When trying to rename an XP workstation in a Samba 3.2.4 domain (the operation is done on the workstation itself), i got an access denied error. I use the same administrator account that joined the workstation in the domain. In Samba log files, i got this error: [2008/10/29 11:26:11, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227) _samr_SetUserInfo: access check ((granted: 0x000d04e4; required: 0x000000b0) [2008/10/29 11:26:11, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246) _samr_SetUserInfo: ACCESS DENIED (granted: 0x000d04e4; required: 0x000000b0) samr_SetUserInfo: struct samr_SetUserInfo out: struct samr_SetUserInfo result : NT_STATUS_ACCESS_DENIED After reading Samba source code, it seems that the administrator account is missing the SA_RIGHT_USER_ACCT_FLAGS_EXPIRY right.
Can you post the full debug log 10 please, I'd like to see the rights that were assigned to that user handle on open please. Looks to me like we need to add SA_RIGHT_USER_ACCT_FLAGS_EXPIRY to the GENERIC_RIGHTS_USER_WRITE mapping. I've also updated the code for the next 3.2 (and above) releases here, I'd appreciate it if you could test the git tree 3-2-test. Thanks, Jeremy.
(In reply to comment #1) > Can you post the full debug log 10 please, I'd like to see the rights that were > assigned to that user handle on open please. Looks to me like we need to add > SA_RIGHT_USER_ACCT_FLAGS_EXPIRY to the GENERIC_RIGHTS_USER_WRITE mapping. > I've also updated the code for the next 3.2 (and above) releases here, I'd > appreciate it if you could test the git tree 3-2-test. > Thanks, > Jeremy. > Sorry but i have no access to my test environment until mid november. Then i will do the test as soon as possible
It is also required to have a correct "rename user script" configured in smb.conf, but I guess this you already have.
Sébastien Prudhomme have you had a chance to test the new code in the 3.2.x git tree ? Jeremy.
Created attachment 3764 [details] Level 10 log file Log file when trying to rename "mononm1" computer to "monnom2"
(In reply to comment #4) > Sébastien Prudhomme have you had a chance to test the new code in the 3.2.x > git tree ? > Jeremy. > Same problem when using last code source from v-3.2test branch (see the attached log file)
I've also noticed some problems when joining a W2000 workstation in the domain (join is impossible). I got theses access denied: [2008/12/11 09:58:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246) _samr_EnumDomains: ACCESS DENIED (granted: 0x00000002; required: 0x00000010) samr_EnumDomains: struct samr_EnumDomains out: struct samr_EnumDomains resume_handle : * resume_handle : 0x00000000 (0) sam : * sam : NULL num_entries : * num_entries : 0x00000000 (0) result : NT_STATUS_ACCESS_DENIED [2008/12/11 09:58:27, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323) api_rpc_cmds[5].fn == 0x4b92e0 netr_ServerAuthenticate: struct netr_ServerAuthenticate in: struct netr_ServerAuthenticate server_name : * server_name : '\\MILUX-MILUX1' account_name : 'B03NEC0086$' secure_channel_type : SEC_CHAN_WKSTA (2) computer_name : 'B03NEC0086' credentials : * credentials: struct netr_Credential data : ce0f83ba819038df netr_ServerAuthenticate: struct netr_ServerAuthenticate out: struct netr_ServerAuthenticate return_credentials : * return_credentials: struct netr_Credential data : 0000000000000000 result : NT_STATUS_ACCESS_DENIED I've added a log level 10 file. Joigning an XP Pro workstation works fine with the same configuration on the Samba DC. The only workaround i found is not to use Samba privileges at all and use "admin users = +my_admins" in global configuration.
Created attachment 3807 [details] Log level 10 for W2000 join problem
Last tests on Samba 3.2.6 : same problems
A fix has for the access denied on samr setuserinfo level 7 has been pushed to master and v3-4-test (http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6d1e21bd1b38e8a3c7df3f7fdb8a17fcdd997d42).
(In reply to comment #10) > A fix has for the access denied on samr setuserinfo level 7 has been pushed to > master and v3-4-test > (http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=6d1e21bd1b38e8a3c7df3f7fdb8a17fcdd997d42). arg, level 7 is user rename, machines rename via level 21. so we need to have the same fix there. I keep this in mind and fix soon.
Fixed now in 3-2-test. Please reopen if still an issue.