Bug 2686 - usrmgr.exe fail to create groups
usrmgr.exe fail to create groups
Status: RESOLVED DUPLICATE of bug 2509
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
3.0.14a
All Linux
: P3 major
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
http://t2.geeks.cl/damn.transporte.lo...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-06 12:01 UTC by Alejandro Mery
Modified: 2005-05-11 05:20 UTC (History)
0 users

See Also:


Attachments
patch to set the access bits on the newly created domain group handle (591 bytes, patch)
2005-05-07 07:43 UTC, Gerald (Jerry) Carter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alejandro Mery 2005-05-06 12:01:14 UTC
trying to create groups using usrmgr.exe to my PDC/LDAP (smbldap-tools 0.8.7-8).

i looks for the account on LDAP, which doesn't exist.
calls smbldap-groupadd successfully, and converts it to sambaGroupMapping.
but fails on:

[2005/05/05 19:48:01, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531)
  api_rpcTNP: samr op 0x15 - api_rpcTNP: rpc command: SAMR_SET_GROUPINFO

due to:

[2005/05/05 19:48:01, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 50 00 00 00  00 00 00 00 B1 B0 7A 42 
....P... ......zB
  [010] 39 69 00 00                                       9i..
[2005/05/05 19:48:01, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(201)
  _samr_set_groupinfo: access check ((granted: 0000000000;  required: 0x00000002)
[2005/05/05 19:48:01, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(220)
  _samr_set_groupinfo: ACCESS DENIED (granted: 0000000000;  required: 0x00000002)
[2005/05/05 19:48:01, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_groupinfo
[2005/05/05 19:48:01, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      0000 status: NT_STATUS_ACCESS_DENIED
[2005/05/05 19:48:01, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully

the account belongs to "Domain Admins" which have the 5 privileges. And SIDs are
properly assigned.
Comment 1 Gerald (Jerry) Carter 2005-05-07 06:12:39 UTC
I know what this is.  I hit a similar bug last week 
when creating local groups.  I'll fix it up on Monday.
Comment 2 Simo Sorce 2005-05-07 06:51:10 UTC
(In reply to comment #1)
> I know what this is.  I hit a similar bug last week 
> when creating local groups.  I'll fix it up on Monday.

Yes I asked Alejandro to put a bug in bugzilla after we found out online it is a
bug in samr_set_group_info not checking for privileges.

If you don't mind I'm going to commit a patch after I finish some tests.

Simo.
Comment 3 Simo Sorce 2005-05-07 07:01:35 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > I know what this is.  I hit a similar bug last week 
> > when creating local groups.  I'll fix it up on Monday.
> 
> Yes I asked Alejandro to put a bug in bugzilla after we found out online it is a
> bug in samr_set_group_info not checking for privileges.
> 
> If you don't mind I'm going to commit a patch after I finish some tests.
> 
> Simo.


Replying myself.
Seem my wording is not clear.
The fix consists in wrapping some calls in become_root()/unbecome_root() pairs.

Simo.
Comment 4 Gerald (Jerry) Carter 2005-05-07 07:42:05 UTC
Simo,

I think you are wrong here.  The problem I believe is that we do 
not set the access granted bits when we create the group.
I just checked the code in _samr_create_dom_group() and it is 
the same case as I fixed in _samr_create_dom_alias() last week.
It has nothing to do with the SeAddUsersPrivilege right.
Comment 5 Gerald (Jerry) Carter 2005-05-07 07:43:01 UTC
Created attachment 1207 [details]
patch to set the access bits on the newly created domain group handle
Comment 6 Gerald (Jerry) Carter 2005-05-11 05:20:55 UTC

*** This bug has been marked as a duplicate of 2509 ***