Hello everyone,
I've been setting up Samba as a PDC with good success so far. I've
run into one problem though, and that's removing users from groups using
the 'net' utility. I seem to be able to add users to groups just fine
using something similar to the following:
net rpc group addmem "Domain Admins" bob
If I then type:
net rpc group members "Domain Admins"
it lists the user I just added bob. But if I then try to remove the user
with the following command:
net rpc group delmem "Domain Admins" bob
I get NT_STATUS_ACCESS_DENIED. Debug level 5 output is pasted below. Any
help would be greatly appreciated.
Thank you.
-------------------------------------------------------------------------------
root@nightwolf:~# net rpc group delmem "Domain Admins" -d 4 tjp
[2006/03/17 19:13:47, 3] param/loadparm.c:lp_load(4202)
lp_load: refreshing parameters
[2006/03/17 19:13:47, 3] param/loadparm.c:init_globals(1385)
Initialising global parameters
[2006/03/17 19:13:47, 3] param/params.c:pm_process(574)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2006/03/17 19:13:47, 3] param/loadparm.c:do_section(3657)
Processing section "[global]"
doing parameter workgroup = SAVAGEPHP
doing parameter netbios name = nightwolf
[2006/03/17 19:13:47, 4] param/loadparm.c:handle_netbios_name(2997)
handle_netbios_name: set global_myname to: NIGHTWOLF
doing parameter passdb backend = tdbsam
doing parameter enable privileges = Yes
doing parameter pam password change = Yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *New*Password* %n\n
*Re-enter*new*password*%n\n *Password*changed*
doing parameter username map = /etc/samba/smbusers
doing parameter log level = 1
doing parameter syslog = 0
doing parameter log file = /var/log/samba/%m
doing parameter max log size = 50
doing parameter smb ports = 139 445
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = CUPS
doing parameter show add printer wizard = No
doing parameter add user script = /usr/sbin/useradd -m '%u'
doing parameter delete user script = /usr/sbin/userdel -r '%u'
doing parameter add group script = /usr/sbin/groupadd '%g'
doing parameter delete group script = /usr/sbin/groupdel '%g'
doing parameter add user to group script = /usr/sbin/usermod -G '%g'
'%u'
doing parameter add machine script = /usr/sbin/useradd -s /bin/false
-d /tmp '%u'
doing parameter shutdown script = /var/lib/samba/scripts/shutdown.sh
doing parameter abort shutdown script = /sbin/shutdown -c
doing parameter logon script = scripts\logon.bat
doing parameter logon path = \\%L\profiles\%U
doing parameter logon drive = H:
doing parameter logon home = \\%L\%U
doing parameter domain logons = Yes
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter wins support = Yes
doing parameter utmp = Yes
doing parameter map acl inherit = Yes
doing parameter veto files = /*.eml/*.nws/*.{*}/
doing parameter veto oplock files = /*.doc/*.xls/*.mdb/
[2006/03/17 19:13:47, 4] param/loadparm.c:lp_load(4233)
pm_process() returned Yes
[2006/03/17 19:13:47, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.1.3 bcast=192.168.1.255 nmask=255.255.255.0
Password:
[2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_start_connection(1389)
Connecting to host=127.0.0.1
[2006/03/17 19:13:50, 3] lib/util_sock.c:open_socket_out(870)
Connecting to 127.0.0.1 at port 445
[2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(710)
Doing spnego session setup (blob length=16)
[2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(714)
server didn't supply a full spnego negprot
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(917)
Got challenge flags:
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60890235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(939)
NTLMSSP: Set final flags:
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/03/17 19:13:50, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine 127.0.0.1 pipe \lsarpc fnum 0x74d9 bind
request returned ok.
[2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine 127.0.0.1 pipe \samr fnum 0x74da bind
request returned ok.
[2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine 127.0.0.1 pipe \lsarpc fnum 0x74db bind
request returned ok.
Could not del tjp from Domain Admins: NT_STATUS_ACCESS_DENIED
[2006/03/17 19:13:50, 1] utils/net_rpc.c:run_rpc_command(169)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2006/03/17 19:13:50, 2] utils/net.c:main(878)
return code = 1
root@nightwolf:~#
I apologize, in the midst of all that debug info I provided I didn't give any info about my system. Running Slackware 10.1 on x86 Samba 3.0.21b I think that's all that's needed. Thanks. Bob Hope wrote:> Hello everyone, > > I've been setting up Samba as a PDC with good success so far. I've > run into one problem though, and that's removing users from groups using > the 'net' utility. I seem to be able to add users to groups just fine > using something similar to the following: > > net rpc group addmem "Domain Admins" bob > > If I then type: > > net rpc group members "Domain Admins" > > it lists the user I just added bob. But if I then try to remove the user > with the following command: > > net rpc group delmem "Domain Admins" bob > > I get NT_STATUS_ACCESS_DENIED. Debug level 5 output is pasted below. Any > help would be greatly appreciated. > > Thank you. > > ------------------------------------------------------------------------------- > root@nightwolf:~# net rpc group delmem "Domain Admins" -d 4 tjp > [2006/03/17 19:13:47, 3] param/loadparm.c:lp_load(4202) > lp_load: refreshing parameters > [2006/03/17 19:13:47, 3] param/loadparm.c:init_globals(1385) > Initialising global parameters > [2006/03/17 19:13:47, 3] param/params.c:pm_process(574) > params.c:pm_process() - Processing configuration file > "/etc/samba/smb.conf" > [2006/03/17 19:13:47, 3] param/loadparm.c:do_section(3657) > Processing section "[global]" > doing parameter workgroup = SAVAGEPHP > doing parameter netbios name = nightwolf > [2006/03/17 19:13:47, 4] param/loadparm.c:handle_netbios_name(2997) > handle_netbios_name: set global_myname to: NIGHTWOLF > doing parameter passdb backend = tdbsam > doing parameter enable privileges = Yes > doing parameter pam password change = Yes > doing parameter passwd program = /usr/bin/passwd %u > doing parameter passwd chat = *New*Password* %n\n > *Re-enter*new*password*%n\n *Password*changed* > doing parameter username map = /etc/samba/smbusers > doing parameter log level = 1 > doing parameter syslog = 0 > doing parameter log file = /var/log/samba/%m > doing parameter max log size = 50 > doing parameter smb ports = 139 445 > doing parameter name resolve order = wins bcast hosts > doing parameter printcap name = CUPS > doing parameter show add printer wizard = No > doing parameter add user script = /usr/sbin/useradd -m '%u' > doing parameter delete user script = /usr/sbin/userdel -r '%u' > doing parameter add group script = /usr/sbin/groupadd '%g' > doing parameter delete group script = /usr/sbin/groupdel '%g' > doing parameter add user to group script = /usr/sbin/usermod -G '%g' '%u' > doing parameter add machine script = /usr/sbin/useradd -s /bin/false > -d /tmp '%u' > doing parameter shutdown script = /var/lib/samba/scripts/shutdown.sh > doing parameter abort shutdown script = /sbin/shutdown -c > doing parameter logon script = scripts\logon.bat > doing parameter logon path = \\%L\profiles\%U > doing parameter logon drive = H: > doing parameter logon home = \\%L\%U > doing parameter domain logons = Yes > doing parameter preferred master = Yes > doing parameter domain master = Yes > doing parameter wins support = Yes > doing parameter utmp = Yes > doing parameter map acl inherit = Yes > doing parameter veto files = /*.eml/*.nws/*.{*}/ > doing parameter veto oplock files = /*.doc/*.xls/*.mdb/ > [2006/03/17 19:13:47, 4] param/loadparm.c:lp_load(4233) > pm_process() returned Yes > [2006/03/17 19:13:47, 2] lib/interface.c:add_interface(81) > added interface ip=192.168.1.3 bcast=192.168.1.255 nmask=255.255.255.0 > Password: > [2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_start_connection(1389) > Connecting to host=127.0.0.1 > [2006/03/17 19:13:50, 3] lib/util_sock.c:open_socket_out(870) > Connecting to 127.0.0.1 at port 445 > [2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(710) > Doing spnego session setup (blob length=16) > [2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(714) > server didn't supply a full spnego negprot > [2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(917) > Got challenge flags: > [2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) > Got NTLMSSP neg_flags=0x60890235 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_SEAL > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_NTLM2 > NTLMSSP_CHAL_TARGET_INFO > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(939) > NTLMSSP: Set final flags: > [2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) > Got NTLMSSP neg_flags=0x60080215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_NTLM2 > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2006/03/17 19:13:50, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332) > NTLMSSP Sign/Seal - Initialising with flags: > [2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63) > Got NTLMSSP neg_flags=0x60080215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_NTLM2 > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > [2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) > rpc_pipe_bind: Remote machine 127.0.0.1 pipe \lsarpc fnum 0x74d9 bind > request returned ok. > [2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) > rpc_pipe_bind: Remote machine 127.0.0.1 pipe \samr fnum 0x74da bind > request returned ok. > [2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) > rpc_pipe_bind: Remote machine 127.0.0.1 pipe \lsarpc fnum 0x74db bind > request returned ok. > Could not del tjp from Domain Admins: NT_STATUS_ACCESS_DENIED > [2006/03/17 19:13:50, 1] utils/net_rpc.c:run_rpc_command(169) > rpc command function failed! (NT_STATUS_ACCESS_DENIED) > [2006/03/17 19:13:50, 2] utils/net.c:main(878) > return code = 1 > root@nightwolf:~# > >
On Sat, Mar 18, 2006 at 08:43:37AM -0500, Bob Hope wrote:> I get NT_STATUS_ACCESS_DENIED. Debug level 5 output is pasted below. Any > help would be greatly appreciated.From the debug output you seem to have set the 'add user to group script', but the 'delete user from group script' seems to be missing. And /usr/sbin/usermod -G '%g' '%u' seems not to be the best choice. I'd rather use /usr/sbin/groupmod -A '%u' '%g' and /usr/sbin/groupmod -R '%u' '%g' Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20060318/bb29555a/attachment.bin