samba - Jul 2006 - rpc command function failed! (NT_STATUS_ACCESS_DENIED) trying to grant privileges - 3.0.23a

Greetings,

I am in the process of testing Samba 3.0.23a with our own passdb
plugin. As part of mytesting I am trying to join the domin so here are
the steps I take...


1 - get local sid
/usr/local/samba/bin/net getlocalsid
SID for domain JAZZY is: S-1-5-21-1016995387-3159270912-1426853295

2 - create group mappings
[paulg@jazzy ~]$ /usr/local/samba/bin/net groupmap list
Domain Users (S-1-5-21-1016995387-3159270912-1426853295-513) -> users
Domain Admins (S-1-5-21-1016995387-3159270912-1426853295-512) -> tech
Domain Guests (S-1-5-21-1016995387-3159270912-1426853295-514) -> nobody
[paulg@jazzy ~]$ 


3 - Assign  privileges to tech group so they can join machines to the
domain.

net -d 3 -S JAZZY rpc rights grant 'JAZZY\tech'
SeMachineAccountPrivilege

[paulg@jazzy sbin]$ /usr/local/samba/bin/net -d 3 -S JAZZY rpc rights grant
'JAZZY\tech' SeMachineAccountPrivilege


[2006/07/25 11:37:50, 3] param/loadparm.c:lp_load(4945)
  lp_load: refreshing parameters
[2006/07/25 11:37:50, 3] param/loadparm.c:init_globals(1410)
  Initialising global parameters
[2006/07/25 11:37:50, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file
  "/usr/local/samba/lib/smb.conf"
[2006/07/25 11:37:50, 3] param/loadparm.c:do_section(3687)
  Processing section "[global]"
[2006/07/25 11:37:50, 1] param/loadparm.c:lp_do_parameter(3426)
  WARNING: The "printer admin" option is deprecated
[2006/07/25 11:37:50, 2] lib/interface.c:add_interface(81)
  added interface ip=130.xx.xx.xx bcast=130.xx.xx.xx
  nmask=255.255.255.0
[2006/07/25 11:37:50, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name JAZZY<0x20>
[2006/07/25 11:37:50, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name JAZZY<0x20>
[2006/07/25 11:37:50, 3] libsmb/namequery.c:resolve_wins(875)
  resolve_wins: using WINS server 130.xx.xx.xx and tag '*'
[2006/07/25 11:37:50, 2] libsmb/namequery.c:name_query(577)
  Got a positive name query response from 130.xx.xx.xx ( 130.xx.xx.xx
  )
Password:
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_start_connection(1417)
  Connecting to host=JAZZY
[2006/07/25 11:38:00, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 130.xx.xx.xx at port 445
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(723)
  Doing spnego session setup (blob length=58)
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(748)
  got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/25 11:38:00, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(757)
  got principal=NONE
[2006/07/25 11:38:00, 3]
libsmb/ntlmssp.c:ntlmssp_client_challenge(941)
  Got challenge flags:
[2006/07/25 11:38:00, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60890215
[2006/07/25 11:38:00, 3]
libsmb/ntlmssp.c:ntlmssp_client_challenge(963)
  NTLMSSP: Set final flags:
[2006/07/25 11:38:00, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
[2006/07/25 11:38:00, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/07/25 11:38:00, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60080215
[2006/07/25 11:38:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine JAZZY pipe \lsarpc fnum 0x7622 bind
  request returned ok.
[2006/07/25 11:38:00, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine JAZZY pipe \lsarpc fnum 0x7623 bind
  request returned ok.
[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
Failed to grant privileges for JAZZY\tech (NT_STATUS_ACCESS_DENIED)
[2006/07/25 11:38:00, 1] utils/net_rpc.c:run_rpc_command(170)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2006/07/25 11:38:00, 2] utils/net.c:main(988)
  return code = 1
-----

What could be causing this error? The only thing that catches my eyes
is the following....

[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2006/07/25 11:38:00, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8

Anyone have any pointers ?

Thanks
Paul

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Griffith wrote:
> Greetings,
> 
> I am in the process of testing Samba 3.0.23a with our own passdb
> plugin. 
...
> $ net -d 3 -S JAZZY rpc rights grant 'JAZZY\tech' 
>   SeMachineAccountPrivilege
...
> Failed to grant privileges for JAZZY\tech (NT_STATUS_ACCESS_DENIED)
>   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
>   return code = 1
> -----
> 
> What could be causing this error? The only thing that 
> catches my eyes is the following....
...
>   lsa_io_sec_qos: length c does not match size 8
I think you need to look at the server logs and not the
client logs to debug this. I'm pretty sure this error message
is not the problem though.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFExlbnIR7qMdg1EfYRAkSMAJ9J4mTuaZ2UUJTVHoNloYX8ENEkggCg0Oa8
2chmrdstEM+3YhqQplJMINo=TrK+
-----END PGP SIGNATURE-----