Hello:

I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
and the following rpcclient command on CentOS 6.5 is bailing on the
following error:

could not obtain sid for domain QUEST
error: NT_STATUS_ACCESS_DENIED

I've tested this with all stable versions of 3.6 etc. I have not tried
the python based rpcclient command yet though.

But after a bit of debugging, it seems that the fetch_machine_sid()
function is failing to open up the LSA pipe using the domain's
administrative credentials.

I have verified that the netapp is joined to the domain, can perform
SID lookups, as well as have its own "administrators" group see RID
500 and have full access to the netapp.

If I comment out fetch_machine_sid() from rpcclient, everything works
fine (I get 'netshareenum' output from all supported levels).

Does anyone have any idea why samba and my NetApp aren't playing nice?
More specifically, does anyone know why the LSA open policy stuff
would fail on a NetApp when using domain administrator creds (RID
500)?

-aps

On Tue, Feb 17, 2015 at 12:42:20PM -0500, pisymbol . wrote:
> Hello:
>
> I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
> and the following rpcclient command on CentOS 6.5 is bailing on the
> following error:
>
> could not obtain sid for domain QUEST
> error: NT_STATUS_ACCESS_DENIED
>
> I've tested this with all stable versions of 3.6 etc. I have not tried
> the python based rpcclient command yet though.
>
> But after a bit of debugging, it seems that the fetch_machine_sid()
> function is failing to open up the LSA pipe using the domain's
> administrative credentials.
>
> I have verified that the netapp is joined to the domain, can perform
> SID lookups, as well as have its own "administrators" group see RID
> 500 and have full access to the netapp.
>
> If I comment out fetch_machine_sid() from rpcclient, everything works
> fine (I get 'netshareenum' output from all supported levels).
>
> Does anyone have any idea why samba and my NetApp aren't playing nice?
> More specifically, does anyone know why the LSA open policy stuff
> would fail on a NetApp when using domain administrator creds (RID
> 500)?

Log a bug at bugzilla.samba.org and upload an rpcclient log
+ wireshark trace of this running successfully against Windows
and failing against NetApp please!

On Wed, Feb 18, 2015 at 5:47 PM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Feb 17, 2015 at 12:42:20PM -0500, pisymbol . wrote:
>> Hello:
>>
>> I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
>> and the following rpcclient command on CentOS 6.5 is bailing on the
>> following error:
>>
>> could not obtain sid for domain QUEST
>> error: NT_STATUS_ACCESS_DENIED
>>
>> I've tested this with all stable versions of 3.6 etc. I have not tried
>> the python based rpcclient command yet though.
>>
>> But after a bit of debugging, it seems that the fetch_machine_sid()
>> function is failing to open up the LSA pipe using the domain's
>> administrative credentials.
>>
>> I have verified that the netapp is joined to the domain, can perform
>> SID lookups, as well as have its own "administrators" group see RID
>> 500 and have full access to the netapp.
>>
>> If I comment out fetch_machine_sid() from rpcclient, everything works
>> fine (I get 'netshareenum' output from all supported levels).
>>
>> Does anyone have any idea why samba and my NetApp aren't playing nice?
>> More specifically, does anyone know why the LSA open policy stuff
>> would fail on a NetApp when using domain administrator creds (RID
>> 500)?
>
> Log a bug at bugzilla.samba.org and upload an rpcclient log
> + wireshark trace of this running successfully against Windows
> and failing against NetApp please!

I've submitted a bug report with NetApp as well.

Jeremy, a more samba-ish related question though:

Why does rpcclient need to call fetch_machine_sid() and subsequently
try to open up the LSA for every type of RPC? i.e. the 'netshareenum'
call works fine if I just comment this line out.

Thanks for at least reading my post!

-aps