On Thu, 01 Jun 2017 14:55:40 +0200
Supporter via samba <samba at lists.samba.org> wrote:
>> Hello All,
>> 
>> I have a big problem. I don't know how I can resolve it.
>> 
>> Design:
>> 
>> |server Samba AD 4.6.2|    <----------    | Samba File Server v4.6.2/v4.6.4 |  <---------  | Windows 7 client |
>> 
>> 
>> -----------------------
>> On Windows & client:
>> 
>>   User can open files in share.
>>   Problem is when he wants to change privileges (Properties>Security>Edit>Add).
>>   "Application can't open required window...".
>>   Next windows: "The user selection dialog can not be displayed. RPC Server is unavailable.".
>> 
>> 
>> -----------------------
>> On Samba File Server:
>> 
>> - server is connected to domain:
>> net ads testjoin -k
>> Join is OK
>> - wbinfo -i  (shows users correctly),
>> - wbinfo -g  (shows groups correctly),
>> - users have access to files on share,
>> - files/directories have right privileges
>> 
>> getfacl example_dir
>> # file: example_dir
>> # owner: xxx
>> # group: xxy
>> user::rwx
>> user:root:rwx
>> user:50000:rwx
>> user:50002:rwx
>> user:51151:rwx
>> user:58522:rwx
>> group::---
>> group:50000:rwx
>> group:50002:rwx
>> group:50068:rwx
>> group:58522:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:50000:rwx
>> default:user:50002:rwx
>> default:user:51151:rwx
>> default:user:58522:rwx
>> default:group::---
>> default:group:50000:rwx
>> default:group:50002:rwx
>> default:group:50068:rwx
>> default:group:58522:rwx
>> default:mask::rwx
>> default:other::---
>> 
>> 
> 
> It looks like either /etc/nsswitch.conf or libnss_winbind isn't set up
> correctly, or possibly both.
> You should get names not numbers.
> 
This is my nsswitch file:
passwd:         files ldap compat winbind
group:          files ldap compat winbind
shadow:         files ldap compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
When I use wbinfo I see names and groups.
wbinfo -u
XYZ\user1
XYZ\user2
XYZ\user3
XYZ\user4
...
wbinfo -g
XYZ\group1
XYZ\group2
...
>> 
>> config samba file share:
>> [global]
>>          workgroup = XYZ
>>          server string = %h server (Samba)
>>          realm = XYZ.LOCAL
>> 
>>          password server = pdc.xyz.local
> 
> I suggest you remove the 'password server' line.
> 
OK, I removed it.
> 
>>          idmap config * : range = 50000-60000
>>          idmap config * : backend = tdb
>>          idmap config XYZ : range = 50000-60000
>>          idmap config XYZ : backend = rid
> 
> The ranges shouldn't overlap
> 
>> 
>>          idmap config * : unix_primary_group = yes
> 
> I think you can only use the above line with the 'ad' backend.
When I set the backend to 'ad' I can't start winbindd.
Output: "main: FATAL: Invalid idmap backend ad configured as the default backend!"
> 
> Rowland
> 
Best regards,
Supporter 3eb
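
Added example, not part of the original thread and not Samba project code: a small check for the two idmap problems raised above, the overlapping `*` and `XYZ` ranges and `ad` set as the default backend. The sample config is constructed from the lines quoted in the thread; the 3000-7999 range in the corrected variant and the function names are assumptions.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines of the smb.conf quoted in the thread.
THREAD_CONF = """\
[global]
    workgroup = XYZ
    idmap config * : range = 50000-60000
    idmap config * : backend = tdb
    idmap config XYZ : range = 50000-60000
    idmap config XYZ : backend = rid
    idmap config * : unix_primary_group = yes
"""

# Hypothetical corrected layout; 3000-7999 is an assumed value, any range
# that stays clear of the XYZ range would do.
FIXED_CONF = THREAD_CONF.replace(
    "idmap config * : range = 50000-60000",
    "idmap config * : range = 3000-7999")

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def check_idmap(conf_text):
    """List findings: 'ad' as the default backend, and overlapping ranges."""
    findings, ranges = [], []
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        if dom == "*" and opts.get("backend", "").lower() == "ad":
            findings.append("default (*) backend is 'ad': winbindd will not start")
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges.append((low, high, dom))
    for (l1, h1, d1), (l2, h2, d2) in combinations(ranges, 2):
        if l1 <= h2 and l2 <= h1:  # closed intervals share at least one ID
            findings.append(f"ranges overlap: {d1} {l1}-{h1} and {d2} {l2}-{h2}")
    return findings
```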