Bug 6329 - SeMachineAccountPrivilege doesnt have an effect when trying to join a samba client to a samba domain
Summary: SeMachineAccountPrivilege doesnt have an effect when trying to join a samba c...
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-05 20:12 UTC by David Markey
Modified: 2009-06-08 19:11 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Markey 2009-05-05 20:12:12 UTC
/opt/samba/samba-3.4.0pre1/bin/net -U Administrator%password rpc rights list  david38
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

david38 has full rights, But this user cannot join a samba machine to the domain:
/opt/samba/samba-3.4.0pre1/bin/net -U david38%password rpc join
Creation of workstation account failed
Unable to join domain SAMBATEST.


However Administrator(uid=0) is able to do this successfully

/opt/samba/samba-3.4.0pre1/bin/net -U Administrator%password rpc join
Joined domain SAMBATEST.

I have a feeling this is related to 6314.


Log: http://dmarkey.com/~dmarkey/samba3.4pre1/net/samba.david38


Possible Problem:
[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn INTERFACE_VERSION
[2009/05/06 02:09:50,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [23758]: request interface version
[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2009/05/06 02:09:50,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [23758]: request location of privileged pipe
[2009/05/06 02:09:50, 10] winbindd/winbindd.c:533(process_request)
  process_request: request fn ALLOCATE_UID
[2009/05/06 02:09:50,  2] winbindd/winbindd_sid.c:613(winbindd_allocate_uid)
  winbindd_allocate_uid: non-privileged access denied!
[2009/05/06 02:09:50,  0] passdb/pdb_ldap.c:5106(ldapsam_create_user)
  ldapsam_create_user: Unable to allocate a new user id: bailing out!
[2009/05/06 02:09:50,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
       samr_CreateUser2: struct samr_CreateUser2
          out: struct samr_CreateUser2
              user_handle              : *
                  user_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              access_granted           : *
                  access_granted           : 0x00000000 (0)
              rid                      : *
                  rid                      : 0x000004b6 (1206)
              result                   : NT_STATUS_UNSUCCESSFUL
Comment 1 David Markey 2009-05-25 06:05:07 UTC
the new samr changes might have fixed this, i'll test today.
Comment 2 David Markey 2009-05-26 05:12:06 UTC
debian5:~# /opt/samba/bin/net -U administrator%password  rpc rights grant  SAMBATEST\\addmachine SeMachineAccountPrivilege
Successfully granted rights.
debian5:~# /opt/samba/bin/net -U  addmachine   rpc join
Enter addmachine's password:
Creation of workstation account failed
User specified does not have administrator privileges
Unable to join domain SAMBATEST-2.
debian5:~# /opt/samba/bin/net -V
Version 3.4.0pre1-GIT-bfe7383-test



Doesnt seem like this is fixed yet.
It does say that the user needs "Administrator" privileges, does this differ from having SeMachineAccountPrivilege?

As a shot in the dark i tried to give "addmachine" all available privilege. that didnt work either.




Comment 3 David Markey 2009-05-26 06:28:28 UTC
net -U administrator%password rpc group addmem "Domain admins" "david"
net -U david rpc join
Enter david's password:
Joined domain SAMBA-34-2.


Adding the user to "Domain admins" does give them the right to add to the domain however.

                              
Comment 4 Jeremy Allison 2009-06-05 17:26:05 UTC
David, can you get me a debug level 10 log from the server when:

opt/samba/bin/net -U  addmachine   rpc join
Enter addmachine's password:
Creation of workstation account failed
User specified does not have administrator privileges

fails please ? Thanks !

Jeremy.
Comment 5 David Markey 2009-06-08 19:11:00 UTC
This bug is invalid.

I was trying to do a PDC loopback join. One needs to be in the "Domain Admins"/512 group, when a user is in the domain admins group this succeeds.

A user with the SeMachineAccountPrivilege is able to join a domain member(non BDC/PDC)

This is all expected behavior