Ian Puleston
2009-Jul-17 21:04 UTC
[Samba] Using NetWkstaGetInfo / NetWkstaUserEnum with samba server
Hi, I'm trying to get a Linux machine set up so that it will respond to NetWkstaGetInfo and/or NetWkstaUserEnum NetAPI requests from a Windows machine. I have samba configured and working to authenticate in the Windows domain with smb, nmb and winbind daemons running, and can browse shares on that machine from a Window PC, authenticating as either the domain administrator or a domain user. So I'm now trying to run a program on a Windows server that sends the above NetAPI requests to Samba on the Linux machine, being logged in to that Windows server as the domain administrator. NetWkstaGetInfo has 3 levels (100 to 102) with 100 requiring only guest access. Level 100 works OK, but levels 101/102 return error 124 (invalid level). NetWkstaUserEnum returns error 1745 (RPC_S_PROCNUM_OUT_OF_RANGE). I have samba logging turned on with log level set to 3, and it logs successfully authenticating the domain administrator (sd80\administrator) and receiving the NetWksta... command in both cases (see below), so any idea why it may be returning these errors? On authenticating the user I do see "get_privileges: No privileges assigned to SID" logged - could this be the reason, the account does not have the privilege to run these commands on the Linux machine? If so is there a way to give the account that privilege? Here is the samba log of an attempt to run NetWkstaUserEnum: [2009/07/17 13:57:31, 3] auth/auth.c:check_ntlm_password(220) check_ntlm_password: Checking password for unmapped user [SD80]\[Administrator]@[IANSERVER] with the new password interface [2009/07/17 13:57:31, 3] auth/auth.c:check_ntlm_password(223) check_ntlm_password: mapped user is: [SD80]\[Administrator]@[IANSERVER] [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:push_sec_ctx(224) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2009/07/17 13:57:31, 3] smbd/uid.c:push_conn_ctx(407) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:pop_sec_ctx(432) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] auth/auth.c:check_ntlm_password(269) check_ntlm_password: winbind authentication for user [Administrator] succeeded [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:push_sec_ctx(224) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2009/07/17 13:57:31, 3] smbd/uid.c:push_conn_ctx(407) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:pop_sec_ctx(432) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 2] auth/auth.c:check_ntlm_password(308) check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [SD80+administrator] succeeded [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:push_sec_ctx(224) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2009/07/17 13:57:31, 3] smbd/uid.c:push_conn_ctx(407) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:pop_sec_ctx(432) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-21-4023909512-3739307249-2032274589-500] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-21-4023909512-3739307249-2032274589-513] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-2] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-11] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-21-4023909512-3739307249-2032274589-520] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-21-4023909512-3739307249-2032274589-519] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-21-4023909512-3739307249-2032274589-518] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-21-4023909512-3739307249-2032274589-512] [2009/07/17 13:57:31, 3] lib/privileges.c:get_privileges(63) get_privileges: No privileges assigned to SID [S-1-5-32-545] [2009/07/17 13:57:31, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337) NTLMSSP Sign/Seal - Initialising with flags: [2009/07/17 13:57:31, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0xa2088205 [2009/07/17 13:57:31, 3] smbd/password.c:register_existing_vuid(320) register_existing_vuid: User name: SD80+administrator Real name: [2009/07/17 13:57:31, 3] smbd/password.c:register_existing_vuid(332) register_existing_vuid: UNIX uid 601 is UNIX user SD80+administrator, and will be vuid 100 [2009/07/17 13:57:31, 3] smbd/password.c:register_existing_vuid(353) Adding homes service for user 'SD80+administrator' using home directory: '/home/SD80/administrator' [2009/07/17 13:57:31, 3] param/loadparm.c:lp_add_home(5856) adding home's share [administrator] for user 'SD80+administrator' at '/home/SD80/administrator' [2009/07/17 13:57:31, 3] smbd/process.c:process_smb(1550) Transaction 3 of length 98 (0 toread) [2009/07/17 13:57:31, 3] smbd/process.c:switch_message(1361) switch message SMBtconX (pid 4387) conn 0x0 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/service.c:make_connection_snum(940) Connect path is '/tmp' for service [IPC$] [2009/07/17 13:57:31, 3] lib/util_seaccess.c:se_access_check(249) [2009/07/17 13:57:31, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-11 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512 se_access_check: also S-1-5-32-545 se_access_check: also S-1-5-32-544 se_access_check: also S-1-22-1-601 se_access_check: also S-1-22-2-604 se_access_check: also S-1-22-2-607 se_access_check: also S-1-22-2-608 se_access_check: also S-1-22-2-609 se_access_check: also S-1-22-2-610 se_access_check: also S-1-22-2-603 se_access_check: also S-1-22-2-602 [2009/07/17 13:57:31, 3] smbd/vfs.c:vfs_init_default(96) Initialising default vfs hooks [2009/07/17 13:57:31, 3] smbd/vfs.c:vfs_init_custom(130) Initialising custom vfs hooks from [/[Default VFS]/] [2009/07/17 13:57:31, 3] lib/util_seaccess.c:se_access_check(249) [2009/07/17 13:57:31, 3] lib/util_seaccess.c:se_access_check(252) se_access_check: user sid is S-1-5-21-4023909512-3739307249-2032274589-500 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-513 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-11 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-520 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-519 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-518 se_access_check: also S-1-5-21-4023909512-3739307249-2032274589-512 se_access_check: also S-1-5-32-545 se_access_check: also S-1-5-32-544 se_access_check: also S-1-22-1-601 se_access_check: also S-1-22-2-604 se_access_check: also S-1-22-2-607 se_access_check: also S-1-22-2-608 se_access_check: also S-1-22-2-609 se_access_check: also S-1-22-2-610 se_access_check: also S-1-22-2-603 se_access_check: also S-1-22-2-602 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (601, 604) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/service.c:make_connection_snum(1194) ianserver (::ffff:192.168.168.3) connect to service IPC$ initially as user SD80+administrator (uid=601, gid=604) (pid 4387) [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/reply.c:reply_tcon_and_X(766) tconX service=IPC$ [2009/07/17 13:57:31, 3] smbd/process.c:process_smb(1550) Transaction 4 of length 104 (0 toread) [2009/07/17 13:57:31, 3] smbd/process.c:switch_message(1361) switch message SMBntcreateX (pid 4387) conn 0x242f690 [2009/07/17 13:57:31, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (601, 604) - sec_ctx_stack_ndx = 0 [2009/07/17 13:57:31, 3] smbd/nttrans.c:nt_open_pipe(320) nt_open_pipe: Known pipe wkssvc opening. [2009/07/17 13:57:31, 3] smbd/process.c:process_smb(1550) Transaction 5 of length 184 (0 toread) [2009/07/17 13:57:31, 3] smbd/process.c:switch_message(1361) switch message SMBwriteX (pid 4387) conn 0x242f690 [2009/07/17 13:57:31, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(1564) api_pipe_bind_req: \PIPE\wkssvc -> \PIPE\wkssvc [2009/07/17 13:57:31, 3] rpc_server/srv_pipe.c:check_bind_req(991) check_bind_req for \PIPE\wkssvc [2009/07/17 13:57:31, 3] smbd/pipes.c:reply_pipe_write_and_X(251) writeX-IPC pnum=7498 nwritten=116 [2009/07/17 13:57:31, 3] smbd/process.c:process_smb(1550) Transaction 6 of length 63 (0 toread) [2009/07/17 13:57:31, 3] smbd/process.c:switch_message(1361) switch message SMBreadX (pid 4387) conn 0x242f690 [2009/07/17 13:57:31, 3] smbd/pipes.c:reply_pipe_read_and_X(301) readX-IPC pnum=7498 min=1024 max=1024 nread=68 [2009/07/17 13:57:31, 3] smbd/process.c:process_smb(1550) Transaction 7 of length 196 (0 toread) [2009/07/17 13:57:31, 3] smbd/process.c:switch_message(1361) switch message SMBtrans (pid 4387) conn 0x242f690 [2009/07/17 13:57:31, 3] smbd/ipc.c:handle_trans(436) trans <\PIPE\> data=108 params=0 setup=2 [2009/07/17 13:57:31, 3] smbd/ipc.c:named_pipe(387) named pipe command on <> name [2009/07/17 13:57:31, 3] smbd/ipc.c:api_fd_reply(345) Got API command 0x26 on pipe "wkssvc" (pnum 7498) [2009/07/17 13:57:31, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519) free_pipe_context: destroying talloc pool of size 118 [2009/07/17 13:57:31, 3] rpc_server/srv_pipe.c:api_rpcTNP(2308) api_rpcTNP: rpc command: WKSSVC_NETWKSTAENUMUSERS [2009/07/17 13:57:31, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519) free_pipe_context: destroying talloc pool of size 0 [2009/07/17 13:57:31, 3] smbd/process.c:process_smb(1550) Transaction 8 of length 45 (0 toread) [2009/07/17 13:57:31, 3] smbd/process.c:switch_message(1361) switch message SMBclose (pid 4387) conn 0x242f690
Volker Lendecke
2009-Jul-18 03:56 UTC
[Samba] Using NetWkstaGetInfo / NetWkstaUserEnum with samba server
On Fri, Jul 17, 2009 at 02:04:19PM -0700, Ian Puleston wrote:> I'm trying to get a Linux machine set up so that it will respond to > NetWkstaGetInfo and/or NetWkstaUserEnum NetAPI requests from a Windows > machine. I have samba configured and working to authenticate in the > Windows domain with smb, nmb and winbind daemons running, and can browse > shares on that machine from a Window PC, authenticating as either the > domain administrator or a domain user. > > So I'm now trying to run a program on a Windows server that sends the > above NetAPI requests to Samba on the Linux machine, being logged in to > that Windows server as the domain administrator. NetWkstaGetInfo has 3 > levels (100 to 102) with 100 requiring only guest access. Level 100 > works OK, but levels 101/102 return error 124 (invalid level). > NetWkstaUserEnum returns error 1745 (RPC_S_PROCNUM_OUT_OF_RANGE). > > I have samba logging turned on with log level set to 3, and it logs > successfully authenticating the domain administrator > (sd80\administrator) and receiving the NetWksta... command in both cases > (see below), so any idea why it may be returning these errors? On > authenticating the user I do see "get_privileges: No privileges assigned > to SID" logged - could this be the reason, the account does not have the > privilege to run these commands on the Linux machine? If so is there a > way to give the account that privilege? > > Here is the samba log of an attempt to run NetWkstaUserEnum:Probably we "just" don't support some calls or some infolevels that we haven't come across yet. Can you please file a bug at bugzilla.samba.org and upload network traces? Maybe also a snippet of your Win32 code that you're trying to get to run. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20090718/07498b22/attachment.pgp>
Possibly Parallel Threads
- Missing sids for domain administrator?
- Builtin group mapping problem with latest from git
- root is there in tdbsam but it says user name not there while Joining a Win Xp to a domain
- Can't add machines to domain after Debian-Update
- write list for share is ignored