Bug 6089 - Winbind samr_OpenDomain not possible with Samba 3.2.6+
Summary: Winbind samr_OpenDomain not possible with Samba 3.2.6+
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.2.8
Hardware: Other Windows NT
: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
: 6289 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-02-04 16:40 UTC by Sébastien Prud'homme
Modified: 2009-06-12 04:57 UTC (History)
2 users (show)

See Also:


Attachments
Patch for 3.2.x and above (388 bytes, patch)
2009-04-15 13:19 UTC, Jeremy Allison
no flags Details
Patch for 3.2 only. (3.01 KB, patch)
2009-04-15 16:09 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sébastien Prud'homme 2009-02-04 16:40:04 UTC
Hi,

After upgrading a Samba DC from Samba 3.2.5 to 3.2.6, other Samba member servers can not use Winbind to enumerate domain users and groups (wbinfo -u/-g).

Level 10 log shows that:
[2009/01/27 00:51:24,  5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_OpenDomain: access check ((granted: 0x00020010;  required: 0x00000020)
[2009/01/27 00:51:24,  2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr_OpenDomain: ACCESS DENIED (granted: 0x00020010;  required: 0x00000020)
      samr_OpenDomain: struct samr_OpenDomain
          out: struct samr_OpenDomain
              domain_handle            : *
                  domain_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_ACCESS_DENIED

In Samba 3.2.4, level 1O log was:
[2009/01/26 22:54:39,  5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_OpenDomain: access check ((granted: 0x00020031;  required: 0x00000020)
[2009/01/26 22:54:39, 10] lib/util_seaccess.c:se_access_check(232)
  se_access_check: requested access 0x02000000, for NT token with 6 entries and first sid S-1-5-21-2298372836-1856165796-1024827558-1139.
[2009/01/26 22:54:39,  3] lib/util_seaccess.c:se_access_check(249)
[2009/01/26 22:54:39,  3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2298372836-1856165796-1024827558-1139
  se_access_check: also S-1-5-21-2298372836-1856165796-1024827558-515
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-515
[2009/01/26 22:54:39,  4] rpc_server/srv_samr_nt.c:access_check_samr_object(215)
  _samr_OpenDomain: access GRANTED (requested: 0x02000000, granted: 0x000f07ff)
[2009/01/26 22:54:39, 10] rpc_server/srv_samr_nt.c:get_samr_info_by_sid(331)
  get_samr_info_by_sid: created new info for sid S-1-5-21-2298372836-1856165796-1024827558
[2009/01/26 22:54:39,  4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(148)
  Opened policy hnd[2] [000] 00 00 00 00 04 00 00 00  00 00 00 00 7E 49 1F 31  ........ ....~I.1
  [010] 10 17 00 00                                       ....
[2009/01/26 22:54:39,  5] rpc_server/srv_samr_nt.c:_samr_OpenDomain(617)
  _samr_OpenDomain: 617
      samr_OpenDomain: struct samr_OpenDomain
          out: struct samr_OpenDomain
              domain_handle            : *
                  domain_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000004-0000-0000-7e49-1f3110170000
              result                   : NT_STATUS_OK

Not sure this new behaviour is right.
Comment 1 Sébastien Prud'homme 2009-02-11 17:43:11 UTC
Problem origin seems to be the map_max_allowed_access function introduced in Samba 3.2.6
Comment 2 Michael 2009-04-15 04:13:18 UTC
Hi there,

same problem with Samba 3.3.3.
"_samr_OpenDomain: ACCESS DENIED (granted: 0x00020010;  required: 0x00000020)"

Greets,
Mikel
Comment 3 Jeremy Allison 2009-04-15 13:07:51 UTC
The problem is with the mapping of generic rights to specific rights when opening the samr connection. Can you give me more of the debug level 10 of the failure. Specifically I'm looking for the rights requested by the client in a _samr_ConnectXX call. I know how to fix this, I just want to make sure it's the *correct* fix to not open samr rights more than I have to.
Jeremy.
Comment 4 Jeremy Allison 2009-04-15 13:19:18 UTC
Created attachment 4068 [details]
Patch for 3.2.x and above

I think this should fix the required mapping. Guenther PLEASE CHECK !!!
Jeremy.
Comment 5 Jeremy Allison 2009-04-15 16:09:32 UTC
Created attachment 4069 [details]
Patch for 3.2 only.

After some teamwork with Guenther I'm pretty sure this is the correct fix.
Please test and confirm.
Jeremy.
Comment 6 Bartlomiej Solarz-Niesluchowski 2009-04-17 14:44:57 UTC
(In reply to comment #5)
> Created an attachment (id=4069) [details]
> Patch for 3.2 only.
How about 3.3.x?

and look here:
https://bugzilla.samba.org/show_bug.cgi?id=6177
and there:
https://bugzilla.samba.org/show_bug.cgi?id=6112

Best regards
Comment 7 Guenther Deschner 2009-04-24 09:01:18 UTC
*** Bug 6289 has been marked as a duplicate of this bug. ***
Comment 8 David Markey 2009-04-24 14:57:14 UTC
running 3.3.4-GIT-c53c875-test i still have issues, i think they should be fixed in this.

Possible Culprits:

[2009/04/24 20:48:46, 10] rpc_client/cli_pipe.c:rpc_api_pipe(842)
  rpc_api_pipe: got PDU len of 72 at offset 0
[2009/04/24 20:48:46, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine KERRY pipe \lsarpc fnum 0x764c returned 40 bytes.
      lsa_EnumTrustDom: struct lsa_EnumTrustDom
          out: struct lsa_EnumTrustDom
              resume_handle            : *
                  resume_handle            : 0xffffffff (4294967295)
              domains                  : *
                  domains: struct lsa_DomainList
                      count                    : 0x00000000 (0)
                      domains                  : *
                          domains: ARRAY(0)
              result                   : NT_STATUS_NO_MORE_ENTRIES





  rpc_api_pipe: got PDU len of 72 at offset 0
[2009/04/24 20:43:46, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine KERRY pipe \samr fnum 0x764b returned 48 bytes.
      samr_QueryDisplayInfo: struct samr_QueryDisplayInfo
          out: struct samr_QueryDisplayInfo
              total_size               : *
                  total_size               : 0x00000000 (0)
              returned_size            : *
                  returned_size            : 0x00000000 (0)
              info                     : *
                  info                     : union samr_DispInfo(case 1)
                  info1: struct samr_DispInfoGeneral
                      count                    : 0x00000000 (0)
                      entries                  : NULL
              result                   : NT_STATUS_ACCESS_DENIED




Comment 9 Guenther Deschner 2009-05-19 07:00:42 UTC
and yet another incarnation of the samr access check bugs.
Comment 10 Guenther Deschner 2009-06-12 04:57:31 UTC
Fixed for next Samba 3.2 release (by reverting to previous behaviour).