paul.simons@esca.com
2003-Aug-21 20:22 UTC
[Samba] Samba 3.0, ldapsam: joining the domain results in "Access Denied"
athena:/home/paul# smbd -V
Version 3.0.0beta2-1 for Debian

paul@athena:~$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
	workgroup = SIMONET
	server string = %h server (Samba %v)
	obey pam restrictions = Yes
	passdb backend = ldapsam:ldap://ldap.thesimonet.org, tdbsam, guest
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
	unix password sync = Yes
	log level = 3 passdb:100 auth:10 winbind:2
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	logon script = logon.cmd
	logon path = \\%N\profiles\%u
	logon drive = H:
	logon home = \\%N\%u\winhome
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	ldap suffix = dc=thesimonet,dc=org
	ldap machine suffix = ou=Systems,dc=thesimonet,dc=org
	ldap user suffix = ou=People
	ldap group suffix = dc=thesimonet,dc=org
	ldap idmap suffix = dc=thesimonet,dc=org
	ldap admin dn = "cn=sadmin,dc=thesimonet,dc=org"
	ldap ssl = no
	ldap passwd sync = Yes
	ldap trust ids = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	invalid users = root
	root preexec = /home/samba/netlogon/ntlogon --user=%U --os=%m
	root postexec = rm /home/samba/netlogon/%U.bat

[homes]
	comment = Home Directories
	read only = No
	create mask = 0700
	directory mask = 0700
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /home/samba/netlogon
	guest ok = Yes
	share modes = No

(A quick note: "ldap machine suffix = ou=Systems,dc=thesimonet,dc=org" should just be "ldap machine suffix = ou=Systems", but "ldap suffix" is not getting added when the machine is registered via "smbpasswd -a -m bacuss". This results in a search for "uid=bacuss,ou=Systems" which the ldap server tries to refer.)

(Another note: I am testing this with one server (athena) and one client (bacuss). So I created the machine account by hand. So there are no add/delete * scripts.)

# bacuss$, Systems, thesimonet.org
dn: uid=bacuss$,ou=Systems,dc=thesimonet,dc=org
uid: bacuss$
sambaSID: S-1-5-21-3722257784-14983886-1453651345-21010
sambaPrimaryGroupSID: S-1-5-21-3722257784-14983886-1453651345-513
sambaPwdCanChange: 1061225321
sambaPwdMustChange: 1063039721
sambaLMPassword: 437E466A847F7E44AAD3B435B51404EE
sambaNTPassword: D8DD573C9AB2DC4235BEE4A34F0B40C7
sambaPwdLastSet: 1061225321
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account

The whole reason for this exercise is to establish a Single Sign On environment. I have the Linux side working well using PAM/NSS_LDAP.

It seems that the relevant part of the log is as follows:

api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPEN_DOMAIN
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44 3F ........ .....XD?
  [010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(267)
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(268)
  se_access_check: user sid is S-1-5-21-3722257784-14983886-1453651345-500
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-3001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-512
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-513
[2003/08/20 22:29:32, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
  free_pipe_context: destroying talloc pool of size 732
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
  Transaction 31 of length 140
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
  switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
  trans <\PIPE\> data=52 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
  named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
  search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
  Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context: destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
  Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
  api_rpcTNP: samr op 0x6 - api_rpcTNP: rpc command: SAMR_ENUM_DOMAINS
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44 3F ........ .....XD?
  [010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
  free_pipe_context: destroying talloc pool of size 1080
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
  Transaction 32 of length 166
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
  switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
  trans <\PIPE\> data=78 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
  named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
  search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
  Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context: destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
  Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
  api_rpcTNP: samr op 0x5 - api_rpcTNP: rpc command: SAMR_LOOKUP_DOMAIN
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44 3F ........ .....XD?
  [010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2513)
  Returning domain sid for domain SIMONET -> S-1-5-21-3722257784-14983886-1453651345
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
  free_pipe_context: destroying talloc pool of size 14
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
  Transaction 33 of length 164
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
  switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
  trans <\PIPE\> data=76 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
  named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
  search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
  Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context: destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
  Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
  api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPEN_DOMAIN
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 04 00 00 00 00 00 00 00 BC 58 44 3F ........ .....XD?
  [010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(267)
[2003/08/20 22:29:32, 3] lib/util_seaccess.c:se_access_check(268)
  se_access_check: user sid is S-1-5-21-3722257784-14983886-1453651345-500
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-3001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-512
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-513
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(142)
  Opened policy hnd[3]
  [000] 00 00 00 00 05 00 00 00 00 00 00 00 BC 58 44 3F ........ .....XD?
  [010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
  free_pipe_context: destroying talloc pool of size 732
[2003/08/20 22:29:32, 3] smbd/process.c:process_smb(882)
  Transaction 34 of length 176
[2003/08/20 22:29:32, 3] smbd/process.c:switch_message(676)
  switch message SMBtrans (pid 8697)
[2003/08/20 22:29:32, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2003/08/20 22:29:32, 3] smbd/ipc.c:reply_trans(512)
  trans <\PIPE\> data=88 params=0 setup=2
[2003/08/20 22:29:32, 3] smbd/ipc.c:named_pipe(326)
  named pipe command on <> name
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1149)
  search for pipe pnum=7148
[2003/08/20 22:29:32, 3] smbd/ipc.c:api_fd_reply(288)
  Got API command 0x26 on pipe "samr" (pnum 7148)free_pipe_context: destroying talloc pool of size 0
[2003/08/20 22:29:32, 3] rpc_server/srv_pipe.c:api_pipe_request(1411)
  Doing \PIPE\samr
[2003/08/20 22:29:32, 4] rpc_server/srv_pipe.c:api_rpcTNP(1457)
  api_rpcTNP: samr op 0x32 - api_rpcTNP: rpc command: SAMR_CREATE_USER
[2003/08/20 22:29:32, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 05 00 00 00 00 00 00 00 BC 58 44 3F ........ .....XD?
  [010] F9 21 00 00 .!..
[2003/08/20 22:29:32, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)

I have avoided using the root account because the Debian distro discourages putting system accounts into LDAP because Debian tweaks them on occasion (which brings up the whole issue of account maintenance when not using files). I created an account:

# sadmin, People, thesimonet.org
dn: uid=sadmin,ou=People,dc=thesimonet,dc=org
mail: sadmin@thesimonet.org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 12281
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/false
uidNumber: 106
homeDirectory: /home/sadmin
sambaPrimaryGroupSID: S-1-5-21-3722257784-14983886-1453651345-132069
displayName: sadmin
sambaPwdCanChange: 1061095010
sambaPwdMustChange: 1062909410
sambaLMPassword: CD348F99AFB68E0F276E9808ECE6D2AD
sambaNTPassword: 5612B876FA7C7E54FF7AF621843F55CE
sambaPwdLastSet: 1061095010
sambaAcctFlags: [U ]
userPassword:: e1NNRDV9aXdoc05CU3Q3YzJMNmN1K0ZpWW12Y0gyTnkwPQ=
gidNumber: 0
uid: sadmin
cn: sadmin
sn: sadmin
sambaSID: S-1-5-21-3722257784-14983886-1453651345-1212

I also have used an account called paul (which exists on both the server and the client) (sadmin only exists on the server). I have changed the RID to 500 on each account during testing (currently it is with paul; the log above was generated while using the paul account with a RID of 500).

Could it be that the above error was generated because there is no add machine script? And I'm back to that whole issue of LDAP account maintenance.

After having read much, I am really confused about the account that can be used to administer the domain. Does it have to be "root"? Does it have to exist on both machines? If it doesn't, do you have to map an administrator account on the client to "root" on the server?
I think this is all pre 3.0. With 3.0, does a RID of 500 mean that account is the domain administrator?

Thank you for a truly phenomenal example of Open Source software.

-- 
Paul Simons
Bellevue, WA
ALSTOM's T&D Energy Automation & Information Business
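As an added example (not part of the original post or of Samba itself), the following Python script decodes the two ACCESS DENIED lines in the log above: it names the SAMR domain access-mask bits (using the Domain ACCESS_MASK values from MS-SAMR) in the mask the client requested, the mask it was granted and the bit SAMR_CREATE_USER still needed, and labels the SIDs smbd attached to the caller's token (well-known SIDs and the well-known RIDs 500, 512 and 513). The sample log is constructed from the lines quoted in the post; the bit names and SID labels are assumptions taken from the public specifications, not from the Samba source.

```python
import re
# SAMR domain-object access-mask bits (MS-SAMR, Domain ACCESS_MASK values).
DOMAIN_ACCESS_BITS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS", 0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS", 0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER", 0x020: "DOMAIN_CREATE_GROUP", 0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP", 0x100: "DOMAIN_LIST_ACCOUNTS", 0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK", "S-1-5-11": "Authenticated Users"}
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
SID_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-1-[\d-]+)")
DENIED_RE = re.compile(r"(_samr_\w+): ACCESS DENIED \((?:requested: (0x[0-9A-Fa-f]+)"
                       r"|granted: (0x[0-9A-Fa-f]+); required: (0x[0-9A-Fa-f]+))\)")

def decode_mask(mask):
    # Names of the domain-access bits set in mask, lowest bit first.
    return [name for bit, name in sorted(DOMAIN_ACCESS_BITS.items()) if mask & bit]

def label_sid(sid):
    # Well-known SID, well-known domain RID, or just the raw RID for anything else.
    rid = int(sid.rsplit("-", 1)[1])
    return WELL_KNOWN_SIDS.get(sid) or WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)

def triage(log_text):
    # Returns (token, findings): the SIDs smbd attached to the caller, and each denial decoded.
    token = {sid: label_sid(sid) for sid in SID_RE.findall(log_text)}
    findings = []
    for func, requested, granted, required in DENIED_RE.findall(log_text):
        if requested:  # OpenDomain refused the handle outright: show what the client asked for
            findings.append((func, "requested", decode_mask(int(requested, 16))))
        else:          # a later call needed bits that the granted handle does not carry
            missing = int(required, 16) & ~int(granted, 16)
            findings.append((func, "missing", decode_mask(missing)))
    return token, findings

# Constructed sample: the decisive lines of the smbd log quoted in the post, condensed.
SAMPLE_LOG = """\
  se_access_check: user sid is S-1-5-21-3722257784-14983886-1453651345-500
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-3001
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-512
  se_access_check: also S-1-5-21-3722257784-14983886-1453651345-513
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the full log file instead of SAMPLE_LOG, the output shows that the first OpenDomain asked for DOMAIN_CREATE_USER, the handle that was eventually opened (granted 0x201) lacks exactly that bit, and the caller's token carries RID 500 and Domain Admins (RID 512) but no BUILTIN group SIDs.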