Hi

I am trying to use usrmgr.exe in order to manage users and groups on my samba server PDC (passdb backend = tdbsam).
I have the following strange behavior of usrmgr.exe:

* When I launch usrmgr.exe from a user account that is part of the Domain Admins group or that explicitly has the SeAddUsersPrivilege privilege, I can see the list of users and groups, and create a new user, BUT when I double click on a user or group, I get the error popup: "Access Denied, the user properties cannot be edited or viewed at this time". The log level 2 trace is:
[2009/02/16 17:18:40, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr__LookupRids: ACCESS DENIED (granted: 0x000d067a; required: 0x00000100)
* The only account that can fully use usrmgr.exe is the samba root account, everything works well under that account.

I strongly suspect it is a bug on privilege checking, can someone confirm that? Is there a workaround to make it work as expected?

Thanks in advance

henri

net rpc rights list Domain\ Admins
net rpc rights list Administrators

should give the info you need

On Mon, Feb 16, 2009 at 5:53 AM, HB <ciradhb.forward@laposte.net> wrote:
> Hi
>
> I am trying to use usrmgr.exe in order to manage users and groups on my samba server PDC (passdb backend = tdbsam).
> I have the following strange behavior of usrmgr.exe:
>
> * When I launch usrmgr.exe from a user account that is part of the Domain Admins group or that explicitly has the
> SeAddUsersPrivilege privilege, I can see the list of users and groups, and create a new user, BUT when I double click on a user or
> group, I get the error popup: "Access Denied, the user properties cannot be edited or viewed at this time". The log level 2 trace
> is:
> [2009/02/16 17:18:40, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
>   _samr__LookupRids: ACCESS DENIED (granted: 0x000d067a; required: 0x00000100)
> * The only account that can fully use usrmgr.exe is the samba root account, everything works well under that account.
>
> I strongly suspect it is a bug on privilege checking, can someone confirm that? Is there a workaround to make it work as expected?
>
> Thanks in advance
>
> henri

On Mon, Feb 16, 2009 at 8:53 AM, HB <ciradhb.forward@laposte.net> wrote:
> [2009/02/16 17:18:40, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
>   _samr__LookupRids: ACCESS DENIED (granted: 0x000d067a; required: 0x00000100)
> * The only account that can fully use usrmgr.exe is the samba root account, everything works well under that account.

Jeremy has fixed this in current code. It's just a matter of getting the latest packages for whatever your distro is.

--
Jim McDonough
Samba Team
jmcd at samba dot org
jmcd at themcdonoughs dot org
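
Reading the denial quoted in this thread, as an added example that is not from any of the posters or from Samba: a small parser that pulls the granted and required masks out of access_check_samr_function log entries and reports which required bits the handle lacked. It assumes the two-line log layout shown above, names only the standard Windows access rights, and leaves object-specific bits as hex because the thread does not name them.

```python
import re

# Standard access rights common to every Windows securable object.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
HEADER = re.compile(r"\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\]\s+\S+:access_check_samr_function\(\d+\)")
DENIAL = re.compile(
    r"(?P<func>\w+): ACCESS DENIED \(granted: (?P<granted>0x[0-9a-fA-F]+); "
    r"required: (?P<required>0x[0-9a-fA-F]+)\)"
)

# The two log lines quoted in the thread.
SAMPLE = """\
[2009/02/16 17:18:40, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr__LookupRids: ACCESS DENIED (granted: 0x000d067a; required: 0x00000100)
"""

def name_bits(mask):
    """Split a mask into single bits; name standard rights, leave the rest as hex."""
    bits = [1 << i for i in range(32) if mask & (1 << i)]
    return [STANDARD_RIGHTS.get(b, f"{b:#010x}") for b in bits]

def parse_denials(text):
    """Return one record per SAMR access denial, with the bits that were missing."""
    records, ts = [], None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            ts = header.group("ts")      # timestamp applies to the following message line
        denial = DENIAL.search(line)
        if not denial:
            continue
        granted = int(denial.group("granted"), 16)
        required = int(denial.group("required"), 16)
        missing = required & ~granted    # required bits the handle was not opened with
        records.append({
            "time": ts, "function": denial.group("func"),
            "granted": name_bits(granted), "missing": name_bits(missing),
            "missing_mask": missing,
        })
    return records

if __name__ == "__main__":
    for rec in parse_denials(SAMPLE):
        print(rec["time"], rec["function"], "missing:", rec["missing"])
        print("  granted:", ", ".join(rec["granted"]))
```

For the entry in this thread, the only missing bit is 0x00000100: the granted mask carries ten other bits, including DELETE, WRITE_DAC and WRITE_OWNER, but not the one the call required.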