Re: [Samba] privileges in 3.11?
Dmitry Melekhov wrote:

| I found a reason.
| Problem is that I created tdbsam from smbpasswd
| using pdbedit. Now I tried to reproduce this and
| here is pdbedit output:
|
| Processing account root
| tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a
| primary group RID
| pdb_getsampwent
|
| And then I can't modify or add root account with the same result:
|
| tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a
| primary group RID
|
| This problem appears only if groupmap to unixgroup exists:
|
| ./net groupmap list
|
| Domain Admins (S-1-5-21-2314933419-357499204-1604414191-512) -> root

The problem is actually that Windows does not allow a user and group to have the same name. You must assign a different display name to the group map entry. This is strange though. I'll look into it some more.

| Then if I add groupmapping all works:
|
| [EMAIL PROTECTED] bin]# ./net groupmap modify
| sid=S-1-5-21-1953428550-3027608681-49554636-512 unixgroup=root
| Updated mapping entry for Domain Admins
| [EMAIL PROTECTED] bin]# ./net rpc rights grant 'TEST\dm' SePrintOperatorPrivilege
| Password:
| Successfully granted rights.

Thanks for the feedback.

cheers, jerry
=
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] privileges in 3.11?
Gerald (Jerry) Carter wrote:

> Dmitry Melekhov wrote:
>
> | I just checked latest svn with
> | svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0_RELEASE
> | samba-SAMBA_3_0_RELEASE
> |
> | And I still have the same problem.
> |
> | net -S dm -U root rpc rights grant 'TEST\dm' SeMachineAccountPrivilege
> | Password:
> | Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
> |
> | log.smb is attached...
>
> Can you send me your smb.conf, the output from `id dm`, the output from 'net groupmap list', and the output from 'net getlocalsid'?

I found a reason. Problem is that I created tdbsam from smbpasswd using pdbedit. Now I tried to reproduce this and here is pdbedit output:

Processing account root
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
pdb_getsampwent

And then I can't modify or add root account with the same result:

tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID

This problem appears only if groupmap to unixgroup exists:

./net groupmap list
Domain Admins (S-1-5-21-2314933419-357499204-1604414191-512) -> root

If I delete this mapping then I can add root account:

Domain Admins (S-1-5-21-1953428550-3027608681-49554636-512) -> -1

Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-1953428550-3027608681-49554636-1000
Primary Group SID: S-1-5-21-1953428550-3027608681-49554636-1001
Full Name: root
Home Directory: \\dm\root
HomeDir Drive:
Logon Script:
Profile Path: \\dm\root\profile
Domain: TEST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Sun, 07 Feb 2106 10:28:15 GMT
Kickoff time: Sun, 07 Feb 2106 10:28:15 GMT
Password last set: Mon, 07 Feb 2005 11:25:49 GMT
Password can change: Mon, 07 Feb 2005 11:25:49 GMT
Password must change: Sun, 07 Feb 2106 10:28:15 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FF

Looks like this problem appears if any groupmapping exists.

Then if I add groupmapping all works:

[EMAIL PROTECTED] bin]# ./net groupmap modify sid=S-1-5-21-1953428550-3027608681-49554636-512 unixgroup=root
Updated mapping entry for Domain Admins
[EMAIL PROTECTED] bin]# ./net rpc rights grant 'TEST\dm' SePrintOperatorPrivilege
Password:
Successfully granted rights.

All this is for 3.0.11. Looks like this is problem with tdbsam... I don't know how I created root user in tdbsam before.
Re: [Samba] privileges in 3.11?
Gerald (Jerry) Carter wrote:

Hello!

> Dmitry Melekhov wrote:
>
> | Certainly, root is member of Domain Admins group :-)
>
> well not at least implicitly in the NT_USER_TOKEN (although that might make things easier if it was).

I added root to Domain Admins group...

> | Anyway, do I understand right that root can do this
> | with latest code (from SVN)?
>
> Yes. The SAMBA_3_0_RELEASE is the staging area for the final 3.0.11 release and this is fixed in that branch. The SAMBA_3_0 tree has moved on past 3.0.11 at this point with more changes.

I just checked latest svn with

svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0_RELEASE samba-SAMBA_3_0_RELEASE

And I still have the same problem.

net -S dm -U root rpc rights grant 'TEST\dm' SeMachineAccountPrivilege
Password:
Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)

log.smb is attached...

Thank you!
Re: [Samba] privileges in 3.11?
Gerald (Jerry) Carter wrote:

> | /net -S dm -U dm rpc rights grant 'TEST\mail'
> | SeMachineAccountPrivilege
> | Password:
> | Could not connect to server dm
>
> This is an error from the net command itself (not related to rpc rights). Have you looked at the level 10 debug log from this second failure?

Now (with latest SVN) it looks better:

net -S dm -U dm rpc rights grant 'TEST\mail' SeMachineAccountPrivilege
Password:
Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
Re: [Samba] privileges in 3.11?
Dmitry Melekhov wrote:

| I just checked latest svn with
| svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0_RELEASE
| samba-SAMBA_3_0_RELEASE
|
| And I still have the same problem.
|
| net -S dm -U root rpc rights grant 'TEST\dm' SeMachineAccountPrivilege
| Password:
| Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
|
| log.smb is attached...

That was just a partial log file. I need to see the initial SMBsessionsetupX call. The only way to get back NT_STATUS_ACCESS_DENIED here is:

    if ( user.uid != sec_initial_uid()
        && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
    {
        return NT_STATUS_ACCESS_DENIED;
    }

| Now (with latest SVN) it looks better :
|
| net -S dm -U dm rpc rights grant 'TEST\mail'
| SeMachineAccountPrivilege
| Password:
| Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)

Can you send me your smb.conf, the output from `id dm`, the output from 'net groupmap list', and the output from 'net getlocalsid'?

Thanks.

cheers, jerry
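The access check quoted in the message above, modelled as a stand-alone C program (an added example, not Samba source code and not part of the original post). The `struct sid` and `struct token` types, the function names and the sample tokens are hypothetical; it assumes the initial uid is 0 and that the RID test only matches a SID under the server's own domain SID. RIDs 1000 and 1001 and both domain SIDs are taken from the thread, the other values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define DOMAIN_GROUP_RID_ADMINS 0x200u /* 512, the Domain Admins RID */
#define INITIAL_UID 0u                 /* assumption: smbd was started as root */

/* Simplified SID S-1-5-21-a-b-c-rid (hypothetical layout, not Samba's DOM_SID). */
struct sid { uint32_t dom[3]; uint32_t rid; };
struct token { size_t num_sids; const struct sid *sids; };

/* True if the token holds <domain SID>-<rid>; the domain part must match too. */
static bool token_has_domain_rid(const struct token *t, const uint32_t dom[3], uint32_t rid) {
    for (size_t i = 0; i < t->num_sids; i++) {
        const struct sid *s = &t->sids[i];
        if (s->rid == rid && s->dom[0] == dom[0] &&
            s->dom[1] == dom[1] && s->dom[2] == dom[2])
            return true;
    }
    return false;
}

/* Quoted check: deny only if the caller is neither root nor in Domain Admins. */
static bool may_grant_rights(unsigned uid, const struct token *t, const uint32_t dom[3]) {
    return uid == INITIAL_UID || token_has_domain_rid(t, dom, DOMAIN_GROUP_RID_ADMINS);
}

/* Pre-release rule described in the thread: Domain Admins only, no root bypass. */
static bool may_grant_rights_prerelease(const struct token *t, const uint32_t dom[3]) {
    return token_has_domain_rid(t, dom, DOMAIN_GROUP_RID_ADMINS);
}

/* Constructed tokens; D1 and D2 are the two domain SIDs that appear in the thread. */
#define D1 { 1953428550u, 3027608681u, 49554636u }
#define D2 { 2314933419u, 357499204u, 1604414191u }
static const uint32_t LOCAL_DOM[3] = D1;
static const struct sid ROOT_SIDS[]  = { { D1, 1000 }, { D1, 1001 } }; /* no 512 */
static const struct sid ADMIN_SIDS[] = { { D1, 3000 }, { D1, 512 } };
static const struct sid STALE_SIDS[] = { { D1, 3002 }, { D2, 512 } };  /* 512 of another domain */
static const struct token ROOT_TOK  = { 2, ROOT_SIDS };
static const struct token ADMIN_TOK = { 2, ADMIN_SIDS };
static const struct token STALE_TOK = { 2, STALE_SIDS };

int main(void) {
    printf("root: final=%d prerelease=%d\n", may_grant_rights(0, &ROOT_TOK, LOCAL_DOM),
           may_grant_rights_prerelease(&ROOT_TOK, LOCAL_DOM));
    printf("admin=%d other-domain-512=%d\n", may_grant_rights(1000, &ADMIN_TOK, LOCAL_DOM),
           may_grant_rights(1001, &STALE_TOK, LOCAL_DOM));
    return 0;
}
```

Under this model a non-root caller is allowed only when the token built at session setup carries the local domain's RID 512, which is why the group mapping and the session setup log matter when diagnosing the denial.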
[Samba] privileges in 3.11?
Hello!

I try to assign privileges in 3.11 and get error.
If I try to do this from root:

net -S dm -U root rpc rights grant 'TEST\mail' SeMachineAccountPrivilege
Password:
Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)

Or, if I do this from user, which is in Domain Admins group:

/net -S dm -U dm rpc rights grant 'TEST\mail' SeMachineAccountPrivilege
Password:
Could not connect to server dm

I use tdbsam...

Any ideas?
Re: [Samba] privileges in 3.11?
Hi

> I try to assign privileges in 3.11 and get error.
> If I try to do this from root:
>
> net -S dm -U root rpc rights grant 'TEST\mail' SeMachineAccountPrivilege
> Password:
> Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
>
> I use tdbsam...

I got the same problem. I use the ldap backend.

Cheers, Tilo
Re: [Samba] privileges in 3.11?
Hi

> I try to assign privileges in 3.11 and get error.
> If I try to do this from root:
>
> net -S dm -U root rpc rights grant 'TEST\mail' SeMachineAccountPrivilege
> Password:
> Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
>
> I use tdbsam...

I got the same problem. I use the ldap backend.

Here's the debug output:

home:/usr/local/sbin # net rpc rights grant tilo SeMachineAccountPrivilege -d 3
[2005/02/03 12:22:36, 3] param/loadparm.c:lp_load(3915)
  lp_load: refreshing parameters
[2005/02/03 12:22:36, 3] param/loadparm.c:init_globals(1314)
  Initialising global parameters
[2005/02/03 12:22:36, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2005/02/03 12:22:36, 3] param/loadparm.c:do_section(3408)
  Processing section [global]
[2005/02/03 12:22:36, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.0.7 bcast=192.168.255.255 nmask=255.255.0.0
[2005/02/03 12:22:36, 2] lib/interface.c:add_interface(79)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password:
[2005/02/03 12:22:39, 3] libsmb/cliconnect.c:cli_start_connection(1389)
  Connecting to host=127.0.0.1
[2005/02/03 12:22:39, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 127.0.0.1 at port 445
[2005/02/03 12:22:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
  Doing spnego session setup (blob length=58)
[2005/02/03 12:22:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 3 6 1 4 1 311 2 2 10
[2005/02/03 12:22:39, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
  got principal=NONE
[2005/02/03 12:22:39, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
  Got challenge flags:
[2005/02/03 12:22:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60890215
[2005/02/03 12:22:39, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
  NTLMSSP: Set final flags:
[2005/02/03 12:22:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2005/02/03 12:22:39, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2005/02/03 12:22:39, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2005/02/03 12:22:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
[2005/02/03 12:22:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
Failed to grant privileges for tilo (NT_STATUS_ACCESS_DENIED)
[2005/02/03 12:22:39, 1] utils/net_rpc.c:run_rpc_command(138)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2005/02/03 12:22:39, 2] utils/net.c:main(859)
  return code = 1
home:/usr/local/sbin #

Cheers, Tilo
Re: [Samba] privileges in 3.11?
Dmitry Melekhov wrote:

| I try to assign privileges in 3.11 and get error.
| If I try to do this from root:
|
| net -S dm -U root rpc rights grant 'TEST\mail'
| SeMachineAccountPrivilege
| Password:
| Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)

In the 3.0.11rpre2 and rc1, only a member of the 'Domain Admins' group could assign rights. Volker pointed out that it was probably confusing not to allow root to manage privileges as well since we allow root to do everything else. So that has been fixed for the final 3.0.11 release.

| Or, if I do this from user, which is in Domain Admins group:
|
| /net -S dm -U dm rpc rights grant 'TEST\mail'
| SeMachineAccountPrivilege
| Password:
| Could not connect to server dm

This is an error from the net command itself (not related to rpc rights). Have you looked at the level 10 debug log from this second failure?

cheers, jerry
Re: [Samba] privileges in 3.11?
Gerald (Jerry) Carter wrote:

> Dmitry Melekhov wrote:
>
> | I try to assign privileges in 3.11 and get error.
> | If I try to do this from root:
> |
> | net -S dm -U root rpc rights grant 'TEST\mail'
> | SeMachineAccountPrivilege
> | Password:
> | Failed to grant privileges for TEST\dm (NT_STATUS_ACCESS_DENIED)
>
> In the 3.0.11rpre2 and rc1, only a member of the 'Domain Admins' group could assign rights. Volker pointed out that it was probably confusing not to allow root to manage privileges as well since we allow root to do everything else. So that has been fixed for the final 3.0.11 release.

Certainly, root is member of Domain Admins group :-)

Anyway, do I understand right that root can do this with latest code (from SVN)?

> This is an error from the net command itself (not related to rpc rights). Have you looked at the level 10 debug log from this second failure?

I'll do this only tomorrow, sorry.
Re: [Samba] privileges in 3.11?
Dmitry Melekhov wrote:

| Certainly, root is member of Domain Admins group :-)

well not at least implicitly in the NT_USER_TOKEN (although that might make things easier if it was).

| Anyway, do I understand right that root can do this
| with latest code (from SVN)?

Yes. The SAMBA_3_0_RELEASE is the staging area for the final 3.0.11 release and this is fixed in that branch. The SAMBA_3_0 tree has moved on past 3.0.11 at this point with more changes.

cheers, jerry