Bug 751 - Can't display user properties in NEXUS/usrmgr.exe (samr access check)
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0
Hardware: All FreeBSD
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
Depends on:
Blocks: 807
Reported: 2003-11-11 00:41 UTC by Pavel V.Zheltobryukhov
Modified: 2005-08-24 10:19 UTC
Description Pavel V.Zheltobryukhov 2003-11-11 00:41:26 UTC
It looks like bug #281. I downloaded the Samba_3_0 sources on 10 Nov 2003 to fix this
problem and it works - I can set permissions for shares. Then I log in as a member
of the Domain Admin group on a WinME workstation, then run User Manager for Domains
(from NEXUS) on WinME and connect to my PDC. I can see the list of users and
non-builtin groups, but I cannot see the user properties. The User Manager says
"The following error occured accessing the properties of user <username>
Access denied
The user properties cannot be edited or viewed at this time"

In the Samba logs:

[2003/11/11 12:15:32, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
access)smbldap_open: cannot access LDAP when not root..
[2003/11/11 12:15:32, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/11/11 12:15:32, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2048)
  ldapsam_setsamgrent: LDAP search failed: Insufficient access
[2003/11/11 12:15:32, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2113)
  ldapsam_enum_group_mapping: Unable to open passdb
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-11-24 06:44:50 UTC
I'm reopening bug 281 so we can track the history

*** This bug has been marked as a duplicate of 281 ***
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-11-24 09:29:23 UTC
Reopening this one.  The original report is actually 
not an ldap permission issue.  I get the same error 
from 2k + usrmgr and 9x+nexus.

_samr_open_user: access check ((granted: 0x00020381;  required: 0x00000200)
se_access_check: requested access 0x000601bf, for NT token with 7 
entries and first sid S-1-5-21-2547222302-1596225915-2414751004-2560.
 user sid is S-1-5-21-2547222302-1596225915-2414751004-2560
 also S-1-5-21-2547222302-1596225915-2414751004-513
 also S-1-1-0
 also S-1-5-2
 also S-1-5-11
 also S-1-5-21-2547222302-1596225915-2414751004-1201
 also S-1-5-21-2547222302-1596225915-2414751004-512

 ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current 
  desired = 601bf
 ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current 
  desired = 400a4
 ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current 
  desired = 400a4
 ACE 3: type 0, flags = 0x00, SID = 
  S-1-5-21-2547222302-1596225915-2414751004-2560 mask = 20044, 
  current desired = 400a4
  access (601bf) denied.
_samr_open_user: ACCESS DENIED  (requested: 0x000601bf)
000000 samr_io_r_open_user
    000000 smb_io_pol_hnd user_pol
        0000 data1: 00000000
        0004 data2: 00000000
        0008 data3: 0000
        000a data4: 0000
        000c data5: 00 00 00 00 00 00 00 00
    0014 status: NT_STATUS_ACCESS_DENIED
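Added example (not part of the bug report and not Samba's code): a simplified Python replay of the allow-ACE walk logged in Comment 2, checked step by step against the logged "current desired" values. It models only type 0 (allow) ACEs as they appear in this log; the names parse, replay and extra_sids are assumptions made for the example.

```python
import re

# Log lines copied from Comment 2, with wrapped lines re-joined.
LOG = """\
se_access_check: requested access 0x000601bf, for NT token with 7 entries and first sid S-1-5-21-2547222302-1596225915-2414751004-2560.
 user sid is S-1-5-21-2547222302-1596225915-2414751004-2560
 also S-1-5-21-2547222302-1596225915-2414751004-513
 also S-1-1-0
 also S-1-5-2
 also S-1-5-11
 also S-1-5-21-2547222302-1596225915-2414751004-1201
 also S-1-5-21-2547222302-1596225915-2414751004-512
 ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
 ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
 ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
 ACE 3: type 0, flags = 0x00, SID = S-1-5-21-2547222302-1596225915-2414751004-2560 mask = 20044, current desired = 400a4
"""

ACCESS_ALLOWED = 0  # "type 0" in the log

def parse(log):
    """Extract the requested mask, the token's SIDs and the ACE list."""
    requested = int(re.search(r"requested access (0x[0-9a-f]+)", log).group(1), 16)
    token = set(re.findall(r"^ (?:user sid is|also) (S-[\d-]+)", log, re.M))
    ace_re = (r"ACE \d+: type (\d+), .*?SID = (S-[\d-]+) "
              r"mask = ([0-9a-f]+), current desired = ([0-9a-f]+)")
    aces = [(int(t), sid, int(mask, 16), int(cur, 16))
            for t, sid, mask, cur in re.findall(ace_re, log)]
    return requested, token, aces

def replay(log, extra_sids=()):
    """Return (bits still ungranted, SIDs of ACEs that did not match the token).
    extra_sids is a hypothetical what-if: SIDs added to the logged token."""
    requested, token, aces = parse(log)
    token |= set(extra_sids)
    desired, skipped = requested, []
    for ace_type, sid, mask, logged in aces:
        if not extra_sids and desired != logged:
            raise ValueError("model diverges from the logged 'current desired'")
        if sid not in token:
            skipped.append(sid)   # ACE does not apply to this token
        elif ace_type == ACCESS_ALLOWED:
            desired &= ~mask      # bits granted by this ACE are satisfied
    return desired, skipped       # non-zero desired means access denied

if __name__ == "__main__":
    left, skipped = replay(LOG)
    print(f"ungranted bits: {left:#x}; ACEs not matching the token: {skipped}")
```

The token carries the domain RIDs 512 and 513 but neither S-1-5-32-544 nor S-1-5-32-548, so only ACE 0 and ACE 3 apply and 0x400a0 of the requested 0x601bf is never granted, which matches the logged denial.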
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-12-03 20:20:04 UTC
ok.  This works from NT4 (logged on as root - member of domain admin).
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-12-12 08:27:47 UTC
resetting target milestone.  3.0.1 has been frozen.  Will have to 
re-evaluate these.
Comment 5 Michael D. Jurney 2004-03-30 11:23:06 UTC
I'm still seeing this behavior in the most current debian 3.0.2a-1 package:

[2004/03/30 14:15:04, 5] lib/smbldap.c:smbldap_search(919)
  smbldap_search: base => [dc=datasynapse,dc=com], filter =>
[(&(uid=jennifer$)(objectclass=sambaSamAccount))], scope => [2]
[2004/03/30 14:15:04, 0] lib/smbldap.c:smbldap_open(807)
  smbldap_open: cannot access LDAP when not root..
[2004/03/30 14:15:04, 1] lib/smbldap.c:smbldap_retry_open(896)
  Connection to LDAP Server failed for the 1 try!
[2004/03/30 14:15:04, 0] lib/smbldap.c:smbldap_search_suffix(1113)
  smbldap_search_suffix: Problem during the LDAP search:  (Insufficient access)
Comment 6 Gerald (Jerry) Carter (dead mail address) 2004-03-31 13:58:51 UTC
the smbldap_open() error is more likely related to 
bug 1023.  This report here is due to a bad samr_access_check.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-02-07 10:48:06 UTC
closing as fixed in 3.0.11 (possibly earlier).
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:19:05 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.