I'm in the process of setting up a domain controller (moving from a workgroup configuration). I've installed the latest version of Samba (3.0.5), and have configured it to work as a PDC. However, when I try and connect to the domain, I get an 'Access Denied' message after entering my userid and password. Here's the snip from the client system log:

[2004/07/06 12:01:15, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [miller] -> [miller] -> [miller] succeeded
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain SHETLAND -> S-1-5-21-194255544-2319376921-1693202501
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain SHETLAND -> S-1-5-21-194255544-2319376921-1693202501
[2004/07/06 12:01:15, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2004/07/06 12:01:15, 2] smbd/server.c:exit_server(568)
  Closing connections

As you can see, my userid and password are accepted, but something to do with the domain SID for SHETLAND is causing access to be denied. I'm really not sure what is causing this problem. I have configured Samba to act as a domain controller, but that was a few years ago with Windows NT - things have obviously changed since then :-)

Here's my smb configuration, as returned from testparm:

Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = SHETLAND
        log level = 2
        log file = /var/log/samba/log.%m
        time server = Yes
        server signing = Yes
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        logon script = logon.bat
        logon path = \\%L\profiles\%u\%m
        logon drive = H:
        logon home = \\%L\%u\.win_profile\%m
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes

[netlogon]
        path = /usr/local/samba/lib/netlogon
        guest ok = Yes
        browseable = No

[profiles]
        path = /usr/local/samba/lib/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[homes]
        read only = No
        browseable = No

I've googled, and have not found any solutions, so I'm tossing out this query to the list - any suggestions are certainly welcome.

Cheers!

-klm.
Michael Lueck
2004-Jul-07 01:57 UTC
[Samba] Re: ACCESS DENIED when trying to log into domain
Ken Miller wrote:
> However, when I try and connect to the domain, I get an 'Access Denied' message after entering my userid and password.

What client OS? If NT/2K/XPPro, have you joined it to the domain successfully? You need a user ID on the Samba box set up as a Domain Admin to use to join these OS's to your domain. I assume you are using a smbpasswd back end; you did add the user ID to that database?

Some of the text within my ramblings to this list on net groupmap apply to the topic of creating a domain admin account. You might read through the small office example URL on the Samba web site I posted in that thread as well. Sounds like what you are up to is what that describes.

-- 
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
Markus Benkovski
2004-Jul-07 12:30 UTC
[Samba] Re: ACCESS DENIED when trying to log into domain
For a successful samba3.x domain controller you need to make sure of a few things:

- your NT to Unix group map
- IP and hostname in the hosts file
- proper scripts in smb.conf
- proper user map in smbusers (if necessary for your purpose)

Here is an example of my smb.conf; of course sub "MY-DOMAIN" for yours.

-------------------------------------------------------------------------------------------------
# Global parameters
[global]
        workgroup = MY-DOMAIN
        realm = MY-DOMAIN
        server string = Linux
        security = DOMAIN
        map to guest = Bad Password
        passwd program = /etc/samba/smbpasswd
        unix password sync = Yes
        passwd chat = *old password* %o\n *new password* %n\n *new password* %n\n *changed*
        passwd chat debug = false
        max log size = 50
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd %u
        delete user script = /usr/sbin/userdel %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        delete user from group script = /usr/sbin/deluser %u %g
        add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
        logon script = %G.bat
        logon path =
        domain logons = Yes
        os level = 65
        lm announce = Yes
        preferred master = Yes
        domain master = Yes
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        admin users = your_admin_accounts
        printer admin = your_admin_accounts

[NETLOGON]
        comment = NETLOGON SHARE
        path = /home/samba/NETLOGON
-------------------------------------------------------------------------------------------------

Markus Benkovszki

ALSO make sure your user group mapping is bang on. I've had some major issues arise with bad mappings.

Hope this helps.
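An added check, not from any poster in this thread, for the group-mapping point both replies make: it parses the text that `net groupmap list` prints on a Samba 3 PDC ("NT name (SID) -> unixgroup", with -1 for a group that has no Unix group yet) and reports which of the well-known domain groups are still unmapped. The listing it runs on is a constructed sample that reuses the SHETLAND domain SID from the original post; UNIXGROUP in the suggested command is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a Samba 3 `net groupmap list`
# listing for the well-known domain groups a PDC needs. Each line has the
# form "NT name (SID) -> unixgroup"; an unmapped group shows "-1".
# SAMPLE_GROUPMAP is constructed input reusing the SHETLAND SID from the post.

SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-194255544-2319376921-1693202501-512) -> -1
Domain Users (S-1-5-21-194255544-2319376921-1693202501-513) -> users
Domain Guests (S-1-5-21-194255544-2319376921-1693202501-514) -> nobody'

# Well-known RIDs and the NT group names they belong to.
nt_name_for_rid() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        *)   echo "RID $1" ;;
    esac
}

# Prints the Unix group mapped to RID $2 in listing $1, or nothing if the
# RID does not appear in the listing at all.
unix_group_for_rid() {
    printf '%s\n' "$1" | sed -n "s/^.*-$2) -> //p"
}

# Prints the well-known RIDs (space separated) that are missing from the
# listing or mapped to -1; prints nothing when all three are mapped.
check_groupmap() {
    _bad=""
    for rid in 512 513 514; do
        _ug=$(unix_group_for_rid "$1" "$rid")
        if [ -z "$_ug" ] || [ "$_ug" = "-1" ]; then
            _bad="${_bad:+$_bad }$rid"
        fi
    done
    echo "$_bad"
}

# Prints the `net groupmap add` command that creates the missing mapping.
# UNIXGROUP is a placeholder for the local Unix group to map it to.
suggest_fix() {
    echo "net groupmap add ntgroup=\"$(nt_name_for_rid "$1")\" unixgroup=UNIXGROUP rid=$1 type=d"
}

# Stand-alone run: report each unmapped group in the sample and its fix.
for rid in $(check_groupmap "$SAMPLE_GROUPMAP"); do
    echo "unmapped: $(nt_name_for_rid "$rid") (RID $rid)"
    suggest_fix "$rid"
done
```

On a live PDC, feed it the real listing with `check_groupmap "$(net groupmap list)"`.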