samba - Oct 2003 - W2K RAS Server in Samba 3.0.0 Domain

We set up a DialIn W2K SP4 member server in our Samba 3.0.0 domain.

When a client dials in the RAS server complains:

Error 930: The authentication server did not respond to authentication
requests in a timely fashion. 


I tracked down the RAS logfile IASSAM.LOG:

[576] 18:30:34:921: NT-SAM Names handler received request with user identity
root.
[576] 18:30:34:921: Prepending default domain.
[576] 18:30:34:921: SAM-Account-Name is "DOMAIN\root".
[576] 18:30:34:921: NT-SAM Authentication handler received request for
DOMAIN\root.
[576] 18:30:34:921: Processing MS-CHAP v2 authentication.
[576] 18:30:34:968: LogonUser succeeded.
[576] 18:30:34:968: NT-SAM User Authorization handler received request for
DOMAIN\root.
[576] 18:30:34:968: Using downlevel dial-in parameters.
[576] 18:30:34:968: DS not installed for domain DOMAIN.
[576] 18:30:34:968: Connecting to SAM server on \\SERVER.
[576] 18:30:35:093: Connecting to SAM server on \\SERVER.
[576] 18:30:35:093: Per-user attribute retrieval failed: Access denied


Here a corresponding "suspect" part of the level 10 smbd.log that
breaks
it?!?


[2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
          0028 buffer     : D.O.M.A.I.N.
[2003/10/10 18:30:37, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 02 00 00 00  00 00 00 00 AD DE 86 3F
........ ....??.?
  [010] 56 50 00 00                                       VP..
[2003/10/10 18:30:37, 5]
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_lookup_domain: access check ((granted: 0x00000020;  required:
0x00000010)
[2003/10/10 18:30:37, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020;  required:
0x00000010)
[2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 samr_io_r_lookup_domain
[2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
      0000 ptr: 00000000
[2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_ntstatus(664)
      0004 status: NT_STATUS_ACCESS_DENIED

Or is it a configuration problem?
Anyone got this configuration to work???

Thanks
Daniel

On Sat, 2003-10-11 at 02:37, Beschorner Daniel wrote:
> We set up a DialIn W2K SP4 member server in our Samba 3.0.0 domain.
> 
> When a client dials in the RAS server complains:
> 
> Error 930: The authentication server did not respond to authentication
> requests in a timely fashion. 
> 
> 
> I tracked down the RAS logfile IASSAM.LOG:
> 
> [576] 18:30:34:921: NT-SAM Names handler received request with user
identity
> root.
> [576] 18:30:34:921: Prepending default domain.
> [576] 18:30:34:921: SAM-Account-Name is "DOMAIN\root".
> [576] 18:30:34:921: NT-SAM Authentication handler received request for
> DOMAIN\root.
> [576] 18:30:34:921: Processing MS-CHAP v2 authentication.
> [576] 18:30:34:968: LogonUser succeeded.
> [576] 18:30:34:968: NT-SAM User Authorization handler received request for
> DOMAIN\root.
> [576] 18:30:34:968: Using downlevel dial-in parameters.
> [576] 18:30:34:968: DS not installed for domain DOMAIN.
> [576] 18:30:34:968: Connecting to SAM server on \\SERVER.
> [576] 18:30:35:093: Connecting to SAM server on \\SERVER.
> [576] 18:30:35:093: Per-user attribute retrieval failed: Access denied
> 
> 
> Here a corresponding "suspect" part of the level 10 smbd.log that
breaks
> it?!?
> 
> 
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
>           0028 buffer     : D.O.M.A.I.N.
> [2003/10/10 18:30:37, 4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
>   Found policy hnd[0] [000] 00 00 00 00 02 00 00 00  00 00 00 00 AD DE 86
3F
> ........ ....??.?
>   [010] 56 50 00 00                                       VP..
> [2003/10/10 18:30:37, 5]
> rpc_server/srv_samr_nt.c:access_check_samr_function(106)
>   _samr_lookup_domain: access check ((granted: 0x00000020;  required:
> 0x00000010)
> [2003/10/10 18:30:37, 2]
> rpc_server/srv_samr_nt.c:access_check_samr_function(115)
>   _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020;  required:
> 0x00000010)
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_debug(81)
>   000000 samr_io_r_lookup_domain
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
>       0000 ptr: 00000000
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_ntstatus(664)
>       0004 status: NT_STATUS_ACCESS_DENIED
This looks like a bug to me - can you file it in bugzilla.samba.org - I
was involved in adding the access controls here, and I know there are
issues - we didn't get all the access masks perfect.

However, even when access is permitted, I'm not sure we serve up all the
right attributes anyway...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20031011/8c4fd697/attachment.bin