Bug 2509 - Users w/ SeAddUsersPrivilege not able to use Srvtools to add/modify groups without error
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.12
Hardware: All Windows XP
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Duplicates: 2686
Reported: 2005-03-21 20:53 UTC by Doug Campbell
Modified: 2006-02-02 08:40 UTC (History)

Attachments
Level 10 log taken while the issue was recreated. (219.41 KB, text/plain)
2006-02-02 06:29 UTC, James Cort

Description Doug Campbell 2005-03-21 20:53:53 UTC
When using User Manager for Domains on a WinXP machine and connecting to a 
Samba 3.0.11 or 3.0.12 PDC, functionality related to directly working with 
Groups does not work as expected.

Example 1:

Login with account that has been granted "SeAddUsersPrivilege".
Create a Group named "Test"
Click OK

Receive message "Access Denied".

Click OK
Refresh list of groups.

Final Result:  "Test" is now a valid group.


Example 2:

Login with account that has been granted "SeAddUsersPrivilege".
Edit existing Group by double-clicking on it
Add user Tester to Group
Click OK

Receive message "Access Denied".

Final Result: No changes were made.

log.smbd contains errors like the following relating to this bug:

[2005/03/20 11:29:37, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..



Example of something that works:

Login with account that has been granted "SeAddUsersPrivilege".
Double-click on user Tester's entry
Click on Group button
Add Group "Test" to Tester's groups
Click OK

Final Result:  Changes made as expected.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-05-11 05:20:57 UTC
*** Bug 2686 has been marked as a duplicate of this bug. ***
Comment 2 Schlomo Schapiro 2005-06-21 07:50:59 UTC
I observed the same behaviour using User Manager on a Win2003 SP1 machine
against a Samba 3.0.14a server.

I granted all privileges to the Domain Admins group.

A user (uid <> 0) who is member of the Domain Admins group cannot change group
memberships by double clicking on the group.

In the smbd log I see also
[2005/06/21 05:04:51, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 15 try!
[2005/06/21 05:04:52, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/06/21 05:04:52, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (Timed out)

This was a pity as I was just showing off the new User Manager compatibility for
non-root users ...
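
Added example, not part of the original bug report or of Samba's code: a Python triage script that parses the two-line log.smbd entries quoted in the comments above and flags each smbldap_open "not root" failure together with the neighbouring LDAP entries. The function names, the `window` parameter and the header regex are assumptions derived only from the log format visible on this page.

```python
import re

# Header line of a log.smbd entry, in the form seen in the excerpts above:
# [YYYY/MM/DD HH:MM:SS, level] source_file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
NOT_ROOT = "cannot access LDAP when not root"

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": []}
            current["level"] = int(current["level"])
            entries.append(current)
        elif current is not None and raw.startswith(" ") and raw.strip():
            current["msg"].append(raw.strip())
        else:
            current = None  # blank or unindented line ends the entry
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries

def not_root_failures(entries, window=3):
    """Return (failure, related) pairs: each smbldap_open 'not root' entry
    plus the LDAP-related entries logged within `window` entries of it."""
    hits = []
    for i, e in enumerate(entries):
        if e["func"] == "smbldap_open" and NOT_ROOT in e["msg"]:
            lo, hi = max(0, i - window), i + window + 1
            related = [n for n in entries[lo:hi]
                       if n is not e and "ldap" in n["src"].lower()]
            hits.append((e, related))
    return hits

# Sample input embedded inline: the three entries quoted in Comment 2.
SAMPLE = """\
[2005/06/21 05:04:51, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 15 try!
[2005/06/21 05:04:52, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/06/21 05:04:52, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (Timed out)
"""
```

Calling `not_root_failures(parse_entries(SAMPLE))` yields one hit for the 05:04:52 smbldap_open entry, with the retry and group-search entries attached as context.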
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-09-28 07:32:44 UTC
has been fixed in 3.0.20a
Comment 4 James Cort 2006-02-02 06:29:42 UTC
Created attachment 1718
Level 10 log taken while the issue was recreated.

Samba version 3.0.20b.
Comment 5 James Cort 2006-02-02 06:31:31 UTC
Example 1 seems to have been fixed, however example 2 continues to pose a problem.

The error message using User Manager for Domains for Win2k3 server on an XP workstation reads:

"The following error occurred changing the properties of the global group Test

The user name could not be found".

This appears to be intermittent - about 5% of the time it works as expected.  The rest of the time it doesn't.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2006-02-02 08:40:43 UTC
James, please open a new bug report rather than adding log files 
to a closed one.