I patched samba to always return ACCESS_GRANTED for testing. So I came to this:
IASSAM.LOG [556] 23:23:53:671: Inserting attribute msNPAllowDialin. [556] 23:23:53:671: Successfully retrieved per-user attributes. Dialin now "only" fails with "Dialin not allowed for user", but I'm not able to set it in UserMgr. Is it difficult to map this attribute? Daniel -----Urspr�ngliche Nachricht----- Von: Andrew Bartlett [mailto:[EMAIL PROTECTED] Gesendet: Samstag, 11. Oktober 2003 02:17 An: Beschorner Daniel Cc: '[EMAIL PROTECTED]' Betreff: Re: [Samba] W2K RAS Server in Samba 3.0.0 Domain On Sat, 2003-10-11 at 02:37, Beschorner Daniel wrote: > We set up a DialIn W2K SP4 member server in our Samba 3.0.0 domain. > > When a client dials in the RAS server complains: > > Error 930: The authentication server did not respond to authentication > requests in a timely fashion. > > > I tracked down the RAS logfile IASSAM.LOG: > > [576] 18:30:34:921: NT-SAM Names handler received request with user identity > root. > [576] 18:30:34:921: Prepending default domain. > [576] 18:30:34:921: SAM-Account-Name is "DOMAIN\root". > [576] 18:30:34:921: NT-SAM Authentication handler received request for > DOMAIN\root. > [576] 18:30:34:921: Processing MS-CHAP v2 authentication. > [576] 18:30:34:968: LogonUser succeeded. > [576] 18:30:34:968: NT-SAM User Authorization handler received request for > DOMAIN\root. > [576] 18:30:34:968: Using downlevel dial-in parameters. > [576] 18:30:34:968: DS not installed for domain DOMAIN. > [576] 18:30:34:968: Connecting to SAM server on \\SERVER. > [576] 18:30:35:093: Connecting to SAM server on \\SERVER. > [576] 18:30:35:093: Per-user attribute retrieval failed: Access denied > > > Here a corresponding "suspect" part of the level 10 smbd.log that breaks > it?!? > > > [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:dbg_rw_punival(806) > 0028 buffer : D.O.M.A.I.N. > [2003/10/10 18:30:37, 4] > rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) > Found policy hnd[0] [000] 00 00 00 00 02 00 00 00 00 00 00 00 AD DE 86 3F > ........ ....��.? > [010] 56 50 00 00 VP.. > [2003/10/10 18:30:37, 5] > rpc_server/srv_samr_nt.c:access_check_samr_function(106) > _samr_lookup_domain: access check ((granted: 0x00000020; required: > 0x00000010) > [2003/10/10 18:30:37, 2] > rpc_server/srv_samr_nt.c:access_check_samr_function(115) > _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020; required: > 0x00000010) > [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_debug(81) > 000000 samr_io_r_lookup_domain > [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_uint32(634) > 0000 ptr: 00000000 > [2003/10/10 18:30:37, 5] rpc_parse/parse_prs.c:prs_ntstatus(664) > 0004 status: NT_STATUS_ACCESS_DENIED This looks like a bug to me - can you file it in bugzilla.samba.org - I was involved in adding the access controls here, and I know there are issues - we didn't get all the access masks perfect. However, even when access is permitted, I'm not sure we serve up all the right attributes anyway... Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
