[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
John H Terpstra
jht at samba.org
Mon Aug 25 14:18:41 GMT 2008
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
> Hi All,
> I'm trying to add a user to a group using
>
> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>
> The user is added to the group as far as I can tell but the command
> returns NT_STATUS_ACCESS_DENIED
>
> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
> configured to lookup users and groups in LDAP.
>
> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
> CROOMTEST\dunk
>
> Trying to remove the user from the group returns
> NT_STATUS_MEMBER_NOT_IN_GROUP and the user
> is not removed from the group in LDAP (running smbldap-groupmod manually
> removes the user from LDAP)
>
> In smb.conf, I have
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
> "%g"
>
> With log level set to 10 I see the following for the add that may or may
> not be relevant.
>
> Should the access check granted and required values be equal?
>
> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
> api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
> api_rpc_cmds[22].fn == 200be4
> samr_AddGroupMember: struct samr_AddGroupMember
> in: struct samr_AddGroupMember
> group_handle : *
> group_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid :
> 05000000-0000-0000-b248-b49e90510000
> rid : 0x00000bb8 (3000)
> flags : 0x00000005 (5)
> [2008/08/25 12:59:48, 4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
> Found policy hnd[0] [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48
> B4 9E ........ .....H..
> [010] 90 51 00 00 .Q..
> [2008/08/25 12:59:48, 5]
> rpc_server/srv_samr_nt.c:access_check_samr_function(227)
> _samr_AddGroupMember: access check ((granted: 00000f001f; required:
> 0000000004)
> [2008/08/25 12:59:48, 10]
> rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
> sid is S-1-5-21-440367617-1876916578-3462541782-3003
> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
> get_domain_group_from_sid
>
> ...
>
> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
> smb_add_user_group: Running the command
> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
> sys_getgrouplist: user [dunk]
> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> ...
> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
> LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
> samr_AddGroupMember: struct samr_AddGroupMember
> out: struct samr_AddGroupMember
> result : NT_STATUS_ACCESS_DENIED
>
> For delmem I again get the same access check granted value
> _samr_DeleteGroupMember: access check ((granted: 00000f001f;
> required: 0000000008)
> then
> Get_Pwnam_internals did find user [dunk]!
> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
> LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
> samr_DeleteGroupMember: struct samr_DeleteGroupMember
> out: struct samr_DeleteGroupMember
> result : NT_STATUS_MEMBER_NOT_IN_GROUP
>
>
> Any thoughts or pointers as to where I should be looking?
Have you tried to execute this script manually?
Example:
smbldap-useradd -G new_group user_name
If that works, check that you gave Samba permission to update the LDAP
directory. Did you execute the following?:
smbpasswd -w LDAP_Secret_Password
also, check that the user you are using to do this, and/or the group that user
belongs to, has the rights and privileges needed to do this:
net rpc rights list accounts -Uroot%password
- John T.
--
John H Terpstra
"Don't do as I do; Show me better!" - Anonymous.
More information about the samba
mailing list