[Samba] failure access check -> mask (was: Unable to get default yp domain)
Thomas Besser
thomas.besser at archIT.uni-karlsruhe.de
Tue Dec 12 10:21:38 GMT 2006
Thomas Besser wrote:
> running here samba-ldap-pdc (debian sarge, samba 3.0.14a-3sarge, cups).
> Domain users can delete their own print jobs. But they should also be able
> to delete print jobs of other domain users. But this does not work,
> because of access problems.
>
> net groupmap list
> Domain Users (S-1-5-21-2984023303-172644929-1026171850-1222) -> archi
> Domain Admins (S-1-5-21-2984023303-172644929-1026171850-512) -> admin
>
> Over winxp (network environment -> server -> printers -> access) I
> arranged that for the group 'domain users' print job management is
> allowed.
>
> But deleting results in access denied. Here is the log file:
>
> [2006/12/11 13:26:43, 3] lib/util_seaccess.c:se_access_check(252)
> se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
> se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
> se_access_check: also S-1-1-0
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> se_access_check: also S-1-5-21-2984023303-172644929-1026171850-513
> [2006/12/11 13:26:43, 5] lib/util_seaccess.c:se_access_check(315)
> se_access_check: access (f000c) denied.
> [2006/12/11 13:26:43, 4] printing/nt_printing.c:print_access_check(5175)
> access check was FAILURE
Here is a more detailed log (loglevel 10) of the same problem:
[2006/12/11 15:40:06, 10] lib/util_seaccess.c:se_access_check(234)
se_access_check: requested access 0x000f000c, for NT token with 5 entries and first sid S-1-5-21-2984023303-172644929-1026171850-3012.
[2006/12/11 15:40:06, 3] lib/util_seaccess.c:se_access_check(251)
[2006/12/11 15:40:06, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-5-21-2984023303-172644929-1026171850-500 mask = f000c, current desired = f000c
se_access_check: ACE 1: type 0, flags = 0x09, SID = S-1-5-21-2984023303-172644929-1026171850-500 mask = f0030, current desired = f000c
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-21-2984023303-172644929-1026171850-512 mask = f000c, current desired = f000c
se_access_check: ACE 3: type 0, flags = 0x09, SID = S-1-5-21-2984023303-172644929-1026171850-512 mask = f0030, current desired = f000c
se_access_check: ACE 4: type 0, flags = 0x00, SID = S-1-5-21-2984023303-172644929-1026171850-1222 mask = 20008, current desired = f000c
se_access_check: ACE 5: type 0, flags = 0x0a, SID = S-1-5-21-2984023303-172644929-1026171850-1222 mask = 20000, current desired = d0004
se_access_check: ACE 6: type 0, flags = 0x09, SID = S-1-5-21-2984023303-172644929-1026171850-1222 mask = f0030, current desired = d0004
se_access_check: ACE 7: type 0, flags = 0x00, SID = S-1-1-0 mask = 20008, current desired = d0004
se_access_check: ACE 8: type 0, flags = 0x0a, SID = S-1-1-0 mask = 20000, current desired = d0004
se_access_check: ACE 9: type 0, flags = 0x09, SID = S-1-1-0 mask = f0030, current desired = d0004
[2006/12/11 15:40:06, 5] lib/util_seaccess.c:se_access_check(315)
se_access_check: access (f000c) denied.
[2006/12/11 15:40:06, 4] printing/nt_printing.c:print_access_check(5175)
access check was FAILURE
Does anyone know the meaning of these masks?
Especially regarding the SID ending with 1222, because that's the group in
which one user should have the possibility to delete the print job of
another.
Regards.
Thomas
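
Added example, not part of the original post and not Samba's own code: a simplified model of the ACL walk that reproduces the "current desired" values in the level-10 log and names the bits left unsatisfied. The bit names in `BITS` are the Windows standard and print-spooler access-right names (not from the post), and the rule that ACEs carrying the inherit-only flag (0x08) are skipped is an assumption consistent with ACE 6 leaving the mask unchanged in the log.

```python
import re

# Constructed input: token SIDs and ACE list from the level-10 log above,
# with the mail client's line wrapping undone.
DOM = "S-1-5-21-2984023303-172644929-1026171850"
TOKEN = {f"{DOM}-3012", f"{DOM}-1222", "S-1-1-0", "S-1-5-2", "S-1-5-11"}
LOG = f"""\
ACE 0: type 0, flags = 0x00, SID = {DOM}-500 mask = f000c, current desired = f000c
ACE 1: type 0, flags = 0x09, SID = {DOM}-500 mask = f0030, current desired = f000c
ACE 2: type 0, flags = 0x00, SID = {DOM}-512 mask = f000c, current desired = f000c
ACE 3: type 0, flags = 0x09, SID = {DOM}-512 mask = f0030, current desired = f000c
ACE 4: type 0, flags = 0x00, SID = {DOM}-1222 mask = 20008, current desired = f000c
ACE 5: type 0, flags = 0x0a, SID = {DOM}-1222 mask = 20000, current desired = d0004
ACE 6: type 0, flags = 0x09, SID = {DOM}-1222 mask = f0030, current desired = d0004
ACE 7: type 0, flags = 0x00, SID = S-1-1-0 mask = 20008, current desired = d0004
ACE 8: type 0, flags = 0x0a, SID = S-1-1-0 mask = 20000, current desired = d0004
ACE 9: type 0, flags = 0x09, SID = S-1-1-0 mask = f0030, current desired = d0004
"""
# Assumption: standard Windows names for these access-mask bits.
BITS = {0x4: "PRINTER_ACCESS_ADMINISTER", 0x8: "PRINTER_ACCESS_USE",
        0x10: "JOB_ACCESS_ADMINISTER", 0x20: "JOB_ACCESS_READ",
        0x10000: "DELETE", 0x20000: "READ_CONTROL",
        0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
INHERIT_ONLY = 0x08  # ACE applies only to child objects, not to this check
ACE_RE = re.compile(
    r"ACE \d+: type (\d+), flags = 0x([0-9a-f]+), SID = (\S+) mask = ([0-9a-f]+)")

def decode(mask):
    """Names of the bits set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(BITS.items()) if mask & bit]

def replay(log, token, desired):
    """Walk the logged ACL; return (granted, bits still not granted)."""
    for m in ACE_RE.finditer(log):
        ace_type, flags, sid = int(m[1]), int(m[2], 16), m[3]
        mask = int(m[4], 16)
        if sid not in token or flags & INHERIT_ONLY:
            continue                    # ACE does not take part in this check
        if ace_type == 0:               # allow ACE: clear the bits it grants
            desired &= ~mask
        elif ace_type == 1 and desired & mask:
            break                       # deny ACE hits a still-wanted bit
        if desired == 0:
            break
    return desired == 0, desired

if __name__ == "__main__":
    ok, missing = replay(LOG, TOKEN, 0xF000C)
    print("requested:", decode(0xF000C))
    print("granted" if ok else "denied", hex(missing), decode(missing))
```

In this model the only ACE that contributes for the group ending in 1222 is ACE 4 (mask 20008), so the request for f000c ends with d0004 outstanding, matching the logged denial.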