[Samba] Problems with samba 3.0.11

Sergey Loskutov cyrat at tts.magadan.su
Thu Feb 17 00:55:08 GMT 2005


Hello!

I have installed samba-3.0.11 and properly configured it to work with LDAP.
It works fine for me, but I have small problems with security and
user management!

Important parameters of my samba config:

[global]
log level = 10
security = user
domain master = yes
domain logons = yes
enable privileges = Yes
workgroup = HOME
netbios name = A
delete user script = /opt/IDEALX/sbin/smbldap-userdel -k -r "%u"
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -a -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"

To explain my problems, I have the following setup.

Machine "A" is the PDC of domain "HOME"
Machine "B" is not a member of domain "HOME", it is a member of workgroup "REMOTE"
Machine "C" is a member of domain "HOME"

Account:    Administrator is a member of "Domain Admins"
Account:    nobody is a member of "Domain Guests"

net rpc says:
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\Administrator'
Password:
SeMachineAccountPrivilege
SeAddUsersPrivilege
linux:/etc/samba #
linux:/etc/samba # net -U Administrator rpc rights list 'HOME\nobody'
Password:
linux:/etc/samba #

User Administrator  UID: 512   ( I read a post before and the "Samba members"
say "You don't need to have uid: 0 any more ... use privileges" ;) )
User nobody  UID:

I use the tools usrmgr.exe and srvmgr.exe

Log in from "C" to domain "HOME" ... OK
Create a user in the default group "Domain Users" ... OK
Add a machine to the domain ........ OK

Problem 1.

From machine "B" launch the tool srvmgr.exe and select domain "HOME".
Domain "HOME" does not trust workgroup "REMOTE", so I log in to domain "HOME" as
nobody.
Try to add machine "INTRUDER" to domain "HOME" and get the message "Access
denied".

I parsed the debug messages ...... and found the problems ...

Step 1
samba added machine "INTRUDER" to ldap through the "add machine script",
but did not set the samba attributes on this machine account
Step 2
Samba checks the privileges of user nobody and sends the message access denied to
the remote host

Why ?????
Any user who is not a member of my domain "HOME" can create a
"machine account" in my ldap server and .... oh my god !!!! my database is big, very big : )))

Problem 2.

Launch the tool usrmgr.exe
Try to create a user
Username:  "John".  Select the group button.  By default the user is a member of
"Domain Users"
Add group "Domain Admins", press OK and then OK ... the user is created .....
it's great!

Select properties of user "John" and press the group button again. Select group
"Domain Admins" and press "set primary group", then remove the membership in
"Domain Users"
And press OK
Devil :(
I get the error "Access denied"
Why ??? Again I parse the debug messages
1) Samba sets for user "john" the primary group "Domain Admins"
2) Samba tries to remove user "john" from group "Domain Users", but samba says
"User 'John' has primary group 'Domain Users'" and generates the message "Access
denied"

The IDEALX script has incorrect code in "smbldap-usermod -g ". We MUST set the
primary group, but before that the user MUST be a member of the "old primary group" ...
the IDEALX script
does not do this..

Problem 3.
User Administrator has the privilege 'SeAddUsersPrivilege' .... look above :)
Try to create a group ...
Group name:  "Internet Access"
Members:     Administrator, John
Press the OK button

Devil again :(
I get the message "Access Denied"
1) Samba calls the "add group script", the group is created
2) Samba tries to append the samba parameters to group "Internet Access" and says
"_samr_set_groupinfo: access check ((granted: 0000000000;  required:
0x00000002)
 _samr_set_groupinfo: ACCESS DENIED (granted: 0000000000;  required:
0x00000002)"

Please fix samba-3.0.11 or explain what is wrong ???

Analysis of the 3.0.11 code tells me ... it is bad, very bad ....

Best regards,
Senior engineer of network department MTCES the Magadan.
Loskutov Sergey
mailto:cyrat at tts.magadan.su
phone. +7 90250 82016, +7 41322 27150
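
The shell helpers below are an added example for the two LDAP-side checks a practitioner would want after reading Problem 1 and Problem 2 above; they are not part of the original post and are not code from Samba or the IDEALX smbldap-tools. They assume an LDIF dump produced by ldapsearch, and the domain SID S-1-5-21-1-2-3, the sample entries, the function names and the smbldap default numbers (gidNumber 512 / RID 512 for "Domain Admins", gidNumber 515 for "Domain Computers") are constructed for the example. The first helper lists machine entries that have a uid ending in "$" but no sambaSID, which is what the "add machine script" leaves behind when the privilege check fails afterwards. The second builds the LDIF that changes a user's primary group in both attributes Samba 3 reads, gidNumber (POSIX) and sambaPrimaryGroupSID, since a "set primary group script" that touches only gidNumber leaves Samba believing the old group is still primary.

```shell
#!/bin/sh
# Added example, not code from the original post, Samba or smbldap-tools.

# find_stale_machines: read an LDIF dump on stdin (for example the output of
#   ldapsearch -x -LLL -b 'ou=Computers,dc=home,dc=su' '(uid=*$)')
# and print the DN of every machine account (uid ending in "$") that has no
# sambaSID attribute, i.e. a posixAccount created by "add machine script"
# that never received its samba attributes.
find_stale_machines() {
    awk '
        /^dn: /          { dn = substr($0, 5) }
        /^uid: .*[$]$/   { machine = 1 }
        /^sambaSID: /    { has_sid = 1 }
        /^$/             { if (machine && !has_sid) print dn
                           dn = ""; machine = 0; has_sid = 0 }
        END              { if (machine && !has_sid) print dn }
    '
}

# primary_group_ldif: emit LDIF that sets a user's primary group in both
# gidNumber and sambaPrimaryGroupSID.
# Arguments: user DN, domain SID, group gidNumber, group RID.
# A real "set primary group script" would have to look up gidNumber and RID
# for the "%g" it receives; here they are plain inputs (assumption).
primary_group_ldif() {
    cat <<EOF
dn: $1
changetype: modify
replace: gidNumber
gidNumber: $3
-
replace: sambaPrimaryGroupSID
sambaPrimaryGroupSID: $2-$4
EOF
}

# Constructed sample LDIF (not real data): one properly joined machine, one
# stale machine entry without samba attributes, and one ordinary user.
sample_ldif() {
    cat <<'EOF'
dn: uid=C$,ou=Computers,dc=home,dc=su
objectClass: posixAccount
objectClass: sambaSamAccount
uid: C$
gidNumber: 515
sambaSID: S-1-5-21-1-2-3-1002

dn: uid=INTRUDER$,ou=Computers,dc=home,dc=su
objectClass: posixAccount
uid: INTRUDER$
gidNumber: 515

dn: uid=john,ou=Users,dc=home,dc=su
objectClass: posixAccount
uid: john
gidNumber: 513
EOF
}

# Demonstration: list the stale machine account (prints the INTRUDER$ DN),
# then build the LDIF that makes "Domain Admins" (gidNumber 512, RID 512
# with smbldap defaults) the primary group of john in the constructed domain.
sample_ldif | find_stale_machines
primary_group_ldif 'uid=john,ou=Users,dc=home,dc=su' 'S-1-5-21-1-2-3' 512 512
```

The DNs printed by find_stale_machines can be fed to ldapdelete after checking that no real machine joined under that name; the LDIF from primary_group_ldif goes to `ldapmodify -x -D <admin DN> -W`. Whether the entry was created by a legitimate join or by an unprivileged caller cannot be told from the entry alone, so compare the list against the log level 10 output of the failed join before deleting.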