Bug 2509 - Users w/ SeAddUsersPrivilege not able to use Srvtools to add/modify groups without error
Users w/ SeAddUsersPrivilege not able to use Srvtools to add/modify groups wi...
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
3.0.12
All Windows XP
: P3 normal
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
:
: 2686 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-21 20:53 UTC by Doug Campbell
Modified: 2006-02-02 08:40 UTC (History)
3 users (show)

See Also:


Attachments
Level 10 log taken while the issue was recreated. (219.41 KB, text/plain)
2006-02-02 06:29 UTC, James Cort
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Doug Campbell 2005-03-21 20:53:53 UTC
When using User Manager for Domains on a WinXP machine and connecting to a 
Samba 3.0.11 or 3.0.12 PDC, functionality related to directly working with 
Groups does not work as expected.

Example 1:

Login with account that has been granted "SeAddUsersPrivilege".
Create a Group named "Test"
Click OK

Receive message "Access Denied".

Click OK
Refresh list of groups.

Final Result:  "Test" is now a valid group.


Example 2:

Login with account that has been granted "SeAddUsersPrivilege".
Edit existing Group by double-clicking on it
Add user Tester to Group
Click OK

Receive message "Access Denied".

Final Result: No changes were made.

log.smbd contains errors like the following relating to this bug:

[2005/03/20 11:29:37, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..



Example of something that works:

Login with account that has been granted "SeAddUsersPrivilege".
Double-click on user Tester's entry
Click on Group button
Add Group "Test" to Tester's groups
Click OK

Final Result:  Changes made as expected.
Comment 1 Gerald (Jerry) Carter 2005-05-11 05:20:57 UTC
*** Bug 2686 has been marked as a duplicate of this bug. ***
Comment 2 Schlomo Schapiro 2005-06-21 07:50:59 UTC
I observed the same behaviour using User Manager on a Win2003 SP1 machine
against a Samba 3.0.14a server.

I granted all privileges to the Domain Admins group.

A user (uid <> 0) who is member of the Domain Admins group cannot change group
memberships by double clicking on the group.

In the smbd log I see also
[2005/06/21 05:04:51, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 15 try!
[2005/06/21 05:04:52, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/06/21 05:04:52, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (Timed out)

This was a pity as I was just showing off the new User Manager compatibility for
non-root users ...
Comment 3 Gerald (Jerry) Carter 2005-09-28 07:32:44 UTC
has been fixed in 3.0.20a
Comment 4 James Cort 2006-02-02 06:29:42 UTC
Created attachment 1718 [details]
Level 10 log taken while the issue was recreated.

Samba version 3.0.20b.
Comment 5 James Cort 2006-02-02 06:31:31 UTC
Example 1 seems to have been fixed, however example 2 continues to pose a problem.

The error message using User Manager for Domains for Win2k3 server on an XP workstation reads:

"The following error occurred changing the properties of the global group Test

The user name could not be found".

This appears to be intermittent - about 5% of the time it works as expected.  The rest of the time it doesn't.
Comment 6 Gerald (Jerry) Carter 2006-02-02 08:40:43 UTC
James, please open a new bug report rather than adding log files 
to a closed one.