Jérôme Fenal
2003-Nov-21 11:43 UTC
[Samba] Samba3 and Domain Admin group mapping and use pbms.
Bon appétit to all,

I have a small problem regarding delegation of domain administrator rights to a 'normal' user (i.e. not root, uid != 0). I may have fooled myself into believing it is possible in Samba3, reading Samba-HOWTO-Collection.html#WKURIDS, that a user could also be a domain admin.

I've created group mappings (with good RIDs) for the main groups (i.e. SID-512, SID-513, SID-514; I even tested SID-544, SID-548) and associated my user `jerome' to SID-512, the Domain Admins group. Then, with that user logged on to a freshly joined XP workstation, I've tried to launch MS usermgr.exe to manage users. It used to work when my user jerome was in the [global] `admin users=' clause, but no more now.

I have the following messages in the log. Since I don't know what an ACE is, I can't go further, and am asking (once again) for help:

[2003/11/21 12:16:06, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_open_group: access check ((granted: 0x00020381; required: 0x00000200)
[2003/11/21 12:16:06, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x0000001f, for NT token with 7 entries and first sid S-1-5-21-1150874807-1180408084-xxxxxxxxx-3000.
[2003/11/21 12:16:06, 3] lib/util_seaccess.c:se_access_check(251)
[2003/11/21 12:16:06, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-1150874807-1180408084-429402335-3000
  se_access_check: also S-1-5-21-1150874807-1180408084-xxxxxxxxx-2027
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1150874807-1180408084-xxxxxxxxx-513
  se_access_check: also S-1-5-21-1150874807-1180408084-xxxxxxxxx-512
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20011, current desired = 1f
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f001f, current desired = e
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f001f, current desired = e
[2003/11/21 12:16:06, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (1f) denied.
[2003/11/21 12:16:06, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_group: ACCESS DENIED (requested: 0x0000001f)

My questions:
- Am I really fooling myself in believing it is possible?
- Am I stuck with using 'admin users = too,many,users,here,mapped,to,root'?
- What is the sambaGroupType in LDAP (I noticed that 2 is domain group, 5 is builtin)? What are the other values?
- Are the builtins cited at Samba-HOWTO-Collection.html#WKURIDS really groups?
- Are they usable for a user, as it seems se_access_check looks for them?
- Should I first rebuild my config with TDBSAM (as advised in Chapter 12, #id2895268) and then migrate it to LDAP?

My setup (same as last time):
- Samba 3.0.1pre3 (RPM recompiled at home from the samba.org SRPM);
- OpenLDAP 2.0.27 (stock RH9) + Solaris RootDSE patch, all on RH9;
- Two LDAP servers (one master, one slave, replication of the whole base);
- Samba set up as PDC + BDC, using the Samba3 LDAP schema.
Best, best regards,
Jérôme
--
Jérôme Fenal - Unix/SAN/Free Software Consultant
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>
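To make the quoted se_access_check lines concrete, here is an added Python replay of the ACL walk they describe (illustrative code, not from the post or from Samba's util_seaccess.c): it parses the token and ACE lines, re-runs the check for the requested mask 0x1f, and then shows which SID in the token would have satisfied the DACL. The sample log is constructed from the post's lines, using the one domain SID printed unmasked for every entry (the post masks the others as xxxxxxxxx); the regular expressions, function names and the deny-ACE branch are assumptions of this example, not something the post shows.

```python
"""Replay of the se_access_check DACL walk quoted in the post (illustrative, not Samba code)."""
import re
from dataclasses import dataclass

# Constructed sample: the token and ACE lines from the post's log. The domain SID
# 429402335 is the one value the post prints unmasked; using it for every entry
# is an assumption of this example.
SAMPLE_LOG = """\
se_access_check: user sid is S-1-5-21-1150874807-1180408084-429402335-3000
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-2027
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-513
se_access_check: also S-1-5-21-1150874807-1180408084-429402335-512
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20011, current desired = 1f
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f001f, current desired = e
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f001f, current desired = e
"""

ACCESS_ALLOWED = 0  # NT ACE type values; the quoted log only contains type 0
ACCESS_DENIED = 1


@dataclass(frozen=True)
class Ace:
    ace_type: int
    sid: str
    mask: int


SID = r"S-1(?:-[0-9]+)+"
TOKEN_RE = re.compile(rf"se_access_check: (?:user sid is|also) ({SID})")
ACE_RE = re.compile(
    rf"ACE (\d+): type (\d+), flags = 0x[0-9a-fA-F]+, SID = ({SID}) mask = ([0-9a-fA-F]+)"
)


def parse_log(lines):
    """Return (token SIDs in logged order, ACEs in DACL order) from se_access_check lines."""
    token, aces = [], []
    for line in lines:
        m = TOKEN_RE.search(line)
        if m:
            token.append(m.group(1))
            continue
        m = ACE_RE.search(line)
        if m:
            aces.append(Ace(int(m.group(2)), m.group(3), int(m.group(4), 16)))
    return token, aces


def access_check(token_sids, aces, desired):
    """Walk the DACL the way the log reports it: each allow ACE whose SID is in the
    token clears its mask bits from the still-desired set; a deny ACE whose SID is
    in the token and overlaps the still-desired bits stops the walk (standard NT
    DACL semantics, assumed here; the quoted log shows only allow ACEs).
    Returns (granted, bits still not granted)."""
    token = set(token_sids)
    remaining = desired
    for ace in aces:
        if ace.sid not in token:
            continue
        if ace.ace_type == ACCESS_DENIED and remaining & ace.mask:
            return False, remaining
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, 0
    return remaining == 0, remaining


def replay(log=SAMPLE_LOG, desired=0x1F, extra_sids=()):
    """Run the check for the post's request (0x1f); extra_sids lets you add group SIDs
    to the token to see which membership would have satisfied the DACL."""
    token, aces = parse_log(log.splitlines())
    return access_check(list(token) + list(extra_sids), aces, desired)


if __name__ == "__main__":
    print("as logged:              ", replay())
    print("with S-1-5-32-544 added:", replay(extra_sids=["S-1-5-32-544"]))
```

Read against the log: ACE 0 (S-1-1-0, mask 0x20011) clears bits 0x11 of the requested 0x1f and leaves 0xe, which is exactly the "current desired = e" the log prints at ACE 1; ACE 1 and ACE 2 grant 0xf001f, but only to S-1-5-32-544 and S-1-5-32-548, and neither SID is in the token, which carries the domain's -512 instead. Adding S-1-5-32-544 to the token is what makes the replay succeed, which is the membership the quoted DACL is keyed on.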