Johnson, Eric
2014-Jul-04 11:17 UTC
[Samba] "net rpc rights" commands. Connection always fails
Windows 2012 R2 domain at highest level and one rhel6.5 samba server(3.6)

Been throwing everything at this for the last few days. I can join to the domain and create ACL enabled shares but this one command I am struggling with.

$ net rpc rights grant 'BES\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT code 0xc0000418
$

Typing nonsense into the username and password gives the same result.

Perhaps a hint is when I (foolishly) did
net rpc -S DOMAIN_CONTROLLER rights grant 'BES\user2' SeMachineAccountPrivilege -Uadministrator
It worked and user2 was given the privilege ON THE domain controller.

Originally I was using sssd/ldap/Kerberos and not winbind, but still had the same error. The machine has been wiped and reinstalled several times.
I have used a far more basic smb.conf without winbind and vfs/acl, but this is my current one.

*******
[global]
netbios name = fs6
workgroup = BES
security = ADS
realm = ebs.private.net
encrypt passwords = yes
interfaces = 155.198.41.0/24 127.0.0.1 lo em1
bind interfaces only = yes
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config BES:backend = ad
idmap config BES:schema_mode = rfc2307
idmap config BES:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

I have even done the command from another linux server into the samba server but it too gives the same error
Could not connect to server fs6 <fs6 is the samba server>
Connection failed: NT code 0xc0000418

Netstat shows entries for 127.0.0.1 associated with 139 and 445. Haven't got the actual output, but I could get it.

I would appreciate it if anyone could give me any tests to check basic functionality. I am thinking that it may be to do with groups, but I would expect different types of errors.
ANY basic tests welcome.

Rowland Penny
2014-Jul-04 12:11 UTC
[Samba] "net rpc rights" commands. Connection always fails
On 04/07/14 12:17, Johnson, Eric wrote:
> Windows 2012 R2 domain at highest level and one rhel6.5 samba server(3.6)
>
> Been throwing everything at this for the last few days. I can join to the domain and create ACL enabled shares but this one command I am struggling with.
>
> $ net rpc rights grant 'BES\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> Enter administrator's password:
> Could not connect to server 127.0.0.1

This shows that 'net' was trying to connect to an AD DC on localhost, so it will not work unless the command is actually run on a samba4 AD DC.

> Connection failed: NT code 0xc0000418
> $
> Typing nonsense into the username and password gives the same result.
>
> Perhaps a hint is when I (foolishly) did
> net rpc -S DOMAIN_CONTROLLER rights grant 'BES\user2' SeMachineAccountPrivilege -Uadministrator
> It worked and user2 was given the privilege ON THE domain controller.

Not so foolish, this is the correct way of running the command on a machine that is joined to the domain, '-S' or '--server=' is the only way that 'net' knows which machine to connect to.

Rowland

>
> Originally I was using sssd/ldap/Kerberos and not winbind, but still had the same error. The machine has been wiped and reinstalled several times.
> I have used a far more basic smb.conf without winbind and vfs/acl, but this is my current one.
>
> *******
> [global]
> netbios name = fs6
> workgroup = BES
> security = ADS
> realm = ebs.private.net
> encrypt passwords = yes
> interfaces = 155.198.41.0/24 127.0.0.1 lo em1
> bind interfaces only = yes
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config BES:backend = ad
> idmap config BES:schema_mode = rfc2307
> idmap config BES:range = 500-40000
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> I have even done the command from another linux server into the samba server but it too gives the same error
> Could not connect to server fs6 <fs6 is the samba server>
> Connection failed: NT code 0xc0000418
>
> Netstat shows entries for 127.0.0.1 associated with 139 and 445. Haven't got the actual output, but I could get it.
>
> I would appreciate it if anyone could give me any tests to check basic functionality. I am thinking that it may be to do with groups, but I would expect different types of errors.
> ANY basic tests welcome.