samba - Feb 2015 - Using rpcclient with my NetApp fails

Hello:

I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
and the following rpcclient command on CentOS 6.5 is bailing on the
following error:

could not obtain sid for domain QUEST
error: NT_STATUS_ACCESS_DENIED

I've tested this with all stable version of 3.6 etc. I have not tried
the python based rpcclient command yet though.

But after a bit of debugging, it seems that the fetch_machine_sid()
function is failing to open up the LSA pipe using the domain's
administrative credentials.

I have verified that the netapp is joined to the domain, can perform
SID lookups, as well as have its own "administrators" group see RID
500 and have full access to the netapp.

If I comment out fetch_machine_sid() from rpcclient, everything works
fine (I get 'netshareenum' output from all supported levels).

Does anyone have any idea why samba and my NetApp aren't playing nice?
More specifically, does anyone know why the LSA open policy stuff
would fail on a NetApp when using domain administrator creds (RID
500)?

-aps

On Tue, Feb 17, 2015 at 12:42:20PM -0500, pisymbol .
wrote:
> Hello:
> 
> I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
> and the following rpcclient command on CentOS 6.5 is bailing on the
> following error:
> 
> could not obtain sid for domain QUEST
> error: NT_STATUS_ACCESS_DENIED
> 
> I've tested this with all stable version of 3.6 etc. I have not tried
> the python based rpcclient command yet though.
> 
> But after a bit of debugging, it seems that the fetch_machine_sid()
> function is failing to open up the LSA pipe using the domain's
> administrative credentials.
> 
> I have verified that the netapp is joined to the domain, can perform
> SID lookups, as well as have its own "administrators" group see
RID
> 500 and have full access to the netapp.
> 
> If I comment out fetch_machine_sid() from rpcclient, everything works
> fine (I get 'netshareenum' output from all supported levels).
> 
> Does anyone have any idea why samba and my NetApp aren't playing nice?
> More specifically, does anyone know why the LSA open policy stuff
> would fail on a NetApp when using domain administrator creds (RID
> 500)?
Log a bug at bugzilla.samba.org and upload an rpcclient log
+ wireshare trace of this running successfully against Windows
and failing against NetApp please !

On Wed, Feb 18, 2015 at 5:47 PM, Jeremy Allison <jra at samba.org>
wrote:
> On Tue, Feb 17, 2015 at 12:42:20PM -0500, pisymbol . wrote:
>> Hello:
>>
>> I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
>> and the following rpcclient command on CentOS 6.5 is bailing on the
>> following error:
>>
>> could not obtain sid for domain QUEST
>> error: NT_STATUS_ACCESS_DENIED
>>
>> I've tested this with all stable version of 3.6 etc. I have not
tried
>> the python based rpcclient command yet though.
>>
>> But after a bit of debugging, it seems that the fetch_machine_sid()
>> function is failing to open up the LSA pipe using the domain's
>> administrative credentials.
>>
>> I have verified that the netapp is joined to the domain, can perform
>> SID lookups, as well as have its own "administrators" group
see RID
>> 500 and have full access to the netapp.
>>
>> If I comment out fetch_machine_sid() from rpcclient, everything works
>> fine (I get 'netshareenum' output from all supported levels).
>>
>> Does anyone have any idea why samba and my NetApp aren't playing
nice?
>> More specifically, does anyone know why the LSA open policy stuff
>> would fail on a NetApp when using domain administrator creds (RID
>> 500)?
>
> Log a bug at bugzilla.samba.org and upload an rpcclient log
> + wireshare trace of this running successfully against Windows
> and failing against NetApp please !
I've submitted a bug report with NetApp as well.

Jeremy, a more samba-ish related question though:

Why does rpcclient need to call fetch_machine_sid() and subsequently
try to open up the LSA for every type of RPC? i.e. The 'netshareenum'
calls works fine if I just comment this line out.

Thanks for at least reading my post!

-aps