[Samba] failure access check -> mask (was: Unable to get default yp domain)

Thomas Besser thomas.besser at archIT.uni-karlsruhe.de
Tue Dec 12 10:21:38 GMT 2006


Thomas Besser wrote:
> running here samba-ldap-pdc (debian sarge, samba 3.0.14a-3sarge, cups).
> Domain users can delete their own print jobs. But they should also be able
> to delete print jobs of other domain users. But this does not work,
> because of access problems.
> 
> net groupmap list
> Domain Users (S-1-5-21-2984023303-172644929-1026171850-1222) -> archi
> Domain Admins (S-1-5-21-2984023303-172644929-1026171850-512) -> admin
> 
> Over winxp (network environment -> server -> printers -> access) I
> arranged that for the group 'domain users' print job management is
> allowed.
> 
> But deleting results in access denied. Here is the log file:
> 
> [2006/12/11 13:26:43, 3] lib/util_seaccess.c:se_access_check(252)
>   se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
>   se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
>   se_access_check: also S-1-1-0
>   se_access_check: also S-1-5-2
>   se_access_check: also S-1-5-11
>   se_access_check: also S-1-5-21-2984023303-172644929-1026171850-513
> [2006/12/11 13:26:43, 5] lib/util_seaccess.c:se_access_check(315)
>   se_access_check: access (f000c) denied.
> [2006/12/11 13:26:43, 4] printing/nt_printing.c:print_access_check(5175)
>   access check was FAILURE

Here a more detailed log (loglevel 10) of the same problem:

[2006/12/11 15:40:06, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x000f000c, for NT token with 5 entries and first sid S-1-5-21-2984023303-172644929-1026171850-3012.
[2006/12/11 15:40:06, 3] lib/util_seaccess.c:se_access_check(251)
[2006/12/11 15:40:06, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
  se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-5-21-2984023303-172644929-1026171850-500 mask = f000c, current desired = f000c
  se_access_check: ACE 1: type 0, flags = 0x09, SID = S-1-5-21-2984023303-172644929-1026171850-500 mask = f0030, current desired = f000c
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-21-2984023303-172644929-1026171850-512 mask = f000c, current desired = f000c
  se_access_check: ACE 3: type 0, flags = 0x09, SID = S-1-5-21-2984023303-172644929-1026171850-512 mask = f0030, current desired = f000c
  se_access_check: ACE 4: type 0, flags = 0x00, SID = S-1-5-21-2984023303-172644929-1026171850-1222 mask = 20008, current desired = f000c
  se_access_check: ACE 5: type 0, flags = 0x0a, SID = S-1-5-21-2984023303-172644929-1026171850-1222 mask = 20000, current desired = d0004
  se_access_check: ACE 6: type 0, flags = 0x09, SID = S-1-5-21-2984023303-172644929-1026171850-1222 mask = f0030, current desired = d0004
  se_access_check: ACE 7: type 0, flags = 0x00, SID = S-1-1-0 mask = 20008, current desired = d0004
  se_access_check: ACE 8: type 0, flags = 0x0a, SID = S-1-1-0 mask = 20000, current desired = d0004
  se_access_check: ACE 9: type 0, flags = 0x09, SID = S-1-1-0 mask = f0030, current desired = d0004
[2006/12/11 15:40:06, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (f000c) denied.
[2006/12/11 15:40:06, 4] printing/nt_printing.c:print_access_check(5175)
  access check was FAILURE

Does anyone know the meaning of these masks?

Especially for the SID ending in 1222, because that's the group in
which one user should be able to delete the print job of
another.

Regards.
Thomas
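
Added example, not part of the original post and not Samba's code: a replay of the ACL walk from the level-10 log above, decoding the bits that are left ungranted. The bit names are the Windows SDK constants; the skip rules (inherit-only ACEs and SIDs absent from the token are ignored) are an assumption that the script checks against the log's own "current desired" column.

```python
import re

# Access-right bits, named as in the Windows SDK (winspool.h / winnt.h).
BITS = {0x4: "PRINTER_ACCESS_ADMINISTER", 0x8: "PRINTER_ACCESS_USE",
        0x10: "JOB_ACCESS_ADMINISTER", 0x20: "JOB_ACCESS_READ", 0x10000: "DELETE",
        0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
INHERIT_ONLY = 0x08          # ACE flag: applies to child objects only
DOM = "S-1-5-21-2984023303-172644929-1026171850"
# SIDs listed for the user token in the level-10 log above.
TOKEN = {DOM + "-3012", DOM + "-1222", "S-1-1-0", "S-1-5-2", "S-1-5-11"}
# ACE lines from the same log, rejoined, with "DOM" standing in for the domain SID.
LOG = """
ACE 0: type 0, flags = 0x00, SID = DOM-500 mask = f000c, current desired = f000c
ACE 1: type 0, flags = 0x09, SID = DOM-500 mask = f0030, current desired = f000c
ACE 2: type 0, flags = 0x00, SID = DOM-512 mask = f000c, current desired = f000c
ACE 3: type 0, flags = 0x09, SID = DOM-512 mask = f0030, current desired = f000c
ACE 4: type 0, flags = 0x00, SID = DOM-1222 mask = 20008, current desired = f000c
ACE 5: type 0, flags = 0x0a, SID = DOM-1222 mask = 20000, current desired = d0004
ACE 6: type 0, flags = 0x09, SID = DOM-1222 mask = f0030, current desired = d0004
ACE 7: type 0, flags = 0x00, SID = S-1-1-0 mask = 20008, current desired = d0004
ACE 8: type 0, flags = 0x0a, SID = S-1-1-0 mask = 20000, current desired = d0004
ACE 9: type 0, flags = 0x09, SID = S-1-1-0 mask = f0030, current desired = d0004
""".replace("DOM", DOM)
ACE_RE = re.compile(r"ACE (\d+): type (\d+), flags = 0x([0-9a-f]+), SID =\s+(\S+)"
                    r"\s+mask = ([0-9a-f]+),\s+current\s+desired\s+= ([0-9a-f]+)")

def decode(mask):
    return [name for bit, name in sorted(BITS.items()) if mask & bit]

def replay(log, token, desired):
    """Walk the ACL; return (bits still ungranted, desired value seen at each ACE)."""
    seen = []
    for m in ACE_RE.finditer(log):
        typ, flags, sid, mask = int(m[2]), int(m[3], 16), m[4], int(m[5], 16)
        seen.append(desired)
        if flags & INHERIT_ONLY or sid not in token:
            continue                      # ACE takes no part in this decision
        if typ == 0:                      # access-allowed ACE: clear granted bits
            desired &= ~mask
        elif desired & mask:              # access-denied ACE hits a wanted bit
            break
    return desired, seen

def logged(log):
    return [int(m[6], 16) for m in ACE_RE.finditer(log)]

if __name__ == "__main__":
    left, seen = replay(LOG, TOKEN, 0xF000C)
    print(hex(left), decode(left), "matches log:", seen == logged(LOG))
```

Run as a script it reports 0xd0004 left over: the only ACEs that take part for this token (group 1222 and S-1-1-0, flags 0x00) grant 0x20008, and group 1222's 0xf0030 ACE carries the inherit-only flag.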
