Marc,

Below xxx.yyy. is my network prefix.

[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    server string = Server %v
    security = ADS
    client signing = auto
    client use spnego = yes
    kerberos method = secrets and keytab
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 50
    load printers = No
    printcap name = /dev/null
    idmap config * : backend = tdb
    hosts allow = 127., xxx.yyy.
    cups options = raw
    vfs objects = acl_xattr
    inherit acls = Yes
    map acl inherit = Yes
    store dos attributes = Yes
    browseable = Yes

Some trials below. getent for the group succeeds and mostly everything is running fine. I can even log in with domain accounts and set file permissions that include domain groups and accounts, and with valid file rights MS terminals can see shares on this server. But giving this privilege fails with somewhat random results.

[me@server]$ getent group "DOMAIN\Domain Admins"
domain admins:*:978600512:me.user,administrator

[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
Enter DOMAIN\Administrator's password:
Could not connect to server server
Connection failed: NT_STATUS_LOCK_NOT_GRANTED

[me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

[me@server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
[sudo] password for me:
Enter DOMAIN\Administrator's password:
Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)

-Tom

On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> Hello Tom,
>
> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>
>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>> Enter DOMAIN\Administrator's password:
>> Could not connect to server 127.0.0.1
>
> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>   # getent group "DOMAIN\Domain Admins"
>
> * Is Samba listening on localhost? Check the "interfaces" parameter
>   in your smb.conf. Or add "-S servername" to your "net" command.
>
> * Can you post the [global] section of your smb.conf, please?
>
> Regards,
> Marc

Hi Tom,

have a look at this:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

I think this could resolve your problem by using a username mapping on your member server.

Regards
Tim

On 24 March 2015 18:34:12 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
> Marc,
>
> Below xxx.yyy. is my network prefix.
>
> [global]
>     workgroup = DOMAIN
>     realm = DOMAIN.LOCAL
>     server string = Server %v
>     security = ADS
>     client signing = auto
>     client use spnego = yes
>     kerberos method = secrets and keytab
>     log file = /var/log/samba/log.%m
>     log level = 3
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     idmap config * : backend = tdb
>     hosts allow = 127., xxx.yyy.
>     cups options = raw
>     vfs objects = acl_xattr
>     inherit acls = Yes
>     map acl inherit = Yes
>     store dos attributes = Yes
>     browseable = Yes
>
> Some trials below. getent for the group succeeds and mostly everything is
> running fine. I can even log in with domain accounts and set file
> permissions that include domain groups and accounts, and with valid file
> rights MS terminals can see shares on this server. But giving this
> privilege fails with somewhat random results.
>
> [me@server]$ getent group "DOMAIN\Domain Admins"
> domain admins:*:978600512:me.user,administrator
>
> [me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
> Enter DOMAIN\Administrator's password:
> Could not connect to server server
> Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>
> [me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
> Enter DOMAIN\Administrator's password:
> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>
> [me@server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
> [sudo] password for me:
> Enter DOMAIN\Administrator's password:
> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>
> -Tom
>
> On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>
>> Hello Tom,
>>
>> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>>
>>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>> Enter DOMAIN\Administrator's password:
>>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>>
>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>> Enter DOMAIN\Administrator's password:
>>> Could not connect to server 127.0.0.1
>>
>> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>>   # getent group "DOMAIN\Domain Admins"
>>
>> * Is Samba listening on localhost? Check the "interfaces" parameter
>>   in your smb.conf. Or add "-S servername" to your "net" command.
>>
>> * Can you post the [global] section of your smb.conf, please?
>>
>> Regards,
>> Marc

Tim,

Thanks for the hint. Usermap for root applied, locally made requests now fail systematically with

    Could not connect to server <server address>
    Connection failed: NT_STATUS_LOCK_NOT_GRANTED

It is kind of an improvement :) Random things scare me.

-Tom

On Tue, Mar 24, 2015 at 7:40 PM, Tim <lists at kiuni.de> wrote:
> Hi Tom,
>
> have a look at this:
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
>
> I think this could resolve your problem by using a username mapping on
> your member server.
>
> Regards
> Tim
>
> On 24 March 2015 18:34:12 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
>
>> Marc,
>>
>> Below xxx.yyy. is my network prefix.
>>
>> [global]
>>     workgroup = DOMAIN
>>     realm = DOMAIN.LOCAL
>>     server string = Server %v
>>     security = ADS
>>     client signing = auto
>>     client use spnego = yes
>>     kerberos method = secrets and keytab
>>     log file = /var/log/samba/log.%m
>>     log level = 3
>>     max log size = 50
>>     load printers = No
>>     printcap name = /dev/null
>>     idmap config * : backend = tdb
>>     hosts allow = 127., xxx.yyy.
>>     cups options = raw
>>     vfs objects = acl_xattr
>>     inherit acls = Yes
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>     browseable = Yes
>>
>> Some trials below. getent for the group succeeds and mostly everything is
>> running fine. I can even log in with domain accounts and set file
>> permissions that include domain groups and accounts, and with valid file
>> rights MS terminals can see shares on this server. But giving this
>> privilege fails with somewhat random results.
>>
>> [me@server]$ getent group "DOMAIN\Domain Admins"
>> domain admins:*:978600512:me.user,administrator
>>
>> [me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
>> Enter DOMAIN\Administrator's password:
>> Could not connect to server server
>> Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>>
>> [me@server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> [me@server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>> [sudo] password for me:
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> -Tom
>>
>> On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>>
>>> Hello Tom,
>>>
>>> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>>>
>>>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>>> Enter DOMAIN\Administrator's password:
>>>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>>>
>>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>>> Enter DOMAIN\Administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>
>>> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>>>   # getent group "DOMAIN\Domain Admins"
>>>
>>> * Is Samba listening on localhost? Check the "interfaces" parameter
>>>   in your smb.conf. Or add "-S servername" to your "net" command.
>>>
>>> * Can you post the [global] section of your smb.conf, please?
>>>
>>> Regards,
>>> Marc