Hi,

After upgrading a Samba DC from Samba 3.2.5 to 3.2.6, other Samba member servers cannot use Winbind to enumerate domain users and groups (wbinfo -u/-g).

Level 10 log shows that:

[2009/01/27 00:51:24, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_OpenDomain: access check ((granted: 0x00020010; required: 0x00000020)
[2009/01/27 00:51:24, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr_OpenDomain: ACCESS DENIED (granted: 0x00020010; required: 0x00000020)
     samr_OpenDomain: struct samr_OpenDomain
        out: struct samr_OpenDomain
            domain_handle : *
                domain_handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : 00000000-0000-0000-0000-000000000000
            result : NT_STATUS_ACCESS_DENIED

In Samba 3.2.4, level 10 log was:

[2009/01/26 22:54:39, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_OpenDomain: access check ((granted: 0x00020031; required: 0x00000020)
[2009/01/26 22:54:39, 10] lib/util_seaccess.c:se_access_check(232)
  se_access_check: requested access 0x02000000, for NT token with 6 entries and first sid S-1-5-21-2298372836-1856165796-1024827558-1139.
[2009/01/26 22:54:39, 3] lib/util_seaccess.c:se_access_check(249)
[2009/01/26 22:54:39, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2298372836-1856165796-1024827558-1139
  se_access_check: also S-1-5-21-2298372836-1856165796-1024827558-515
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-515
[2009/01/26 22:54:39, 4] rpc_server/srv_samr_nt.c:access_check_samr_object(215)
  _samr_OpenDomain: access GRANTED (requested: 0x02000000, granted: 0x000f07ff)
[2009/01/26 22:54:39, 10] rpc_server/srv_samr_nt.c:get_samr_info_by_sid(331)
  get_samr_info_by_sid: created new info for sid S-1-5-21-2298372836-1856165796-1024827558
[2009/01/26 22:54:39, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(148)
  Opened policy hnd[2]
  [000] 00 00 00 00 04 00 00 00 00 00 00 00 7E 49 1F 31  ........ ....~I.1
  [010] 10 17 00 00                                       ....
[2009/01/26 22:54:39, 5] rpc_server/srv_samr_nt.c:_samr_OpenDomain(617)
  _samr_OpenDomain: 617
     samr_OpenDomain: struct samr_OpenDomain
        out: struct samr_OpenDomain
            domain_handle : *
                domain_handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : 00000004-0000-0000-7e49-1f3110170000
            result : NT_STATUS_OK

Not sure this new behaviour is right.
The origin of the problem seems to be the map_max_allowed_access function introduced in Samba 3.2.6.
Hi there, same problem with Samba 3.3.3. "_samr_OpenDomain: ACCESS DENIED (granted: 0x00020010; required: 0x00000020)" Greets, Mikel
The problem is with the mapping of generic rights to specific rights when opening the samr connection. Can you give me more of the debug level 10 log of the failure? Specifically I'm looking for the rights requested by the client in a _samr_ConnectXX call. I know how to fix this, I just want to make sure it's the *correct* fix to not open samr rights more than I have to.

Jeremy.
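Added example, not part of the bug thread and not Samba's own code: the granted and required masks from the two logs in the report, checked against the server-object access rights and generic mapping published in MS-SAMR. That this table is the one applying to the handle checked in _samr_OpenDomain is an assumption, and the function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Server-object rights and generic mapping as listed in MS-SAMR (assumed to apply here). */
#define SAM_SERVER_LOOKUP_DOMAIN 0x00000020u
#define SAM_SERVER_READ          0x00020010u
#define SAM_SERVER_WRITE         0x0002000Eu
#define SAM_SERVER_EXECUTE       0x00020021u
#define SAM_SERVER_ALL_ACCESS    0x000F003Fu

#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u

/* Replace each generic bit in a requested mask with the specific rights it stands for. */
static uint32_t map_generic(uint32_t req)
{
    uint32_t out = req & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (req & GENERIC_READ)    out |= SAM_SERVER_READ;
    if (req & GENERIC_WRITE)   out |= SAM_SERVER_WRITE;
    if (req & GENERIC_EXECUTE) out |= SAM_SERVER_EXECUTE;
    if (req & GENERIC_ALL)     out |= SAM_SERVER_ALL_ACCESS;
    return out;
}

/* The comparison the log lines report: every required bit must be in the granted mask. */
static int access_ok(uint32_t granted, uint32_t required)
{
    return (granted & required) == required;
}

/* Required bits that were not granted (0 means the check passes). */
static uint32_t missing_bits(uint32_t granted, uint32_t required)
{
    return required & ~granted;
}

int main(void)
{
    /* Masks copied from the 3.2.6 and 3.2.4 logs in the report. */
    const uint32_t g326 = 0x00020010u, g324 = 0x00020031u, need = 0x00000020u;
    printf("3.2.6: ok=%d missing=0x%08" PRIx32 "\n", access_ok(g326, need), missing_bits(g326, need));
    printf("3.2.4: ok=%d missing=0x%08" PRIx32 "\n", access_ok(g324, need), missing_bits(g324, need));
    printf("GENERIC_READ maps to 0x%08" PRIx32 "\n", map_generic(GENERIC_READ));
    return 0;
}
```

The 3.2.6 granted value equals the generic-read mapping alone, which lacks the 0x20 bit that _samr_OpenDomain requires; the 3.2.4 value equals the read and execute mappings combined, which includes it.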
Created attachment 4068
Patch for 3.2.x and above

I think this should fix the required mapping. Guenther PLEASE CHECK !!!

Jeremy.
Created attachment 4069
Patch for 3.2 only.

After some teamwork with Guenther I'm pretty sure this is the correct fix. Please test and confirm.

Jeremy.
(In reply to comment #5)
> Created an attachment (id=4069)
> Patch for 3.2 only.

How about 3.3.x?

and look here: https://bugzilla.samba.org/show_bug.cgi?id=6177
and there: https://bugzilla.samba.org/show_bug.cgi?id=6112

Best regards
*** Bug 6289 has been marked as a duplicate of this bug. ***
Running 3.3.4-GIT-c53c875-test I still have issues; I think they should be fixed in this.

Possible Culprits:

[2009/04/24 20:48:46, 10] rpc_client/cli_pipe.c:rpc_api_pipe(842)
  rpc_api_pipe: got PDU len of 72 at offset 0
[2009/04/24 20:48:46, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine KERRY pipe \lsarpc fnum 0x764c returned 40 bytes.
     lsa_EnumTrustDom: struct lsa_EnumTrustDom
        out: struct lsa_EnumTrustDom
            resume_handle : *
                resume_handle : 0xffffffff (4294967295)
            domains : *
                domains: struct lsa_DomainList
                    count : 0x00000000 (0)
                    domains : *
                        domains: ARRAY(0)
            result : NT_STATUS_NO_MORE_ENTRIES

  rpc_api_pipe: got PDU len of 72 at offset 0
[2009/04/24 20:43:46, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine KERRY pipe \samr fnum 0x764b returned 48 bytes.
     samr_QueryDisplayInfo: struct samr_QueryDisplayInfo
        out: struct samr_QueryDisplayInfo
            total_size : *
                total_size : 0x00000000 (0)
            returned_size : *
                returned_size : 0x00000000 (0)
            info : *
                info : union samr_DispInfo(case 1)
                info1: struct samr_DispInfoGeneral
                    count : 0x00000000 (0)
                    entries : NULL
            result : NT_STATUS_ACCESS_DENIED
And yet another incarnation of the samr access check bugs.
Fixed for next Samba 3.2 release (by reverting to previous behaviour).