Duncan Brannen
2008-Aug-25 13:57 UTC
[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
Hi All,

I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell but the command returns NT_STATUS_ACCESS_DENIED.

This is on Solaris 10 (Sparc) and Samba 3.2.1; OS and Samba are both configured to look up users and groups in LDAP.

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns NT_STATUS_MEMBER_NOT_IN_GROUP and the user is not removed from the group in LDAP (running smbldap-groupmod manually removes the user from LDAP).

In smb.conf, I have

add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"

With log level set to 10 I see the following for the add that may or may not be relevant.

Should the access check granted and required values be equal?

[2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
  api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
  api_rpc_cmds[22].fn == 200be4
  samr_AddGroupMember: struct samr_AddGroupMember
    in: struct samr_AddGroupMember
      group_handle : *
        group_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 05000000-0000-0000-b248-b49e90510000
      rid : 0x00000bb8 (3000)
      flags : 0x00000005 (5)
[2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
  Found policy hnd[0]
  [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E ........ .....H..
  [010] 90 51 00 00 .Q..
[2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_AddGroupMember: access check ((granted: 00000f001f; required: 0000000004)
[2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
  sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
  get_domain_group_from_sid

...

[2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
  smb_add_user_group: Running the command `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
  LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
  samr_AddGroupMember: struct samr_AddGroupMember
    out: struct samr_AddGroupMember
      result : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value

_samr_DeleteGroupMember: access check ((granted: 00000f001f; required: 0000000008)

then

Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
  LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
  samr_DeleteGroupMember: struct samr_DeleteGroupMember
    out: struct samr_DeleteGroupMember
      result : NT_STATUS_MEMBER_NOT_IN_GROUP

Any thoughts or pointers as to where I should be looking?

Thanks,
Duncan

-- 
The University of St Andrews is a charity registered in Scotland : No SC013532
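An added example, not part of Duncan's post or of Samba's own code: it parses the two access-check lines quoted in the log above (the hex masks are copied from those lines) and applies the subset test that Samba's access_check_samr_function performs, so the granted mask does not have to equal the required one, it only has to contain every required bit. Which bits are missing, if any, is reported so the reader can tell whether the SAMR access check or a later step is the source of a denial.

```python
import re

# Constructed copies of the two access-check lines from the log above.
LOG_LINES = [
    "_samr_AddGroupMember: access check ((granted: 00000f001f; required: 0000000004)",
    "_samr_DeleteGroupMember: access check ((granted: 00000f001f; required: 0000000008)",
]

# Matches "<function>: access check ((granted: <hex>; required: <hex>)";
# the masks may or may not carry a 0x prefix depending on log formatting.
ACCESS_RE = re.compile(
    r"(?P<func>\w+): access check \(\(granted: (?:0x)?(?P<granted>[0-9a-fA-F]+); "
    r"\s*required: (?:0x)?(?P<required>[0-9a-fA-F]+)\)"
)


def parse_access_check(line):
    """Return (function, granted_mask, required_mask), or None if the line is not an access check."""
    m = ACCESS_RE.search(line)
    if m is None:
        return None
    return m.group("func"), int(m.group("granted"), 16), int(m.group("required"), 16)


def access_check_passes(granted, required):
    """Samba's test: every bit in 'required' must be set in 'granted'.
    Equality is not needed; a handle normally carries more rights than one call uses."""
    return (granted & required) == required


def missing_bits(granted, required):
    """Required bits that the handle does not grant (0 when the check passes)."""
    return required & ~granted


def evaluate(lines):
    """Evaluate every access-check line; keyed by the SAMR function name."""
    results = {}
    for line in lines:
        parsed = parse_access_check(line)
        if parsed is None:
            continue
        func, granted, required = parsed
        results[func] = {
            "granted": granted,
            "required": required,
            "passes": access_check_passes(granted, required),
            "missing": missing_bits(granted, required),
        }
    return results
```

For both lines in the log the required bit (0x4 for add, 0x8 for delete) is present in 0xf001f, so the SAMR access check itself passes and the denial must arise after it.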
John H Terpstra
2008-Aug-25 14:19 UTC
[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
> Hi All,
> I'm trying to add a user to a group using
>
> /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>
> The user is added to the group as far as I can tell but the command
> returns NT_STATUS_ACCESS_DENIED
>
> This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
> configured to lookup users and groups in LDAP.
>
> /usr/local/samba/bin/net rpc group members room11 -Uroot%password
> CROOMTEST\dunk
>
> Trying to remove the user from the group returns
> NT_STATUS_MEMBER_NOT_IN_GROUP and the user
> is not removed from the group in LDAP (running smbldap-groupmod manually
> removes the user from LDAP)
>
> In smb.conf, I have
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
> "%g"
>
> With log level set to 10 I see the following for the add that may or may
> not be relevant.
>
> Should the access check granted and required values be equal?
>
> [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
> api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
> [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
> api_rpc_cmds[22].fn == 200be4
> samr_AddGroupMember: struct samr_AddGroupMember
> in: struct samr_AddGroupMember
> group_handle : *
> group_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 05000000-0000-0000-b248-b49e90510000
> rid : 0x00000bb8 (3000)
> flags : 0x00000005 (5)
> [2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
> Found policy hnd[0]
> [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E ........ .....H..
> [010] 90 51 00 00 .Q..
> [2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
> _samr_AddGroupMember: access check ((granted: 00000f001f; required: 0000000004)
> [2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
> sid is S-1-5-21-440367617-1876916578-3462541782-3003
> [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
> get_domain_group_from_sid
>
> ...
>
> [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
> smb_add_user_group: Running the command
> `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
> [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
> sys_getgrouplist: user [dunk]
> [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> ...
> [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
> LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
> samr_AddGroupMember: struct samr_AddGroupMember
> out: struct samr_AddGroupMember
> result : NT_STATUS_ACCESS_DENIED
>
> For delmem I again get the same access check granted value
> _samr_DeleteGroupMember: access check ((granted: 00000f001f; required: 0000000008)
> then
> Get_Pwnam_internals did find user [dunk]!
> [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
> LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
> samr_DeleteGroupMember: struct samr_DeleteGroupMember
> out: struct samr_DeleteGroupMember
> result : NT_STATUS_MEMBER_NOT_IN_GROUP
>
>
> Any thoughts or pointers as to where I should be looking?

Have you tried to execute this script manually? Example:

smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP directory. Did you execute the following?:

smbpasswd -w LDAP_Secret_Password

Also, check that the user you are using to do this, and/or the group that user belongs to, has the rights and privileges needed to do this:

net rpc rights list accounts -Uroot%password

- John T.

-- 
John H Terpstra
"Don't do as I do; Show me better!" - Anonymous.