[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Thu May 26 14:17:27 GMT 2005

Okee dokee. I've gotten somewhere.

So samba 3.0.11 didn't seem to quite handle privileges all the way. I
upgraded to 3.0.14 and everything is now peachy happy with one small
exception. Before I get to the problem here's what did work:

net -S localhost -Uleggett rpc rights grant "CI\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

I gave the user's password stored in LDAP and it succeeded. Next I went
to join the machine to the domain. Here's where the problem happened. I
was under the impression that all LDAP activity was done as the user
listed in the "ldap admin dn". However, when I went to join the machine,
let's call it WORKSTATION, it prompted for a domain admin user and
password so I put in leggett's. It tried, but failed (with a new error).
So I looked in the LDAP server's log and, lo and behold, it was trying
to run the add machine script as user leggett (who doesn't have
permission to write to the directory). So I hand added the machine to
the directory and then tried the join again and it worked beautifully.

So, here's my new question (I'm full of em): Are LDAP actions done as
the Samab ldap admin dn or the user doing the action? It appears the
latter is the case.

On Mon, 2005-05-09 at 10:29 -0500, Ti Leggett wrote:
> Unfortunately this still doesn't work. As a note, I thought about this
> and had added the root account to the Domain Admins group.
> On Fri, 2005-05-06 at 17:30 -0400, Josh Kelley wrote:
> > Try doing the "net rpc rights" as a
> > 
> > Ti Leggett wrote:
> > 
> > >However the following fails:
> > >
> > >net -S localhost rpc rights grant "CI\Domain Admins"
> > >SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> > >SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> > >
> > >Reading through the logs, everything appears to be fine until it goes to
> > >assign privileges. Here's a snip from the logs (log level = 10):
> > >  
> > >
> > <snip>
> > 
> > >[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
> > >      0000 status: NT_STATUS_ACCESS_DENIED
> > >
> > >The LDAP logs show everything successful and there's no MODs trying to
> > >occur.
> > >  
> > >
> > Try doing the "net rpc rights grant" as a domain admin ("-U username") 
> > instead of as root.  The Samba HOWTO states, "You must be connected as a 
> > member of the Domain Admins group to be able to grant or revoke 
> > privileges assigned to an account. This capability is inherent to the 
> > Domain Admins group and is not configurable."
> > 
> > Granting rights as root doesn't seem to work.  (At least, it doesn't for 
> > me.)  I don't know if that's intentional or not; the HOWTO also states, 
> > "Access as the root user (UID=0) bypasses all privilege checks," which 
> > seems to contradict the previous statement and seems to imply that not 
> > working for root is a bug.
> > 
> > Josh Kelley
> > //
> > 

More information about the samba mailing list