Hi,

running here samba-ldap-pdc (debian sarge, samba 3.0.14a-3sarge, cups). Domain users can delete their own print jobs. But they should also be able to delete print jobs of other domain users. But this does not work, because of access problems.

net groupmap list
Domain Users (S-1-5-21-2984023303-172644929-1026171850-1222) -> archi
Domain Admins (S-1-5-21-2984023303-172644929-1026171850-512) -> admin

Over winxp (network environment -> server -> printers -> access) I arranged that for the group 'domain users' print job management is allowed.

But deleting fails with access denied. Here is the log file:

[2006/12/11 13:26:43, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
  se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-2984023303-172644929-1026171850-513
[2006/12/11 13:26:43, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (f000c) denied.
[2006/12/11 13:26:43, 4] printing/nt_printing.c:print_access_check(5175)
  access check was FAILURE
[2006/12/11 13:26:43, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2006/12/11 13:26:43, 3] rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex(1770)
  access DENIED for printer open

What does the message "Unable to get default yp domain" mean?

Any hints?

Regards...
Thomas
Thomas Besser wrote:
> Unable to get default yp domain....
> What does the message "Unable to get default yp domain" mean?

Ignore it unless you really mean to use NIS netgroups. You can probably work around the error message by using the "+group" syntax in smb.conf instead of the "@group" syntax.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Thomas Besser
2006-Dec-12 10:21 UTC
[Samba] failure access check -> mask (was: Unable to get default yp domain)
Thomas Besser wrote:
> running here samba-ldap-pdc (debian sarge, samba 3.0.14a-3sarge, cups).
> Domain users can delete their own print jobs. But they should also be able
> to delete print jobs of other domain users. But this does not work,
> because of access problems.
>
> net groupmap list
> Domain Users (S-1-5-21-2984023303-172644929-1026171850-1222) -> archi
> Domain Admins (S-1-5-21-2984023303-172644929-1026171850-512) -> admin
>
> Over winxp (network environment -> server -> printers -> access) I
> arranged that for the group 'domain users' print job management is
> allowed.
>
> But deleting fails with access denied. Here is the log file:
>
> [2006/12/11 13:26:43, 3] lib/util_seaccess.c:se_access_check(252)
>   se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
>   se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
>   se_access_check: also S-1-1-0
>   se_access_check: also S-1-5-2
>   se_access_check: also S-1-5-11
>   se_access_check: also S-1-5-21-2984023303-172644929-1026171850-513
> [2006/12/11 13:26:43, 5] lib/util_seaccess.c:se_access_check(315)
>   se_access_check: access (f000c) denied.
> [2006/12/11 13:26:43, 4] printing/nt_printing.c:print_access_check(5175)
>   access check was FAILURE

Here is a more detailed log (loglevel 10) of the same problem:

[2006/12/11 15:40:06, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x000f000c, for NT token with 5 entries and first sid S-1-5-21-2984023303-172644929-1026171850-3012.
[2006/12/11 15:40:06, 3] lib/util_seaccess.c:se_access_check(251)
[2006/12/11 15:40:06, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2984023303-172644929-1026171850-3012
  se_access_check: also S-1-5-21-2984023303-172644929-1026171850-1222
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: ACE 0: type 0, flags = 0x00, SID S-1-5-21-2984023303-172644929-1026171850-500 mask = f000c, current desired = f000c
  se_access_check: ACE 1: type 0, flags = 0x09, SID S-1-5-21-2984023303-172644929-1026171850-500 mask = f0030, current desired = f000c
  se_access_check: ACE 2: type 0, flags = 0x00, SID S-1-5-21-2984023303-172644929-1026171850-512 mask = f000c, current desired = f000c
  se_access_check: ACE 3: type 0, flags = 0x09, SID S-1-5-21-2984023303-172644929-1026171850-512 mask = f0030, current desired = f000c
  se_access_check: ACE 4: type 0, flags = 0x00, SID S-1-5-21-2984023303-172644929-1026171850-1222 mask = 20008, current desired = f000c
  se_access_check: ACE 5: type 0, flags = 0x0a, SID S-1-5-21-2984023303-172644929-1026171850-1222 mask = 20000, current desired = d0004
  se_access_check: ACE 6: type 0, flags = 0x09, SID S-1-5-21-2984023303-172644929-1026171850-1222 mask = f0030, current desired = d0004
  se_access_check: ACE 7: type 0, flags = 0x00, SID = S-1-1-0 mask = 20008, current desired = d0004
  se_access_check: ACE 8: type 0, flags = 0x0a, SID = S-1-1-0 mask = 20000, current desired = d0004
  se_access_check: ACE 9: type 0, flags = 0x09, SID = S-1-1-0 mask = f0030, current desired = d0004
[2006/12/11 15:40:06, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (f000c) denied.
[2006/12/11 15:40:06, 4] printing/nt_printing.c:print_access_check(5175)
  access check was FAILURE

Does anyone know the meaning of these masks? Especially regarding the SID ending with 1222, because that's the group in which one user should have the possibility to delete the print job of another.

Regards. Thomas
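
Added example, not part of the original thread and not Samba code: a Python sketch that parses the ACE lines of the level-10 log above and replays the allow entries against the logged token, to show which requested bits no entry covers. The bit names are the Windows SDK constants; skipping inherit-only ACEs is an assumption, chosen because it reproduces the log's "current desired" values.

```python
import re

# Access-mask bit names from the Windows SDK headers (winnt.h, winspool.h).
RIGHTS = {0x4: "PRINTER_ACCESS_ADMINISTER", 0x8: "PRINTER_ACCESS_USE",
          0x10: "JOB_ACCESS_ADMINISTER", 0x20: "JOB_ACCESS_READ",
          0x10000: "DELETE", 0x20000: "READ_CONTROL",
          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
INHERIT_ONLY = 0x08  # ACE flag: entry applies to child objects only

ACE_RE = re.compile(r"ACE \d+: type (\d+), flags = 0x([0-9a-f]+), "
                    r"SID (?:= )?(S-[\d-]+) mask = ([0-9a-f]+)")

def decode(mask):
    """Names of the known bits set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def parse_aces(log):
    """Extract (type, flags, sid, mask) from se_access_check debug lines."""
    return [(int(t), int(f, 16), sid, int(m, 16))
            for t, f, sid, m in ACE_RE.findall(log)]

def replay(desired, token, aces):
    """Clear bits granted by allow ACEs (type 0) whose SID is in the token.
    Deny ACEs are not modelled (the log has none). Returns the bits still
    missing; 0 means the request would be granted."""
    for ace_type, flags, sid, mask in aces:
        if ace_type == 0 and sid in token and not flags & INHERIT_ONLY:
            desired &= ~mask
    return desired

# Constructed sample: the ten ACEs and the token from the level-10 log,
# rebuilt in the log's ACE line format (trailing "current desired" omitted).
DOM = "S-1-5-21-2984023303-172644929-1026171850"
ROWS = [(0x00, f"{DOM}-500", "f000c"), (0x09, f"{DOM}-500", "f0030"),
        (0x00, f"{DOM}-512", "f000c"), (0x09, f"{DOM}-512", "f0030"),
        (0x00, f"{DOM}-1222", "20008"), (0x0a, f"{DOM}-1222", "20000"),
        (0x09, f"{DOM}-1222", "f0030"), (0x00, "= S-1-1-0", "20008"),
        (0x0a, "= S-1-1-0", "20000"), (0x09, "= S-1-1-0", "f0030")]
LOG = "\n".join(
    f"se_access_check: ACE {i}: type 0, flags = 0x{fl:02x}, SID {sid} mask = {m}"
    for i, (fl, sid, m) in enumerate(ROWS))
TOKEN = {f"{DOM}-3012", f"{DOM}-1222", "S-1-1-0", "S-1-5-2", "S-1-5-11"}

if __name__ == "__main__":
    missing = replay(0xf000c, TOKEN, parse_aces(LOG))
    print(f"still missing: {missing:#x} {decode(missing)}")
```

For the logged request 0xf000c the replay leaves 0xd0004: the only entry for the 1222 group that applies to the printer itself has mask 20008 (READ_CONTROL and PRINTER_ACCESS_USE), while its f0030 entry carries the inherit-only flag.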