[Samba] net rpc file checks in 3.5.x

Michal Soltys soltys at ziu.info
Wed Jun 30 10:48:22 MDT 2010

When doing simple:

net rpc file -Untadmin

With ntadmin being a user belonging to properly groupmapped domain admins,
 (with rid 512), including cases with ntadmin being rid=500 itself, 
I always get:

[2010/06/30 15:06:46.272578,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
[2010/06/30 15:06:46.276232,  1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
  Enumerating files only allowed for administrators

I've peeked into srv_srvsvc_nt.c and the main difference from earlier 
samba versions (in the function mentioned in logs) is the addition 
of the following check:

        if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
                                p->server_info->ptok)) {
                DEBUG(1, ("Enumerating files only allowed for "
                return WERR_ACCESS_DENIED;

Judging from variables' names it checks if a user belongs to builtin group. Assuming 
this kind of check is intended in this place - how to actually make [functionally 
working] builtin group ? groupmap allows mapping to local and builtins groups, and 
I've also tested some net rpc group variations - but so far to no actual effect. 

More information about the samba mailing list