thr3ads.net - samba - [Samba] LDAP - _samr_open_domain: ACCESS DENIED [Jan 2004]

If this information is useful, please help other people find it:
Share via:

Erik Holst Trans

2004-Jan-27 20:12 UTC

[Samba] LDAP - _samr_open_domain: ACCESS DENIED

Hi,

I am trying to get samba running with LDAP password backend, but having 
some trouble with the rights.

Dist. : SuSE 9.0
LDAP: OpenLDAP 2.1.22
Samba: 3.0.1

It work's great when i login in for a Win98 box, but when i try to 
import a WinXP box i get the following in my log file.

//--snip--
[2004/01/27 20:36:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [administrator] -> 
[administrator] -> [Administrator] succeeded
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> 
S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] 
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> 
S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] 
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 
0x00000010)
[2004/01/27 20:36:25, 2] smbd/server.c:exit_server(558)
  Closing connections
//--snip--

I suppose my problem is in the groupmapping's. ?
My current mappings are like below:

Domain Admins (S-1-5-21-3079347702-147214601-1898991890-512) -> Domain 
Admins
Domain Users (S-1-5-21-3079347702-147214601-1898991890-513) -> Domain Users
Domain Guests (S-1-5-21-3079347702-147214601-1898991890-514) -> Domain 
Guests
Administrators (S-1-5-21-3079347702-147214601-1898991890-544) -> 
Administrators
users (S-1-5-21-3079347702-147214601-1898991890-545) -> Users
Guests (S-1-5-21-3079347702-147214601-1898991890-546) -> Guests
Power Users (S-1-5-21-3079347702-147214601-1898991890-547) -> Power Users
Account Operators (S-1-5-21-3079347702-147214601-1898991890-548) -> 
Account Operators
Server Operators (S-1-5-21-3079347702-147214601-1898991890-549) -> 
Server Operators
Print Operators (S-1-5-21-3079347702-147214601-1898991890-550) -> Print 
Operators
Backup Operators (S-1-5-21-3079347702-147214601-1898991890-551) -> 
Backup Operators
Replicator (S-1-5-21-3079347702-147214601-1898991890-552) -> Replicator
Domain Computers (S-1-5-21-3079347702-147214601-1898991890-553) -> 
Domain Computers

This is the default after running "smbldap-populate.pl" from the
ldap-tools.
 From the documentation, the "Domain Admins" have to be mapped to 
unixgroup=root or another group with gidnumber=0 (Right ?)
Now, executing "net groupmap modify ntgroup="Domain Admins" 
unixgroup=root type=domain" is succesfull, but the mappings don't
change
"Domain Admins" is stille pointing at "Domain Admins" ?

I also tried to create a posix group in LDAP with gidnumber=0, and made 
a mapping from the "Domain Admins" but the mapping still don't
change.


Could some one kindly point me in the right direction.

Thanks.


Best regards
Erik

Reasonably Related Threads

Search for more apparently analagous threads

samba - Jan 2004 - LDAP - _samr_open_domain: ACCESS DENIED

[Samba] LDAP - _samr_open_domain: ACCESS DENIED

Reasonably Related Threads

Wisdom of the Ancients