I am getting the following problem when I try to add new machines to the LDAP server.

<snip>
[2004/06/07 13:49:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: administrator
[2004/06/07 13:49:13, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 512
[2004/06/07 13:49:13, 2] passdb/pdb_ldap.c:init_group_from_ldap(1697)
  init_group_from_ldap: Entry found for group: 513
[2004/06/07 13:49:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [administrator] -> [administrator] succeeded
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain MYDOM -> S-1-5-21-2872XXXXXX-XXXXXXXXX-XXXXXXXXXX
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain MYDOM -> S-1-5-21-2872XXXXXX-XXXXXXXXX-XXXXXXXXXX
[2004/06/07 13:49:14, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2004/06/07 13:49:19, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/06/07 13:49:19, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/06/07 13:49:19, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: administrator
[2004/06/07 13:49:20, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [administrator] -> [administrator] succeeded
</snip>

I am very confused on how to proceed. net groupmap reveals that Domain Admins is mapped to the domadm LDAP group [gid=512]. Administrator's primary group is 512, and that seems to be fine. We tried several people, all w/ the same results.

Why am I getting ACCESS DENIED on the _samr_open_domain_? I don't understand that. Also, the create user fails. This seems to ignore my add machine script entirely.

Did I miss anything in samba setup? I have searched and searched the archives with the only possible explanation found being that my ldap admin had insufficient rights, or my user had insufficient rights.

Please help. AFAIK this worked prior to the last updates. I am using Fedora Core 1, with Samba-3.0.2-6.3 (Actually, now I am not sure about the 6.3). There is an update available, and I am planning on trying that. However I am very beleaguered by this problem.

smb.conf:

[global]
    debug level = 2
    workgroup = MYDOM
    server string = SVR1
    netbios name = SVR1
    add machine script = /usr/sbin/ldapaddmachine.save %m
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba/%m.log
    max log size = 50
    security = user
    encrypt passwords = yes
    ldap suffix = o=Myou,c=US
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ;; Work-around re: number failures, and numerous online notes.
    ;; Which is this supposed to be?
    ldap machine suffix = ou=Computers
    ;;ldap machine suffix = ou=Users
    ldap delete dn = no
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
    ldap admin dn = "cn=Manager,o=Myou,c=US"
    ldap ssl = off
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://localhost
    idmap backend = ldap:ldap://localhost
    ;; OS-Level incremented from 33 on 2004-06-4 by IMR.
    os level = 65
    local master = yes
    domain master = yes
    domain logons = yes
    logon script = logon.bat
    logon path = \\%L\Profiles\%U
    preserve case = yes
    short preserve case = yes
    default case = lower
    case sensitive = no
    dns proxy = no
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins server = 192.168.10.240

<shares removed>