LinuxQuestions.org
12-08-2005, 12:58 AM   #1
qtac
LQ Newbie
 
Registered: Dec 2005
Posts: 4

Rep: Reputation: 0
Strange problem with local permissions on WinXP using a Samba PDC with LDAP backend


Hi all,

I've an unusual problem on my local network. Several internal users whose accounts have been created recently cannot access SSL websites.

A quick explanation of the setup would be useful:
- Windows XP Pro Workstations
- Debian Linux Samba Domain controller with an OpenLDAP backend
- Several different custom groups controlling network file access
- All client machines are identical in hardware and software

When logged in as one of the affected users, Internet Explorer prints a standard "Cannot find server or DNS error" message when one tries to visit ANY SSL website, whether it be local or external.
However, if that user is added to the "Domain Admins" group in LDAP, everything works fine! This rules out any proxy/networking problems.

I've created a new user on the domain, using the default profile and in the default group, to work with in testing. I've logged this user onto many machines but to no avail. If I add this user to all other internal groups, it still doesn't have access to SSL.

After much testing, I've derived that the cause of the problem is that the user has restricted access to the local hard drive. IE can't save/read certificates and SSL doesn't work.
This is reinforced by two tests:
1. If I install Firefox, using exactly the same proxy settings as IE, everything works fine. (stores files elsewhere)
2. I can't view any certificates locally, but I can as a 'privileged' user (It seems I can't post a link to another site yet, for a screenshot go to office dot blits dot com dot au slash cert.jpg)

This has me scun as there are other users on the system who have EXACTLY the same group memberships but can access SSL sites fine.

I realise that this is a sore topic as it has so much to do with Windows, except I don't seem to be getting any support from the Microsoft world because I'm using Linux to drive things.
Any input would be greatly appreciated!

Thanks in advance
 
12-11-2005, 11:51 PM   #2
qtac
LQ Newbie
 
Registered: Dec 2005
Posts: 4

Original Poster
Rep: Reputation: 0
I figured I might reply to my own post with the solution.

My problem was an invalid security descriptor on the user's registry file (ntuser.dat).
Upon login, the user's registry was loaded, but they couldn't access parts of it, causing various things to fail.

The problem was rectified using SetACL (on sf.net) over the network using the following command on a machine with admin access to the workstation...
SetACL.exe -on "\\machine_name\users\S-1-5-21-4132040453-3518729020-110902423-8162" -ot reg -actn ace -ace "n:DOMAIN.COM\username;p:full"

The long string being the SID of the user, obtained from the LDAP database.

I really hope this helps someone in the future as I've spent weeks trying to work this out!!!

Now I'm onto the task of making a better default_profile as the cause of this was that the default_profile has existing security descriptors referring to a non-existent user.
I'll post my findings.

Last edited by qtac; 12-11-2005 at 11:54 PM.
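
The fault described in post #2 (a profile hive whose ACL names a deleted account and not the user who loads it) can be checked from the key's security descriptor in SDDL form. The following is an added example, not code from the thread: the SIDs and SDDL strings are constructed, the function names are hypothetical, and it only looks at ACEs that name the user directly, not access inherited through group membership.

```python
import re

# Constructed sample values (not taken from the thread).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
USER_SID = DOMAIN + "-3001"    # account that logs on with this profile
STALE_SID = DOMAIN + "-1001"   # account the template was made with, since deleted
# Hive root copied from the template: no ACE for the new user.
BROKEN = "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KA;;;%s)" % STALE_SID
# Same descriptor after a full-control ACE for the user is added.
REPAIRED = BROKEN + "(A;CI;KA;;;%s)" % USER_SID

DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")


def parse_dacl(sddl):
    """Return (type, flags, rights, trustee) for each ACE in the DACL only."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) >= 6:  # type;flags;rights;object;inherit_object;trustee
            aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def is_full_control(rights):
    # KA = KEY_ALL_ACCESS, GA = GENERIC_ALL, 0xf003f = KEY_ALL_ACCESS as a mask
    return rights in ("KA", "GA") or rights.lower() == "0xf003f"


def audit_hive(sddl, user_sid, known_sids):
    """Check one hive root: can its owner use it, and are there dead trustees?"""
    aces = parse_dacl(sddl)
    allowed = any(t == "A" and who == user_sid and is_full_control(r)
                  for t, _f, r, who in aces)
    denied = any(t == "D" and who == user_sid for t, _f, _r, who in aces)
    orphans = sorted({who for _t, _f, _r, who in aces
                      if who.startswith("S-1-5-21-") and who not in known_sids})
    return {"user_full_control": allowed and not denied, "orphaned_sids": orphans}


if __name__ == "__main__":
    for name, sddl in (("broken", BROKEN), ("repaired", REPAIRED)):
        print(name, audit_hive(sddl, USER_SID, {USER_SID}))
```

In the constructed "repaired" case the user gains full control but the stale SID is still reported, which is why cleaning the template profile itself remains a separate task.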
 
09-08-2009, 11:33 PM   #3
kashifazizawan
Member
 
Registered: Aug 2008
Location: Abbottabad, Pakistan
Distribution: CentOS
Posts: 40
Blog Entries: 13

Rep: Reputation: 15
Thanks, dear!!
I was facing a problem like that...
 
  

