On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
> so tell us what are your errors?
>
> It's hard to help without them.
> Please post your smb.conf ( sanitized ) and your resolv.conf and hosts file.
> and..
> you can try the command :
> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn
>
> greetz,
>
> Louis

I am getting the error listed here: https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:

# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
Enter SAMDOM\administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

resolv.conf is automatically filled by Network Manager here (which gets the settings from the DHCP server, which is the DC in my case)
hosts has no entries besides the localhost defaults for 'lo'
hostname returns the fqdn
DNS resolution and ntp sync are perfectly fine. Domain users can log on, and get homes. (I don't care about that too much, but it's nice to see it working.)

This is the testparm dump, with '#' comments:

[global]
    realm = MYDOMAIN.LOCAL # here is the actual realm value
    server string = Samba Server Version %v
    security = ADS
    username map = /etc/samba/user.map
    kerberos method = system keytab
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = No
    printcap name = /dev/null
    idmap config * : backend = tdb
    map acl inherit = Yes
    cups options = raw
    vfs objects = acl_xattr

[Acls] # this is my test share
    path = /srv/samba/acls/
    read only = No

Looking at these, it comes to my attention that there is no idmap on that machine (I mean, not as a daemon, not as a command). Could that be part of the problem?
In the -S option above, does servername.fqdn refer to the DC or to the local machine?
Also, was puzzled if the PW to enter is the root PW or the Domain Admin PW. I tried both, always.

Best,
Sebastian

On 29/04/15 13:10, Sebastian Gabler wrote:
> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>> so tell us what are your errors?
>>
>> It's hard to help without them.
>> Please post your smb.conf ( sanitized ) and your resolv.conf and
>> hosts file.
>> and..
>> you can try the command :
>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>> -U'SAMDOM\administrator' -S servername.fqdn
>>
>> greetz,
>>
>> Louis
> I am getting the error listed here:
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
> -U'SAMDOM\administrator'
> Enter SAMDOM\administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> resolv.conf is automatically filled by Network Manager here (which
> gets the settings from the DHCP server, which is the DC in my case)

Yes, but what is in resolv.conf ?? Unless it contains something like this:

search <your AD dns domain>
nameserver <your AD DCs ipaddress>

it will probably never work.

> hosts has no entries besides the localhost defaults for 'lo'

Are you running your fileserver as a DHCP client ?

>
> hostname returns the fqdn
> DNS resolution and ntp sync are perfectly
> fine. Domain users can log on, and get homes. (I don't care about that
> too much, but it's nice to see it working.)
>
> This is the testparm dump, with '#' comments:
>
> [global]
>     realm = MYDOMAIN.LOCAL # here is the actual realm value
>     server string = Samba Server Version %v
>     security = ADS
>     username map = /etc/samba/user.map
>     kerberos method = system keytab
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     cups options = raw
>     vfs objects = acl_xattr
>
> [Acls] # this is my test share
>     path = /srv/samba/acls/
>     read only = No
> Looking at these, it comes to my attention that there is no idmap on
> that machine (I mean, not as a daemon, not as a command). Could that
> be part of the problem?
> in the -S option above, does servername.fqdn refer to the DC or to the
> local machine?
> Also, was puzzled if the PW to enter is the root PW or the Domain
> Admin PW. I tried both, always.
>

For the -S option, use the AD DC name, or you could use -I <AD DC ipaddress>

Rowland

> Best,
> Sebastian

There is something to add. Listing existing rights (any rights that is, thus using the current, root, user) fails with the same problem:

# net rpc rights list
Enter root's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I conclude from this that net cannot authenticate at all for this purpose, and the first step would be to solve that. The question is: How?

Br

Sebastian

On 29.04.2015 at 14:10, Sebastian Gabler wrote:
> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>> so tell us what are your errors?
>>
>> It's hard to help without them.
>> Please post your smb.conf ( sanitized ) and your resolv.conf and
>> hosts file.
>> and..
>> you can try the command :
>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>> -U'SAMDOM\administrator' -S servername.fqdn
>>
>> greetz,
>>
>> Louis
> I am getting the error listed here:
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
> -U'SAMDOM\administrator'
> Enter SAMDOM\administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> resolv.conf is automatically filled by Network Manager here (which
> gets the settings from the DHCP server, which is the DC in my case)
> hosts has no entries besides the localhost defaults for 'lo'
> hostname returns the fqdn
> DNS resolution and ntp sync are perfectly
> fine. Domain users can log on, and get homes. (I don't care about that
> too much, but it's nice to see it working.)
>
> This is the testparm dump, with '#' comments:
>
> [global]
>     realm = MYDOMAIN.LOCAL # here is the actual realm value
>     server string = Samba Server Version %v
>     security = ADS
>     username map = /etc/samba/user.map
>     kerberos method = system keytab
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /dev/null
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     cups options = raw
>     vfs objects = acl_xattr
>
> [Acls] # this is my test share
>     path = /srv/samba/acls/
>     read only = No
> Looking at these, it comes to my attention that there is no idmap on
> that machine (I mean, not as a daemon, not as a command). Could that
> be part of the problem?
> in the -S option above, does servername.fqdn refer to the DC or to the
> local machine?
> Also, was puzzled if the PW to enter is the root PW or the Domain
> Admin PW. I tried both, always.
>
> Best,
> Sebastian

On 30/04/15 09:05, Sebastian Gabler wrote:
> There is something to add. Listing existing rights (any rights that
> is, thus using the current, root, user) fails with the same problem:
>
> # net rpc rights list
> Enter root's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I conclude from this that net cannot authenticate at all for this purpose,
> and the first step would be to solve that. The question is: How?
>
> Br
>
> Sebastian
>
> On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>> so tell us what are your errors?
>>>
>>> It's hard to help without them.
>>> Please post your smb.conf ( sanitized ) and your resolv.conf and
>>> hosts file.
>>> and..
>>> you can try the command :
>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>>> -U'SAMDOM\administrator' -S servername.fqdn
>>>
>>> greetz,
>>>
>>> Louis
>> I am getting the error listed here:
>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>
>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>> -U'SAMDOM\administrator'
>> Enter SAMDOM\administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> resolv.conf is automatically filled by Network Manager here (which
>> gets the settings from the DHCP server, which is the DC in my case)
>> hosts has no entries besides the localhost defaults for 'lo'
>> hostname returns the fqdn
>> DNS resolution and ntp sync are perfectly
>> fine. Domain users can log on, and get homes. (I don't care about
>> that too much, but it's nice to see it working.)
>>
>> This is the testparm dump, with '#' comments:
>>
>> [global]
>>     realm = MYDOMAIN.LOCAL # here is the actual realm value
>>     server string = Samba Server Version %v
>>     security = ADS
>>     username map = /etc/samba/user.map
>>     kerberos method = system keytab
>>     log file = /var/log/samba/log.%m
>>     max log size = 50
>>     load printers = No
>>     printcap name = /dev/null
>>     idmap config * : backend = tdb
>>     map acl inherit = Yes
>>     cups options = raw
>>     vfs objects = acl_xattr
>>
>> [Acls] # this is my test share
>>     path = /srv/samba/acls/
>>     read only = No
>> Looking at these, it comes to my attention that there is no idmap on
>> that machine (I mean, not as a daemon, not as a command). Could that
>> be part of the problem?
>> in the -S option above, does servername.fqdn refer to the DC or to
>> the local machine?
>> Also, was puzzled if the PW to enter is the root PW or the Domain
>> Admin PW. I tried both, always.
>>
>> Best,
>> Sebastian
>

You need to map root to Administrator, add this line to smb.conf:

username map = /etc/samba/user.map

Then create the map file, it is just one line:

!root = EXAMPLE\Administrator Administrator administrator

Change 'EXAMPLE' for your workgroup name.

Rowland

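The items the replies in this thread ask about (a search/nameserver pair in resolv.conf, and a username map file that maps root) can be checked in one pass. The script below is an added example, not part of any message in the thread; the function names are hypothetical, the file paths and AD DNS domain are passed as arguments, and the check that the map file is not group- or world-writable is an assumption added here.

```bash
#!/bin/sh
# Added example: preflight for the points raised in this thread.
# Function names are hypothetical; paths and the AD DNS domain are arguments.

# resolv_ok FILE DOMAIN: a search/domain line names DOMAIN and a nameserver is set.
resolv_ok() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == d) s = 1 }
        $1 == "nameserver" && NF >= 2 { n = 1 }
        END { exit !(s && n) }' "$1"
}

# map_path SMBCONF: print the "username map" value from [global], if any.
map_path() {
    awk -F= '
        /^[ \t]*\[/ { g = (tolower($0) ~ /\[global\]/) }
        g && tolower($1) ~ /^[ \t]*username[ \t]+map[ \t]*$/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# root_mapped MAPFILE: some line has root (optionally "!root") on the left side.
root_mapped() {
    grep -Eq '^[[:space:]]*!?root[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# map_locked MAPFILE: assumption added here, the map decides which Unix account
# a client name becomes, so it should not be group- or world-writable.
map_locked() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# preflight SMBCONF RESOLVCONF DOMAIN: print findings, return the failure count.
preflight() {
    fails=0
    resolv_ok "$2" "$3" || { echo "$2: no search $3 plus nameserver"; fails=$((fails + 1)); }
    m=$(map_path "$1")
    if [ -z "$m" ] || [ ! -f "$m" ]; then
        echo "$1: username map unset or file missing"; fails=$((fails + 1))
    else
        root_mapped "$m" || { echo "$m: no root mapping"; fails=$((fails + 1)); }
        map_locked "$m" || { echo "$m: group/world writable"; fails=$((fails + 1)); }
    fi
    return "$fails"
}
```

On a member server this would be called as preflight /etc/samba/smb.conf /etc/resolv.conf followed by the AD DNS domain; a return status of 0 means every check passed.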
Did you adjust your smb.conf already, so can you post your smb.conf again.
and content of /etc/samba/user.map

Greetz,

Louis

>-----Original message-----
>From: sequoiamobil at gmx.net
>[mailto:samba-bounces at lists.samba.org] On behalf of Sebastian Gabler
>Sent: Thursday, 30 April 2015 10:06
>To: samba at lists.samba.org
>Subject: Re: [Samba] realmd and net rpc privileges
>
>There is something to add. Listing existing rights (any rights that is,
>thus using the current, root, user) fails with the same problem:
>
># net rpc rights list
>Enter root's password:
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>I conclude from this that net cannot authenticate at all for this purpose, and
>the first step would be to solve that. The question is: How?
>
>Br
>
>Sebastian
>
>On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>> so tell us what are your errors?
>>>
>>> It's hard to help without them.
>>> Please post your smb.conf ( sanitized ) and your resolv.conf and
>>> hosts file.
>>> and..
>>> you can try the command :
>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>>> -U'SAMDOM\administrator' -S servername.fqdn
>>>
>>> greetz,
>>>
>>> Louis
>> I am getting the error listed here:
>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>
>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>> -U'SAMDOM\administrator'
>> Enter SAMDOM\administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> resolv.conf is automatically filled by Network Manager here (which
>> gets the settings from the DHCP server, which is the DC in my case)
>> hosts has no entries besides the localhost defaults for 'lo'
>> hostname returns the fqdn
>> DNS resolution and ntp sync are perfectly
>> fine. Domain users can log on, and get homes. (I don't care about that
>> too much, but it's nice to see it working.)
>>
>> This is the testparm dump, with '#' comments:
>>
>> [global]
>>     realm = MYDOMAIN.LOCAL # here is the actual realm value
>>     server string = Samba Server Version %v
>>     security = ADS
>>     username map = /etc/samba/user.map
>>     kerberos method = system keytab
>>     log file = /var/log/samba/log.%m
>>     max log size = 50
>>     load printers = No
>>     printcap name = /dev/null
>>     idmap config * : backend = tdb
>>     map acl inherit = Yes
>>     cups options = raw
>>     vfs objects = acl_xattr
>>
>> [Acls] # this is my test share
>>     path = /srv/samba/acls/
>>     read only = No
>> Looking at these, it comes to my attention that there is no idmap on
>> that machine (I mean, not as a daemon, not as a command). Could that
>> be part of the problem?
>> in the -S option above, does servername.fqdn refer to the DC or to the
>> local machine?
>> Also, was puzzled if the PW to enter is the root PW or the Domain
>> Admin PW. I tried both, always.
>>
>> Best,
>> Sebastian