From: Michal Soltys on 30 Jun 2010 13:10

When doing simple:

    net rpc file -Untadmin

With ntadmin being a user belonging to properly groupmapped domain admins (with rid 512), including cases with ntadmin being rid=500 itself, I always get:

    [2010/06/30 15:06:46.272578, 2] auth/auth.c:304(check_ntlm_password)
      check_ntlm_password: authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
    [2010/06/30 15:06:46.276232, 1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
      Enumerating files only allowed for administrators

I've peeked into srv_srvsvc_nt.c and the main difference from earlier samba versions (in the function mentioned in logs) is the addition of the following check:

    if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
                            p->server_info->ptok)) {
        DEBUG(1, ("Enumerating files only allowed for "
                  "administrators\n"));
        return WERR_ACCESS_DENIED;
    }

Judging from variables' names it checks if a user belongs to builtin group. Assuming this kind of check is intended in this place - how to actually make [functionally working] builtin group? groupmap allows mapping to local and builtins groups, and I've also tested some net rpc group variations - but so far to no actual effect.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
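
Added illustration (not Samba's code and not part of the original post): a simplified model of the kind of check quoted in the message, treating token membership as an exact SID match. It shows that a token holding only the domain RID 512 group does not match BUILTIN\Administrators (S-1-5-32-544) unless that SID is itself in the token's list. The domain SID, the struct and the function names are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTHS 15
#define BUILTIN_ADMINS "S-1-5-32-544"      /* BUILTIN\Administrators */
#define DOM "S-1-5-21-1111-2222-3333"      /* constructed domain SID, not from the post */
struct sid { uint8_t rev; uint64_t auth; uint8_t n; uint32_t sub[MAX_SUBAUTHS]; };

/* Parse "S-1-5-32-544" style text into a struct sid; 0 on success, -1 if malformed. */
int sid_parse(const char *s, struct sid *out) {
    char *end;
    memset(out, 0, sizeof(*out));
    if (strncmp(s, "S-", 2) != 0) return -1;
    for (int field = 0; ; field++, s = end) {
        s += (field == 0) ? 2 : 1;          /* skip "S-" or the '-' separator */
        if (!isdigit((unsigned char)*s)) return -1;
        uint64_t v = strtoull(s, &end, 10);
        if (field == 0 && v <= 255) out->rev = (uint8_t)v;
        else if (field == 1 && v <= 0xFFFFFFFFFFFFULL) out->auth = v;
        else if (field >= 2 && out->n < MAX_SUBAUTHS && v <= UINT32_MAX) out->sub[out->n++] = (uint32_t)v;
        else return -1;                     /* value out of range or too many sub-authorities */
        if (*end == '\0') return field >= 1 ? 0 : -1;
        if (*end != '-') return -1;
    }
}

/* 1 if the token's SID list contains `wanted` exactly, 0 if not, -1 on a malformed SID. */
int token_has_sid(const char *const *token, size_t count, const char *wanted) {
    struct sid w, t;
    if (sid_parse(wanted, &w)) return -1;
    for (size_t i = 0; i < count; i++) {
        if (sid_parse(token[i], &t)) return -1;
        if (t.rev == w.rev && t.auth == w.auth && t.n == w.n &&
            memcmp(t.sub, w.sub, w.n * sizeof(w.sub[0])) == 0) return 1;
    }
    return 0;
}

/* Constructed tokens: RID 500 user in Domain Admins (512), without and with the builtin alias. */
const char *const token_domain_admin[] = { DOM "-500", DOM "-512", DOM "-513" };
const char *const token_with_alias[]   = { DOM "-500", DOM "-512", BUILTIN_ADMINS };

int main(void) {
    printf("domain admins only: %d\n", token_has_sid(token_domain_admin, 3, BUILTIN_ADMINS));
    printf("with builtin alias: %d\n", token_has_sid(token_with_alias, 3, BUILTIN_ADMINS));
    return 0;
}
```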