'net getlocalsid'?


I found a reason.
The problem is that I created tdbsam from smbpasswd using pdbedit.
Now I tried to reproduce this, and here is the pdbedit output:

Processing account root
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
pdb_getsampwent


And then I can't modify or add the root account, with the same result:

tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID


This problem appears only if a groupmap to a unixgroup exists:

./net groupmap list

Domain Admins (S-1-5-21-2314933419-357499204-1604414191-512) -> root


If I delete this mapping, then I can add the root account:

Domain Admins (S-1-5-21-1953428550-3027608681-49554636-512) -> -1

Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1953428550-3027608681-49554636-1000
Primary Group SID:    S-1-5-21-1953428550-3027608681-49554636-1001
Full Name:            root
Home Directory:       \\dm\root
HomeDir Drive:
Logon Script:
Profile Path:         \\dm\root\profile
Domain:               TEST
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sun, 07 Feb 2106 10:28:15 GMT
Kickoff time:         Sun, 07 Feb 2106 10:28:15 GMT
Password last set:    Mon, 07 Feb 2005 11:25:49 GMT
Password can change:  Mon, 07 Feb 2005 11:25:49 GMT
Password must change: Sun, 07 Feb 2106 10:28:15 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


Looks like this problem appears if any groupmapping exists.


Then, if I add the groupmapping, everything works:

[root@dm bin]# ./net groupmap modify sid=S-1-5-21-1953428550-3027608681-49554636-512 unixgroup=root
Updated mapping entry for Domain Admins
[root@dm bin]# ./net rpc rights grant 'TEST\dm' SePrintOperatorPrivilege
Password:
Successfully granted rights.


All this is for 3.0.11.

Looks like this is a problem with tdbsam...

I don't know how I created the root user in tdbsam before.
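
The `net groupmap list` lines in this message have the form `Name (SID) -> unixgroup`, with `-1` where no Unix group is mapped. The following is an added example, not part of the original message and not Samba project code: it parses that output and lists entries that are unmapped or whose domain SID differs from the one passed in. The function names and the choice of what to flag are assumptions of this example, not a diagnosis from the thread; the sample lines are the two listings copied from the message.

```python
import re

# Mapping line as printed in the message: "Name (SID) -> unixgroup".
# The SID is split into its domain part and the trailing RID.
MAP_RE = re.compile(r"^(.+?)\s+\((S-1-[\d-]+)-(\d+)\)\s+->\s+(\S+)$")

# The two listings from the message, combined here as sample input.
SAMPLE = """\
Domain Admins (S-1-5-21-2314933419-357499204-1604414191-512) -> root
Domain Admins (S-1-5-21-1953428550-3027608681-49554636-512) -> -1
"""

# Domain part of the "User SID" shown in the pdbedit output in the message.
LOCAL_SID = "S-1-5-21-1953428550-3027608681-49554636"


def parse_groupmap(text):
    """Parse `net groupmap list` output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a mapping
        name, domain_sid, rid, unix = m.groups()
        entries.append({
            "name": name,
            "domain_sid": domain_sid,
            "rid": int(rid),
            # net prints -1 when the entry has no Unix group
            "unix_group": None if unix == "-1" else unix,
        })
    return entries


def audit(text, local_sid):
    """Return (group name, finding) pairs worth a look before granting rights."""
    findings = []
    for e in parse_groupmap(text):
        if e["domain_sid"] != local_sid:
            findings.append((e["name"], "sid-mismatch"))
        elif e["unix_group"] is None:
            findings.append((e["name"], "unmapped"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE, LOCAL_SID):
        print(f"{name}: {finding}")
```
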



