[Samba] Problems with Privileges

Harry Jede walk2sun at arcor.de
Wed Dec 31 17:08:37 GMT 2008


Hi all,
I am using samba 3.2.6 on Debian lenny

I can create users and groups with the User Manager for NT. It is also possible to add users to groups.

But if I then try to open the group again with the User Manager for NT, I get an ACCESS DENIED error.


However, the user has all the rights that I am able to set:
 net rpc rights list ytom
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

 tail -f /var/log/samba/log.ytom

[2008/12/31 17:42:54,  2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3571)
  Returning domain sid for domain SCHULE -> S-1-5-21-2462391502-1360153102-2655098952

[2008/12/31 17:42:54,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 9018
[2008/12/31 17:42:54,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 9018
[2008/12/31 17:42:54,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 9018

[2008/12/31 17:42:55,  2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr__LookupRids: ACCESS DENIED (granted: 0x000d067a;  required: 0x00000100)


cat /etc/samba/smb.conf
[global]
        unix charset = LOCALE
        workgroup = SCHULE
        netbios name = SERVER-1
        server string = %h server
        interfaces = 192.168.231.48/24, 127.0.0.1/8
        bind interfaces only = Yes
        security = user
        name resolve order = wins bcast host
        passdb backend = ldapsam
        # NOTE(review): LANMAN authentication accepts the weak LM hash; keep it
        # enabled only while legacy clients genuinely require it.
        lanman auth = Yes
        syslog = 0
        max log size = 1000
        log level = 2
        # 'log file' is set twice in this section; only one value can take
        # effect (presumably the later one) -- confirm with testparm.
        log file = /var/log/samba/log.%m
        log file = /var/log/samba/log.%U

        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p -a "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"

        logon script = logon.bat
        logon drive = L:
        logon path = \\%L\Profiles\%U
        logon home = \\%L\%U
        domain logons = Yes
        domain master = Yes
        local master = yes
        preferred master =yes
        os level = 254
        wins support = Yes
        # The bind password for this DN is not kept in smb.conf; it is stored
        # separately (set with 'smbpasswd -w').
        ldap admin dn = cn=admin,dc=schule,dc=xx
        ldap delete dn = Yes
        ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
        ldap passwd sync = Yes
        ldap suffix = dc=schule,dc=xx
        # 160 looks like a verbose LDAP-library debug level, i.e. a
        # troubleshooting value rather than a production setting -- confirm.
        ldap debug level = 160
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        template homedir = /home/%g/%U
        ea support = Yes
        store dos attributes = Yes
[IPC$]
  # NOTE(review): giving IPC$ a path inside the log directory is unusual;
  # presumably a workaround for a client -- confirm it is intended.
  path = /var/log/samba/tmp
[homes]
        comment = Home Directories
        read only = No
        create mask = 0755
        browseable = No
[Profiles]
        path = /home/samba/Profiles
        create mask = 0600
        directory mask = 0700
        nt acl support = no
        read only = no
[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        # Members of this group operate as root on this share (Samba's
        # 'admin users' semantics); keep the group membership tightly controlled.
        admin users = @domainadmins
        guest ok = Yes
        read only = Yes

-- 

Gruss
	Harry Jede

