I patched samba to always return ACCESS_GRANTED for testing.
So I came to this:
IASSAM.LOG
[556] 23:23:53:671: Inserting attribute msNPAllowDialin.
[556] 23:23:53:671: Successfully retrieved per-user attributes.
Dialin now "only" fails with "Dialin not allowed for user",
but I'm not able
to set it in UserMgr.
Is it difficult to map this attribute?
Daniel
-----Urspr?ngliche Nachricht-----
Von: Andrew Bartlett [mailto:abartlet@samba.org]
Gesendet: Samstag, 11. Oktober 2003 02:17
An: Beschorner Daniel
Cc: 'samba@lists.samba.org'
Betreff: Re: [Samba] W2K RAS Server in Samba 3.0.0 Domain
On Sat, 2003-10-11 at 02:37, Beschorner Daniel wrote:> We set up a DialIn W2K SP4 member server in our Samba 3.0.0 domain.
>
> When a client dials in the RAS server complains:
>
> Error 930: The authentication server did not respond to authentication
> requests in a timely fashion.
>
>
> I tracked down the RAS logfile IASSAM.LOG:
>
> [576] 18:30:34:921: NT-SAM Names handler received request with user
identity> root.
> [576] 18:30:34:921: Prepending default domain.
> [576] 18:30:34:921: SAM-Account-Name is "DOMAIN\root".
> [576] 18:30:34:921: NT-SAM Authentication handler received request for
> DOMAIN\root.
> [576] 18:30:34:921: Processing MS-CHAP v2 authentication.
> [576] 18:30:34:968: LogonUser succeeded.
> [576] 18:30:34:968: NT-SAM User Authorization handler received request for
> DOMAIN\root.
> [576] 18:30:34:968: Using downlevel dial-in parameters.
> [576] 18:30:34:968: DS not installed for domain DOMAIN.
> [576] 18:30:34:968: Connecting to SAM server on \\SERVER.
> [576] 18:30:35:093: Connecting to SAM server on \\SERVER.
> [576] 18:30:35:093: Per-user attribute retrieval failed: Access denied
>
>
> Here a corresponding "suspect" part of the level 10 smbd.log that
breaks
> it?!?
>
>
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806)
> 0028 buffer : D.O.M.A.I.N.
> [2003/10/10 18:30:37, 4]
> rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
> Found policy hnd[0] [000] 00 00 00 00 02 00 00 00 00 00 00 00 AD DE 86
3F> ........ ....??.?
> [010] 56 50 00 00 VP..
> [2003/10/10 18:30:37, 5]
> rpc_server/srv_samr_nt.c:access_check_samr_function(106)
> _samr_lookup_domain: access check ((granted: 0x00000020; required:
> 0x00000010)
> [2003/10/10 18:30:37, 2]
> rpc_server/srv_samr_nt.c:access_check_samr_function(115)
> _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020; required:
> 0x00000010)
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_debug(81)
> 000000 samr_io_r_lookup_domain
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_uint32(634)
> 0000 ptr: 00000000
> [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_ntstatus(664)
> 0004 status: NT_STATUS_ACCESS_DENIED
This looks like a bug to me - can you file it in bugzilla.samba.org - I
was involved in adding the access controls here, and I know there are
issues - we didn't get all the access masks perfect.
However, even when access is permitted, I'm not sure we serve up all the
right attributes anyway...
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net