Hello everyone,

I've been setting up Samba as a PDC with good success so far. I've run into one problem though, and that's removing users from groups using the 'net' utility. I seem to be able to add users to groups just fine using something similar to the following:

    net rpc group addmem "Domain Admins" bob

If I then type:

    net rpc group members "Domain Admins"

it lists the user I just added, bob. But if I then try to remove the user with the following command:

    net rpc group delmem "Domain Admins" bob

I get NT_STATUS_ACCESS_DENIED. Debug level 5 output is pasted below. Any help would be greatly appreciated.

Thank you.

-------------------------------------------------------------------------------
root@nightwolf:~# net rpc group delmem "Domain Admins" -d 4 tjp
[2006/03/17 19:13:47, 3] param/loadparm.c:lp_load(4202)
  lp_load: refreshing parameters
[2006/03/17 19:13:47, 3] param/loadparm.c:init_globals(1385)
  Initialising global parameters
[2006/03/17 19:13:47, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/03/17 19:13:47, 3] param/loadparm.c:do_section(3657)
  Processing section "[global]"
doing parameter workgroup = SAVAGEPHP
doing parameter netbios name = nightwolf
[2006/03/17 19:13:47, 4] param/loadparm.c:handle_netbios_name(2997)
  handle_netbios_name: set global_myname to: NIGHTWOLF
doing parameter passdb backend = tdbsam
doing parameter enable privileges = Yes
doing parameter pam password change = Yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
doing parameter username map = /etc/samba/smbusers
doing parameter log level = 1
doing parameter syslog = 0
doing parameter log file = /var/log/samba/%m
doing parameter max log size = 50
doing parameter smb ports = 139 445
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = CUPS
doing parameter show add printer wizard = No
doing parameter add user script = /usr/sbin/useradd -m '%u'
doing parameter delete user script = /usr/sbin/userdel -r '%u'
doing parameter add group script = /usr/sbin/groupadd '%g'
doing parameter delete group script = /usr/sbin/groupdel '%g'
doing parameter add user to group script = /usr/sbin/usermod -G '%g' '%u'
doing parameter add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
doing parameter shutdown script = /var/lib/samba/scripts/shutdown.sh
doing parameter abort shutdown script = /sbin/shutdown -c
doing parameter logon script = scripts\logon.bat
doing parameter logon path = \\%L\profiles\%U
doing parameter logon drive = H:
doing parameter logon home = \\%L\%U
doing parameter domain logons = Yes
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter wins support = Yes
doing parameter utmp = Yes
doing parameter map acl inherit = Yes
doing parameter veto files = /*.eml/*.nws/*.{*}/
doing parameter veto oplock files = /*.doc/*.xls/*.mdb/
[2006/03/17 19:13:47, 4] param/loadparm.c:lp_load(4233)
  pm_process() returned Yes
[2006/03/17 19:13:47, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.3 bcast=192.168.1.255 nmask=255.255.255.0
Password:
[2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_start_connection(1389)
  Connecting to host=127.0.0.1
[2006/03/17 19:13:50, 3] lib/util_sock.c:open_socket_out(870)
  Connecting to 127.0.0.1 at port 445
[2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(710)
  Doing spnego session setup (blob length=16)
[2006/03/17 19:13:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(714)
  server didn't supply a full spnego negprot
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(917)
  Got challenge flags:
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60890235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(939)
  NTLMSSP: Set final flags:
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/03/17 19:13:50, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/03/17 19:13:50, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 127.0.0.1 pipe \lsarpc fnum 0x74d9 bind request returned ok.
[2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 127.0.0.1 pipe \samr fnum 0x74da bind request returned ok.
[2006/03/17 19:13:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 127.0.0.1 pipe \lsarpc fnum 0x74db bind request returned ok.
Could not del tjp from Domain Admins: NT_STATUS_ACCESS_DENIED
[2006/03/17 19:13:50, 1] utils/net_rpc.c:run_rpc_command(169)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2006/03/17 19:13:50, 2] utils/net.c:main(878)
  return code = 1
root@nightwolf:~#

I apologize, in the midst of all that debug info I provided I didn't give any info about my system.

Running Slackware 10.1 on x86
Samba 3.0.21b

I think that's all that's needed. Thanks.

On Sat, Mar 18, 2006 at 08:43:37AM -0500, Bob Hope wrote:
> I get NT_STATUS_ACCESS_DENIED. Debug level 5 output is pasted below. Any
> help would be greatly appreciated.

From the debug output you seem to have set the 'add user to group script', but the 'delete user from group script' seems to be missing. And

    /usr/sbin/usermod -G '%g' '%u'

seems not to be the best choice. I'd rather use

    /usr/sbin/groupmod -A '%u' '%g'

and

    /usr/sbin/groupmod -R '%u' '%g'

Volker
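
An added example, not part of the original thread or of Samba: a small audit of an smb.conf [global] section for the two conditions raised in the reply above, namely an add script with no matching delete script (so a membership such as "Domain Admins" can be granted but not revoked through 'net rpc'), and usermod -G used without -a. The function names and the SAMPLE text are assumptions built from the parameters shown in the debug output.

```python
import re

# Parameter pairs that must both be set for a change to be reversible.
PAIRS = [
    ("add user script", "delete user script"),
    ("add group script", "delete group script"),
    ("add user to group script", "delete user from group script"),
]

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and runs of whitespace in the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text):
    """List findings about the user and group management scripts."""
    p, findings = parse_global(text), []
    for add, delete in PAIRS:
        if p.get(add) and not p.get(delete):
            findings.append(f"'{add}' is set but '{delete}' is missing")
    cmd = p.get("add user to group script", "").split()
    if cmd and cmd[0].endswith("usermod") and "-G" in cmd and "-a" not in cmd:
        findings.append("'add user to group script' runs usermod -G without -a, "
                        "which replaces the user's supplementary group list")
    return findings

# Constructed sample: the relevant parameters from the debug output above.
SAMPLE = """
[global]
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample it reports both findings; a configuration using the groupmod -A / groupmod -R pair suggested in the reply produces none.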