Bug 5859 - Access denied when renaming an XP workstation in a Samba domain
Status: RESOLVED FIXED
Product: Samba 3.2
Classification: Unclassified
Component: Domain Control
Version: 3.2.6
Hardware: Other Windows XP
Importance: P3 major
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2008-10-29 06:24 UTC by Sébastien Prud'homme
Modified: 2009-08-06 09:26 UTC (History)
Attachments
Level 10 log file (123.72 KB, application/octet-stream)
2008-11-25 09:27 UTC, Sébastien Prud'homme
Log level 10 for W2000 join problem (52.18 KB, application/octet-stream)
2008-12-11 04:38 UTC, Sébastien Prud'homme

Description Sébastien Prud'homme 2008-10-29 06:24:36 UTC
When trying to rename an XP workstation in a Samba 3.2.4 domain (the operation is done on the workstation itself), I got an access denied error. I use the same administrator account that joined the workstation in the domain.

In Samba log files, I got this error:

[2008/10/29 11:26:11,  5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_SetUserInfo: access check ((granted: 0x000d04e4;  required: 0x000000b0)
[2008/10/29 11:26:11,  2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr_SetUserInfo: ACCESS DENIED (granted: 0x000d04e4;  required: 0x000000b0)
      samr_SetUserInfo: struct samr_SetUserInfo
          out: struct samr_SetUserInfo
              result                   : NT_STATUS_ACCESS_DENIED

After reading Samba source code, it seems that the administrator account is missing the SA_RIGHT_USER_ACCT_FLAGS_EXPIRY right.
Comment 1 Jeremy Allison 2008-10-29 17:03:25 UTC
Can you post the full debug log 10 please, I'd like to see the rights that were assigned to that user handle on open please. Looks to me like we need to add
SA_RIGHT_USER_ACCT_FLAGS_EXPIRY to the GENERIC_RIGHTS_USER_WRITE mapping.
I've also updated the code for the next 3.2 (and above) releases here, I'd appreciate it if you could test the git tree 3-2-test.
Thanks,
Jeremy.
Comment 2 Sébastien Prud'homme 2008-10-31 15:04:30 UTC
(In reply to comment #1)
> Can you post the full debug log 10 please, I'd like to see the rights that were
> assigned to that user handle on open please. Looks to me like we need to add
> SA_RIGHT_USER_ACCT_FLAGS_EXPIRY to the GENERIC_RIGHTS_USER_WRITE mapping.
> I've also updated the code for the next 3.2 (and above) releases here, I'd
> appreciate it if you could test the git tree 3-2-test.
> Thanks,
> Jeremy.
> 

Sorry, but I have no access to my test environment until mid-November. Then I will do the test as soon as possible.
Comment 3 Guenther Deschner 2008-11-06 04:24:38 UTC
It is also required to have a correct "rename user script" configured in smb.conf, but I guess you already have this.
Comment 4 Jeremy Allison 2008-11-20 15:14:49 UTC
Sébastien Prud'homme, have you had a chance to test the new code in the 3.2.x git tree?
Jeremy.
Comment 5 Sébastien Prud'homme 2008-11-25 09:27:41 UTC
Created attachment 3764 [details]
Level 10 log file

Log file when trying to rename "mononm1" computer to "monnom2"
Comment 6 Sébastien Prud'homme 2008-11-25 09:28:43 UTC
(In reply to comment #4)
> Sébastien Prud'homme, have you had a chance to test the new code in the 3.2.x
> git tree?
> Jeremy.
> 

Same problem when using the latest source code from the v-3.2test branch (see the attached log file).
Comment 7 Sébastien Prud'homme 2008-12-11 04:37:12 UTC
I've also noticed some problems when joining a W2000 workstation in the domain (join is impossible). I got these access denied errors:

[2008/12/11 09:58:25,  2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr_EnumDomains: ACCESS DENIED (granted: 0x00000002;  required: 0x00000010)
      samr_EnumDomains: struct samr_EnumDomains
          out: struct samr_EnumDomains
              resume_handle            : *
                  resume_handle            : 0x00000000 (0)
              sam                      : *
                  sam                      : NULL
              num_entries              : *
                  num_entries              : 0x00000000 (0)
              result                   : NT_STATUS_ACCESS_DENIED

[2008/12/11 09:58:27,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
  api_rpc_cmds[5].fn == 0x4b92e0
      netr_ServerAuthenticate: struct netr_ServerAuthenticate
          in: struct netr_ServerAuthenticate
              server_name              : *
                  server_name              : '\\MILUX-MILUX1'
              account_name             : 'B03NEC0086$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : 'B03NEC0086'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : ce0f83ba819038df
      netr_ServerAuthenticate: struct netr_ServerAuthenticate
          out: struct netr_ServerAuthenticate
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              result                   : NT_STATUS_ACCESS_DENIED

I've added a log level 10 file.

Joining an XP Pro workstation works fine with the same configuration on the Samba DC.

The only workaround I found is not to use Samba privileges at all and use "admin users = +my_admins" in global configuration.
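
The mask comparison behind the two ACCESS DENIED lines quoted in the description and in comment 7, as an added example that is not part of the original report or of Samba's code: it parses the log line and computes required & ~granted. The bit names are the MS-SAMR user access names (0x10 is the bit Samba 3.2 calls SA_RIGHT_USER_ACCT_FLAGS_EXPIRY); the function and variable names are this example's own.

```python
import re

# User-object access bits, named as in MS-SAMR. Bits outside this table
# (standard rights such as DELETE/WRITE_DAC) are reported as raw hex.
USER_ACCESS = {
    0x0001: "USER_READ_GENERAL",
    0x0002: "USER_READ_PREFERENCES",
    0x0004: "USER_WRITE_PREFERENCES",
    0x0008: "USER_READ_LOGON",
    0x0010: "USER_READ_ACCOUNT",
    0x0020: "USER_WRITE_ACCOUNT",
    0x0040: "USER_CHANGE_PASSWORD",
    0x0080: "USER_FORCE_PASSWORD_CHANGE",
    0x0100: "USER_LIST_GROUPS",
    0x0200: "USER_READ_GROUP_INFORMATION",
    0x0400: "USER_WRITE_GROUP_INFORMATION",
}

# Calls known to be checked against a user handle. Assumption: only the one
# seen on this page is listed; other handle types use different bit meanings.
USER_HANDLE_CALLS = {"_samr_SetUserInfo"}

DENIED = re.compile(
    r"(?P<func>_samr_\w+): ACCESS DENIED \(granted: (?P<granted>0x[0-9a-fA-F]+);"
    r"\s+required: (?P<required>0x[0-9a-fA-F]+)\)"
)

def missing_rights(line):
    """Return (function, missing_mask, [bit names]) or None if no denial."""
    m = DENIED.search(line)
    if m is None:
        return None
    granted = int(m["granted"], 16)
    required = int(m["required"], 16)
    missing = required & ~granted          # bits asked for but not on the handle
    bits = [1 << i for i in range(32) if missing & (1 << i)]
    if m["func"] in USER_HANDLE_CALLS:
        names = [USER_ACCESS.get(b, hex(b)) for b in bits]
    else:
        names = [hex(b) for b in bits]     # unknown handle type: do not guess names
    return m["func"], missing, names

# Log lines copied from the description and from comment 7 on this page.
SAMPLE_LINES = [
    "  _samr_SetUserInfo: ACCESS DENIED (granted: 0x000d04e4;  required: 0x000000b0)",
    "  _samr_EnumDomains: ACCESS DENIED (granted: 0x00000002;  required: 0x00000010)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(missing_rights(line))
```

For the SetUserInfo line the only required bit absent from the granted mask is 0x10, which matches the reporter's reading of the source.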
Comment 8 Sébastien Prud'homme 2008-12-11 04:38:36 UTC
Created attachment 3807 [details]
Log level 10 for W2000 join problem
Comment 9 Sébastien Prud'homme 2008-12-11 04:40:20 UTC
Last tests on Samba 3.2.6: same problems.
Comment 10 Guenther Deschner 2009-05-11 11:53:09 UTC
A fix for the access denied on samr setuserinfo level 7 has been pushed to master and v3-4-test (http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6d1e21bd1b38e8a3c7df3f7fdb8a17fcdd997d42).
Comment 11 Guenther Deschner 2009-05-12 08:53:06 UTC
(In reply to comment #10)
> A fix for the access denied on samr setuserinfo level 7 has been pushed to
> master and v3-4-test
> (http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6d1e21bd1b38e8a3c7df3f7fdb8a17fcdd997d42).


Arg, level 7 is user rename; machines rename via level 21, so we need to have the same fix there. I'll keep this in mind and fix it soon.

Comment 12 Guenther Deschner 2009-08-06 09:26:51 UTC
Fixed now in 3-2-test. Please reopen if still an issue.