L.P.H. van Belle
2020-Jul-13 14:55 UTC
[Samba] net rpc rights grant fail to connect 127.0.0.1
Ok, I'm a bit confused, sorry.
When I look at the below output, then I see there are multiple things suspected to go wrong here.

For example this is a mismatch, especially hostname -i & -I; these should be the same or -I should show both.

Now, if this is the member I would have expected something like this.

/etc/hosts
127.0.0.1 localhost
10.1.1.16       E-PLANO.ad.mydomain.br e-plano

/etc/resolv.conf
search AD.MYDOMAIN.BR
nameserver 10.1.1.21

for the AD-DC
For the member

/etc/hosts
127.0.0.1 localhost
10.1.1.21       some-DCnameHere.ad.mydomain.br some-DCnameHere

/etc/resolv.conf
search AD.MYDOMAIN.BR
nameserver 10.1.1.21
nameserver 200.xx.x.x.xx
nameserver 8.8.8.8
and in samba smb.conf a forwarder to the internet if internal DNS is used.

My advice: if this is a fresh domain, verify your AD-DC first.
I suspect there is more not correct.
Debugging this and having 2 servers with possible faulty settings is a hard cookie.

Sorry I'm the bad news bringer.

Greetz,

Louis

From: Douglas G. Oechsler [mailto:doguibnu at gmail.com]
Sent: Monday 13 July 2020 16:29
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] net rpc rights grant fail to connect 127.0.0.1

Hello LPH

On Mon, 13 Jul 2020 at 09:50, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

(Ah, just finished my message and Rowland also posted. Well, see this as extra info)

This "should" not be needed.

Run this:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
bash samba-check-SePrivileges.sh
And you see all default settings.

the answer:
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Could not connect to server E-PLANO.ad.mydomain.br
Other credential caches present, use -A to destroy all

And you should see: (everywhere) but I picked SeDiskOperatorPrivilege as example
SeDiskOperatorPrivilege:
  BUILTIN\Administrators

"DOMAIN\Domain Admins" is by default a member of "BUILTIN\Administrators"

So I'm wondering why you need "SAMDOM\Unix Admins" to SeDiskOperatorPrivilege
when you can add "SAMDOM\Unix Admins" to the windows group "DOMAIN\Domain Admins"?
With the same result in the end. Unix admin having rights like "dom admins"

Yes, you are right about observation. I am only following the samba wiki

So can you explain it a bit why you want to set it? There might also be a good reason to.
But I don't know if that's the case.

You told all

Also, to the source of this.
"could not connect to server 127.0.0.1 connection failed: NT_STATUS_CONNECTION_REFUSED"

I see you're running the AD-DC as fileserver. Then you can't use the "net" command.

NO! I am trying to do the command from Member AD and after it will be AD file server

Is the command on the AD-DC server side?

Can you post the output of:

From Member AD

/etc/hosts
127.0.0.1 localhost
10.1.1.21       E-PLANO.ad.mydomain.br e-plano
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback
fe00::0         ipv6-localnet
ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts

/etc/resolv.conf
search AD.MYDOMAIN.BR
nameserver 10.1.1.21
nameserver 200.X.X.X

/etc/krb5.conf
[libdefaults]
default_realm = AD.MYDOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true

/etc/nsswitch.conf
#passwd: compat winbind
passwd: files winbind
#group: compat winbind
group: files winbind
shadow: compat
#hosts: files mdns_minimal [NOTFOUND=return] dns
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files

/etc/idmapd.conf (if exists)
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:ad:ab:9c brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.16/24 brd 10.1.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::542f:faae:915d:db4c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

hostname -f
E-PLANO.ad.mydomain.br
hostname -d
ad.mydomain.br
hostname -s
e-plano
hostname -i
10.1.1.21
hostname -I
10.1.1.16

And of course the smb.conf

# Global parameters
[global]
    bind interfaces only = Yes
    dedicated keytab file = /etc/krb5.keytab
    interfaces = lo eth0
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    realm = AD.MYDOMAIN.BR
    security = ADS
    template homedir = /home/%U
    template shell = /bin/bash
    username map = /etc/samba/etc/user.map
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MYDOMAIN
    idmap config mydomain:unix_primary_group = yes
    idmap config mydomain:unix_nss_info = yes
    idmap config mydomain:range = 10000-999999
    idmap config mydomain:schema_mode = rfc2307
    idmap config mydomain:backend = ad
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    map acl inherit = Yes
    vfs objects = acl_xattr

[eplano]
    path = /srv/eplano
    read only = No

Last, the IP numbers of your AD-DC, if I was wrong in my assumption above that this is the AD-DC.

That should give us all we need to know.

Greetz,

Louis

Thanks attention

Douglas

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Douglas G. Oechsler via samba
> Sent: Monday 13 July 2020 14:13
> To: samba at lists.samba.org
> Subject: [Samba] net rpc rights grant fail to connect 127.0.0.1
>
> Hello!
>
> I am trying to do the command:
> *net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"*
> *could not connect to server 127.0.0.1*
> *connection failed: NT_STATUS_CONNECTION_REFUSED*
>
> All steps from original samba wiki. The distro is Opensuse 15.1 64 bits, on Oracle VM, static IP.
> I did read several blogs, docs, samba mailing list. Trying many configurations to solve or connect AD-DC.
>
> *some steps: ad-dc*
> in smb.conf:
> bind interfaces only = yes
> interfaces = lo eth0
> dns forwarder = IP-AD-DC DNS
>
> after command *systemctl status samba-ad-dc*
>
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800684,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800882,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 56, in <module>
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800934,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate: import dns.resolver
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800972,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate: ModuleNotFoundError: No module named 'dns'
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.818318,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
> jul 13 08:58:09 dclinux samba[2146]:   *dnsupdate_nameupdate_done: Failed DNS update with exit code 1*
>
> I am lost and do not know what to do.
>
> Please, someone can help me?
>
> Thanks so much
>
> Douglas
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Douglas Giovani Oechsler
e-mail: doguibnu at gmail.com
Prudentópolis - PR
Rowland penny
2020-Jul-13 15:17 UTC
[Samba] net rpc rights grant fail to connect 127.0.0.1
On 13/07/2020 15:55, L.P.H. van Belle via samba wrote:
> Ok, I'm a bit confused, sorry.
> When I look at the below output, then I see there are multiple things suspected to go wrong here.
>
> For example this is a mismatch, especially hostname -i & -I; these should be the same or -I should show both.
>
> Now, if this is the member I would have expected something like this.
>
> /etc/hosts
>
> 127.0.0.1 localhost
> 10.1.1.16       E-PLANO.ad.mydomain.br e-plano

Yep, that is where the IP error is coming from.

Rowland
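The mismatch confirmed above (hostname -i giving 10.1.1.21 while the member's interface holds 10.1.1.16) comes from the hosts-file entry for the machine's own FQDN. The check below is an added example, not part of the original posts; the function names and temporary sample files are hypothetical, and the sample data is constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example: does the hosts file map this machine's FQDN to an
# address the machine actually owns? Function names are hypothetical.

# Print the first address a hosts file maps NAME to (case-insensitive).
hosts_ip_for() {            # usage: hosts_ip_for HOSTS_FILE NAME
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 { next }                     # skip blank or short lines
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == want) { print $1; exit } }
    ' "$1"
}

# 0 = NAME maps to one of LOCAL_IPS, 1 = maps elsewhere, 2 = no entry.
check_host_mapping() {      # usage: check_host_mapping FILE NAME "IP1 IP2"
    mapped=$(hosts_ip_for "$1" "$2")
    if [ -z "$mapped" ]; then
        echo "no entry for $2 in $1"; return 2
    fi
    for ip in $3; do
        if [ "$ip" = "$mapped" ]; then
            echo "ok: $2 -> $mapped"; return 0
        fi
    done
    echo "mismatch: $2 -> $mapped, but local addresses are: $3"
    return 1
}

# Constructed sample data, using the values posted in the thread.
sample_dir=$(mktemp -d)
posted_hosts="$sample_dir/hosts.posted"   # member's file as posted
fixed_hosts="$sample_dir/hosts.fixed"     # with the member's own address
printf '%s\n' '127.0.0.1 localhost' \
    '10.1.1.21   E-PLANO.ad.mydomain.br e-plano' > "$posted_hosts"
printf '%s\n' '127.0.0.1 localhost' \
    '10.1.1.16   E-PLANO.ad.mydomain.br e-plano' > "$fixed_hosts"

check_host_mapping "$posted_hosts" E-PLANO.ad.mydomain.br "10.1.1.16" || true
check_host_mapping "$fixed_hosts"  E-PLANO.ad.mydomain.br "10.1.1.16" || true

# On a live member:
#   check_host_mapping /etc/hosts "$(hostname -f)" "$(hostname -I)"
```

hostname -I lists the addresses configured on the interfaces, while hostname -i resolves the host name, which is why a wrong hosts entry makes the two disagree.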
Douglas G. Oechsler
2020-Jul-13 17:18 UTC
[Samba] net rpc rights grant fail to connect 127.0.0.1
Hello!

Ok! I switch the IP inside Member AD

> 127.0.0.1 localhost
> *10.1.1.16* E-PLANO.ad.mydomain.br e-plano

Only to clarify
10.1.1.16 - AD Member - File server
10.1.1.21 - Only AD-DC

But, sorry! Follow the wiki
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

The command:

# net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:

To grant rights, need to do it on the ad-dc side directly?

Thank you

On Mon, 13 Jul 2020 at 12:17, Rowland penny via samba <samba at lists.samba.org> wrote:

> > Now, if this is the member I would have expected something like this.
> >
> > /etc/hosts
> >
> > 127.0.0.1 localhost
> > 10.1.1.16 E-PLANO.ad.mydomain.br e-plano
> Yep, that is where the IP error is coming from.
>
> Rowland

--
*Douglas Giovani Oechsler*
e-mail: doguibnu at gmail.com <douglasgiovani at oechsler.com.br>
*Prudentópolis - PR*
Douglas G. Oechsler
2020-Jul-14 13:08 UTC
[Samba] net rpc rights grant fail to connect 127.0.0.1
Hello Friends!

I start from zero again to configure ad-dc and ad member file server.

In ad-dc way seems all working well.

In *ad member file server* maybe I did wrong configuration.
Checking now, I add symbolic link of *libnss_winbind*. But, symbolic link it is only for Samba compiled. I did not compile samba, I use the samba package from distro.

Can be this affecting the command: *net rpc right?*

Or, is this stupid thinking?

We use Pfsense here, but, checking until now, it does not block some services ad-dc ports.

Thanks attention and help

Douglas

On Mon, 13 Jul 2020 at 12:17, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 13/07/2020 15:55, L.P.H. van Belle via samba wrote:
> > Ok, I'm a bit confused, sorry.
> > When I look at the below output, then I see there are multiple things suspected to go wrong here.
> >
> > For example this is a mismatch, especially hostname -i & -I; these should be the same or -I should show both.
> >
> > Now, if this is the member I would have expected something like this.
> >
> > /etc/hosts
> >
> > 127.0.0.1 localhost
> > 10.1.1.16 E-PLANO.ad.mydomain.br e-plano
> Yep, that is where the IP error is coming from.
>
> Rowland