Trying to create groups using usrmgr.exe on my PDC/LDAP (smbldap-tools 0.8.7-8). It looks for the account on LDAP, which doesn't exist, calls smbldap-groupadd successfully, and converts it to sambaGroupMapping, but fails on:

[2005/05/05 19:48:01, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531)
  api_rpcTNP: samr op 0x15 - api_rpcTNP: rpc command: SAMR_SET_GROUPINFO

due to:

[2005/05/05 19:48:01, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 50 00 00 00 00 00 00 00 B1 B0 7A 42 ....P... ......zB
  [010] 39 69 00 00 9i..
[2005/05/05 19:48:01, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(201)
  _samr_set_groupinfo: access check ((granted: 0000000000; required: 0x00000002)
[2005/05/05 19:48:01, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(220)
  _samr_set_groupinfo: ACCESS DENIED (granted: 0000000000; required: 0x00000002)
[2005/05/05 19:48:01, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_groupinfo
[2005/05/05 19:48:01, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
  0000 status: NT_STATUS_ACCESS_DENIED
[2005/05/05 19:48:01, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully

The account belongs to "Domain Admins", which have the 5 privileges. And SIDs are properly assigned.
I know what this is. I hit a similar bug last week when creating local groups. I'll fix it up on Monday.
(In reply to comment #1)
> I know what this is. I hit a similar bug last week
> when creating local groups. I'll fix it up on Monday.

Yes, I asked Alejandro to put a bug in bugzilla after we found out online it is a bug in samr_set_group_info not checking for privileges.

If you don't mind I'm going to commit a patch after I finish some tests.

Simo.
(In reply to comment #2)
> (In reply to comment #1)
> > I know what this is. I hit a similar bug last week
> > when creating local groups. I'll fix it up on Monday.
>
> Yes I asked Alejandro to put a bug in bugzilla after we found out online it is a
> bug in samr_set_group_info not checking for privileges.
>
> If you don't mind I'm going to commit a patch after I finish some tests.
>
> Simo.

Replying to myself. Seems my wording is not clear. The fix consists in wrapping some calls in become_root()/unbecome_root() pairs.

Simo.
Simo, I think you are wrong here. The problem I believe is that we do not set the access granted bits when we create the group. I just checked the code in _samr_create_dom_group() and it is the same case as I fixed in _samr_create_dom_alias() last week. It has nothing to do with the SeAddUsersPrivilege right.
Created attachment 1207: patch to set the access bits on the newly created domain group handle
*** This bug has been marked as a duplicate of 2509 ***
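A triage helper for the access-check lines quoted in the report, added here as an example; it is not part of the bug thread or of Samba. The names find_denials and empty_handle are assumptions, and the sample is an excerpt of the log in the report.

```python
import re

# Header of a Samba debug record: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
# Denial message in the form quoted in the report (granted may lack the 0x prefix).
DENIED = re.compile(
    r"(?P<op>\w+): ACCESS DENIED \(granted: (?P<granted>(?:0x)?[0-9a-fA-F]+); "
    r"required: (?P<required>(?:0x)?[0-9a-fA-F]+)\)"
)

def find_denials(log_text):
    """Return one dict per ACCESS DENIED record, including the missing access bits.

    Records are split on headers rather than newlines, so a log pasted as a
    single flattened line parses the same as one with its original line breaks.
    """
    headers = list(HEADER.finditer(log_text))
    denials = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        msg = DENIED.search(log_text, hdr.end(), end)
        if msg is None:
            continue
        granted = int(msg["granted"], 16)
        required = int(msg["required"], 16)
        denials.append({
            "time": hdr["ts"],
            "op": msg["op"],
            "granted": granted,
            "required": required,
            "missing": required & ~granted,
            # granted == 0: the handle carried no access bits at all
            "empty_handle": granted == 0,
        })
    return denials

# Excerpt of the log lines quoted in the report above.
SAMPLE = (
    "[2005/05/05 19:48:01, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(201) "
    "_samr_set_groupinfo: access check ((granted: 0000000000; required: 0x00000002) "
    "[2005/05/05 19:48:01, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(220) "
    "_samr_set_groupinfo: ACCESS DENIED (granted: 0000000000; required: 0x00000002) "
    "[2005/05/05 19:48:01, 5] rpc_parse/parse_prs.c:prs_ntstatus(672) "
    "0000 status: NT_STATUS_ACCESS_DENIED"
)
```

A record with empty_handle set is one where the handle carried no access bits at all, rather than one where a single required bit was missing.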