It looks like bug #281. I downloaded the Samba_3_0 sources on 10 Nov 2003 to fix this problem and it works - I can set permissions for shares. Then I log in as a member of the Domain Admin group on a WinME workstation, then run User Manager for Domains (from NEXUS) on WinME and connect to my PDC. I can see the list of users and non-builtin groups, but I cannot see the user properties. The User Manager says "The following error occured accessing the properties of user <username> Access denied The user properties cannot be edited or viewed at this time"

In Samba logs:

[2003/11/11 12:15:32, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)smbldap_open: cannot access LDAP when not root..
[2003/11/11 12:15:32, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/11/11 12:15:32, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2048)
  ldapsam_setsamgrent: LDAP search failed: Insufficient access
[2003/11/11 12:15:32, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2113)
  ldapsam_enum_group_mapping: Unable to open passdb
I'm reopening bug 281 so we can track the history better. *** This bug has been marked as a duplicate of 281 ***
Reopening this one. The original report is actually not an ldap permission issue. I get the same error from 2k + usrmgr and 9x+nexus.

_samr_open_user: access check ((granted: 0x00020381; required: 0x00000200)
se_access_check: requested access 0x000601bf, for NT token with 7 entries and first sid S-1-5-21-2547222302-1596225915-2414751004-2560.
user sid is S-1-5-21-2547222302-1596225915-2414751004-2560
also S-1-5-21-2547222302-1596225915-2414751004-513
also S-1-1-0
also S-1-5-2
also S-1-5-11
also S-1-5-21-2547222302-1596225915-2414751004-1201
also S-1-5-21-2547222302-1596225915-2414751004-512
ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
ACE 3: type 0, flags = 0x00, SID = S-1-5-21-2547222302-1596225915-2414751004-2560 mask = 20044, current desired = 400a4
access (601bf) denied.
_samr_open_user: ACCESS DENIED (requested: 0x000601bf)
000000 samr_io_r_open_user
    000000 smb_io_pol_hnd user_pol
        0000 data1: 00000000
        0004 data2: 00000000
        0008 data3: 0000
        000a data4: 0000
        000c data5: 00 00 00 00 00 00 00 00
    0014 status: NT_STATUS_ACCESS_DENIED
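The mask arithmetic in the se_access_check output quoted in the comment above can be replayed offline. This is an added example, not part of the bug thread and not Samba's code: it assumes a simplified model inferred from the log (each allow ACE, type 0, whose SID is in the token clears its mask bits from the still-desired access), and the name replay_access_check and the embedded log text are constructed here from the quoted lines.

```python
import re

# Constructed from the se_access_check debug lines quoted in the comment above.
D = "S-1-5-21-2547222302-1596225915-2414751004"
LOG = f"""\
se_access_check: requested access 0x000601bf, for NT token with 7 entries
user sid is {D}-2560
also {D}-513
also S-1-1-0
also S-1-5-2
also S-1-5-11
also {D}-1201
also {D}-512
ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 2035b, current desired = 601bf
ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 400a4
ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 400a4
ACE 3: type 0, flags = 0x00, SID = {D}-2560 mask = 20044, current desired = 400a4
"""

ACE_RE = re.compile(r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, "
                    r"SID = (S-[\d-]+) mask = ([0-9a-f]+), current desired = ([0-9a-f]+)")

def replay_access_check(log):
    """Replay allow ACEs (type 0) only; deny ACEs are not modelled (assumption)."""
    desired = int(re.search(r"requested access (0x[0-9a-f]+)", log).group(1), 16)
    token = set(re.findall(r"(?:user sid is|also) (S-[\d-]+)", log))
    consistent, unmatched = True, []
    for idx, ace_type, sid, mask, logged in ACE_RE.findall(log):
        # The log prints the still-desired bits before each ACE is applied.
        consistent &= int(logged, 16) == desired
        if ace_type == "0" and sid in token:
            desired &= ~int(mask, 16)  # bits this ACE allows are now satisfied
        else:
            unmatched.append((int(idx), sid, int(mask, 16)))
    return {"remaining": desired, "granted": desired == 0,
            "consistent_with_log": consistent, "unmatched_aces": unmatched}

if __name__ == "__main__":
    result = replay_access_check(LOG)
    print("remaining desired bits: 0x%x" % result["remaining"])
    for idx, sid, mask in result["unmatched_aces"]:
        print("ACE %d (%s, mask 0x%x) matched no SID in the token" % (idx, sid, mask))
```

The replay leaves 0x400a0 unsatisfied: the two ACEs carrying mask f07ff are for S-1-5-32-544 and S-1-5-32-548, neither of which is in the token, while the token's RID 512 SID has no ACE of its own.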
ok. This works from NT4 (logged on as root - member of domain admin).
Resetting target milestone. 3.0.1 has been frozen. Will have to re-evaluate these.
I'm still seeing this behavior in the most current debian 3.0.2a-1 package:

[2004/03/30 14:15:04, 5] lib/smbldap.c:smbldap_search(919)
  smbldap_search: base => [dc=datasynapse,dc=com], filter => [(&(uid=jennifer$)(objectclass=sambaSamAccount))], scope => [2]
[2004/03/30 14:15:04, 0] lib/smbldap.c:smbldap_open(807)
  smbldap_open: cannot access LDAP when not root..
[2004/03/30 14:15:04, 1] lib/smbldap.c:smbldap_retry_open(896)
  Connection to LDAP Server failed for the 1 try!
[2004/03/30 14:15:04, 0] lib/smbldap.c:smbldap_search_suffix(1113)
  smbldap_search_suffix: Problem during the LDAP search: (Insufficient access)
the smbldap_open() error is more likely related to bug 1023. This report here is due to a bad samr_access_check.
closing as fixed in 3.0.11 (possibly earlier).
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.