• [Samba] Samba shared folders and windows 7 permissions dialog.

    From PF4Public via samba@21:1/5 to All on Tue Mar 21 04:00:01 2017
    Hi there

    Trying to solve an issue with Samba and the Windows 7 permissions dialog. The problem is that
    sometimes the Windows 7 permissions dialog is lacking LDAP users and groups.
    Looks like my problem is related to this one: https://forums.freenas.org/index.php?threads/users-and-groups-not-showing-up-in-windows-7.46023/
    Sadly, there is no solution in that thread.
    Consider the following setup: Linux Debian with Samba and LDAP and several Windows 7
    hosts. LDAP has a user named "test" for my tests.

    Test 1
    Open the test user's home via Samba: "\\samba\test" in Windows 7 Explorer. Create any
    files/folders there and open the permissions dialog, switch to advanced user search. It does
    show LDAP users and groups on one Windows 7 host, but surprisingly does not on another
    Windows 7 host, even though both connect as user "test".

    Test 2
    Make sure that the locally logged-in user belongs to the local Administrators group. Same result
    as with Test 1. One Windows host shows all the users and groups from LDAP, the other one
    does not, even though both hosts are logged in with a local administrator account and
    connecting as the same "test" user to Samba.

    Test 3
    Let's take the successful Windows host and re-login to a limited account. Now the permissions dialog
    also lacks LDAP users and groups. Elevating explorer.exe does not help, by the way.

    Test 4
    Make Samba more verbose: "log level = 10". Repeat Test 1. I was overwhelmed while
    reading and comparing logfiles, but I noticed a subtle difference there: the successful Windows host generates:

    [2017/03/20 19:22:05.622880, 5, pid=20151, effective(10000, 10002), real(10000, 0)]
    ../source3/auth/token_util.c:639(debug_unix_user_token)
      UNIX token of user 10000
      Primary group is 10002 and contains 1 supplementary groups
      Group[ 0]: 10002
    [2017/03/20 19:22:05.622904, 5, pid=20151, effective(10000, 10002), real(10000, 0)]
    ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
      Impersonated user: uid=(10000,10000), gid=(0,10002)
    [2017/03/20 19:22:05.622917, 5, pid=20151, effective(10000, 10002), real(10000, 0),
    class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request)
      Requested samr rpc service
    [2017/03/20 19:22:05.622929, 4, pid=20151, effective(10000, 10002), real(10000, 0),
    class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
      api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
    [2017/03/20 19:22:05.622942, 6, pid=20151, effective(10000, 10002), real(10000, 0),
    class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
      api_rpc_cmds[7].fn == 0x7fa14a7c6ed0
    [2017/03/20 19:22:05.622956, 1, pid=20151, effective(10000, 10002), real(10000, 0)]
    ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
      samr_OpenDomain: struct samr_OpenDomain
        in: struct samr_OpenDomain
          connect_handle : *
            connect_handle: struct policy_handle
              handle_type : 0x00000000 (0)
              uuid : 00000021-0000-0000-d058-ad01b74e0000
          access_mask : 0x00000304 (772)
            0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
            0: SAMR_DOMAIN_ACCESS_SET_INFO_1
            1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
            0: SAMR_DOMAIN_ACCESS_SET_INFO_2
            0: SAMR_DOMAIN_ACCESS_CREATE_USER
            0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
            0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
            0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
            1: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
            1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
            0: SAMR_DOMAIN_ACCESS_SET_INFO_3


    While the other gives:

    [2017/03/20 18:51:48.939208, 5, pid=4553, effective(10000, 10002), real(10000, 0)]
    ../source3/auth/token_util.c:639(debug_unix_user_token)
      UNIX token of user 10000
      Primary group is 10002 and contains 1 supplementary groups
      Group[ 0]: 10002
    [2017/03/20 18:51:48.939236, 5, pid=4553, effective(10000, 10002), real(10000, 0)]
    ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
      Impersonated user: uid=(10000,10000), gid=(0,10002)
    [2017/03/20 18:51:48.939252, 5, pid=4553, effective(10000, 10002), real(10000, 0),
    class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1404(api_pipe_request)
      Requested samr rpc service
    [2017/03/20 18:51:48.939265, 4, pid=4553, effective(10000, 10002), real(10000, 0),
    class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1429(api_rpcTNP)
      api_rpcTNP: samr op 0x7 - api_rpcTNP: rpc command: SAMR_OPENDOMAIN
    [2017/03/20 18:51:48.939281, 6, pid=4553, effective(10000, 10002), real(10000, 0),
    class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1469(api_rpcTNP)
      api_rpc_cmds[7].fn == 0x7fa14a7c6ed0
    [2017/03/20 18:51:48.939298, 1, pid=4553, effective(10000, 10002), real(10000, 0)]
    ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
      samr_OpenDomain: struct samr_OpenDomain
        in: struct samr_OpenDomain
          connect_handle : *
            connect_handle: struct policy_handle
              handle_type : 0x00000000 (0)
              uuid : 00000017-0000-0000-cf58-94fac9110000
          access_mask : 0x00000200 (512)
            0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
            0: SAMR_DOMAIN_ACCESS_SET_INFO_1
            0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
            0: SAMR_DOMAIN_ACCESS_SET_INFO_2
            0: SAMR_DOMAIN_ACCESS_CREATE_USER
            0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
            0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
            0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
            0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
            1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
            0: SAMR_DOMAIN_ACCESS_SET_INFO_3

    Is it "0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS" that blocks that Windows host from enumerating
    LDAP users and groups? If that's true, then why is that happening to the same user on
    different hosts? What is the origin of struct samr_OpenDomain and how does Samba derive it?

    Or am I on the wrong track?

    Anyway, any advice on this issue is welcome.
    Please help me resolve this nasty issue.

    Thanks in advance.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
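
Added example (not part of the original post, and not Samba code): a small Python helper that extracts the `access_mask` from each `samr_OpenDomain` request in a level-10 log like the ones quoted above and lists the rights one client requested that the other did not. The `in:` struct holds the parameters the client sent in the request. The bit positions are assumed from the order in which Samba prints the flags, which is consistent with both masks in the post; the sample log is constructed from the post's values, and the function names are hypothetical.

```python
import re

# Flag names in the order Samba prints them in the dump (assumed: bit 0 first).
SAMR_DOMAIN_ACCESS = [
    "LOOKUP_INFO_1", "SET_INFO_1", "LOOKUP_INFO_2", "SET_INFO_2",
    "CREATE_USER", "CREATE_GROUP", "CREATE_ALIAS", "LOOKUP_ALIAS",
    "ENUM_ACCOUNTS", "OPEN_ACCOUNT", "SET_INFO_3",
]

# Constructed sample, trimmed from the two excerpts quoted in the post.
SAMPLE_LOG = """\
[2017/03/20 19:22:05.622956, 1, pid=20151, effective(10000, 10002), real(10000, 0)]
../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
      access_mask : 0x00000304 (772)
[2017/03/20 18:51:48.939298, 1, pid=4553, effective(10000, 10002), real(10000, 0)]
../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
      access_mask : 0x00000200 (512)
"""

HEADER = re.compile(r"^\[[^\]]*\bpid=(\d+)")          # start of a log record
MASK = re.compile(r"access_mask\s*:\s*(0x[0-9a-fA-F]+)")

def decode_mask(mask):
    """Return the set of SAMR domain access flag names set in mask."""
    return {"SAMR_DOMAIN_ACCESS_" + name
            for bit, name in enumerate(SAMR_DOMAIN_ACCESS) if mask & (1 << bit)}

def opendomain_masks(log_text):
    """Map smbd pid -> access_mask of its last samr_OpenDomain request."""
    masks, pid, in_open = {}, None, False
    for line in log_text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:                      # a new record ends any open dump
            pid, in_open = int(header.group(1)), False
        elif line.startswith("samr_OpenDomain:"):
            in_open = True
        elif in_open and pid is not None and MASK.search(line):
            masks[pid] = int(MASK.search(line).group(1), 16)
            in_open = False
    return masks

def missing_rights(working, failing):
    """Flags requested with the working mask but absent from the failing one."""
    return sorted(decode_mask(working) - decode_mask(failing))

if __name__ == "__main__":
    m = opendomain_masks(SAMPLE_LOG)
    print(missing_rights(m[20151], m[4553]))
```
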