Tim,

Thanks for the hint. Usermap for root applied, locally made requests fail
now systematically with
"Could not connect to server <server address>
Connection failed: NT_STATUS_LOCK_NOT_GRANTED"

It is kind of an improvement :) Random things scare me.

-Tom

On Tue, Mar 24, 2015 at 7:40 PM, Tim <lists at kiuni.de> wrote:

> Hi Tom,
>
> have a look at this:
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
>
> I think this could resolve your problem by using a username mapping on
> your member server.
>
> Regards
> Tim
>
> On 24 March 2015 18:34:12 CET, "Tom Söderlund" <tom.k.soderlund at gmail.com> wrote:
>
>> Marc,
>>
>> Below xxx.yyy. is my network prefix.
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.LOCAL
>> server string = Server %v
>> security = ADS
>> client signing = auto
>> client use spnego = yes
>> kerberos method = secrets and keytab
>> log file = /var/log/samba/log.%m
>> log level = 3
>> max log size = 50
>> load printers = No
>> printcap name = /dev/null
>> idmap config * : backend = tdb
>> hosts allow = 127., xxx.yyy.
>> cups options = raw
>> vfs objects = acl_xattr
>> inherit acls = Yes
>> map acl inherit = Yes
>> store dos attributes = Yes
>> browseable = Yes
>>
>> Some trials below, getent for the group succeeds and mostly everything is
>> running fine, I can even log in with domain accounts and set file
>> permissions that include domain groups and accounts, and with valid file
>> rights MS terminals can see shares on this server. But giving this
>> privilege fails with a bit random results.
>>
>> [me at server]$ getent group "DOMAIN\Domain Admins"
>> domain admins:*:978600512:me.user,administrator
>>
>> [me at server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server
>> Enter DOMAIN\Administrator's password:
>> Could not connect to server server
>> Connection failed: NT_STATUS_LOCK_NOT_GRANTED
>>
>> [me at server]$ net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> [me at server]$ sudo net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -UDOMAIN\\Administrator -S server.domain.local
>> [sudo] password for me:
>> Enter DOMAIN\Administrator's password:
>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> -Tom
>>
>> On Tue, Mar 24, 2015 at 6:10 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>>
>>> Hello Tom,
>>>
>>> On 24.03.2015 at 08:49, Tom Söderlund wrote:
>>>
>>>> $ net rpc rights grant 'DOMAIN\Domain Admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>>> Enter DOMAIN\Administrator's password:
>>>> Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>>>
>>>> $ net rpc rights grant 'DOMAIN\Unix-admins' SeDiskOperatorPrivilege -UDOMAIN\\Administrator
>>>> Enter DOMAIN\Administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>
>>> * Is the group "DOMAIN\Domain Admins" locally available? Check with
>>>   # getent group "DOMAIN\Domain Admins"
>>>
>>> * Is Samba listening on localhost? Check "interfaces" parameter
>>>   in your smb.conf. Or add "-S servername" to your "net" command.
>>>
>>> * Can you post the [global] section of your smb.conf, please?
>>>
>>> Regards,
>>> Marc

Don't be scared and take the challenge! :-)

Reduce your smb.conf to the minimum as seen in the member server wiki and try it again. It should work then.

On 25/03/15 19:40, Tim wrote:
> Don't be scared and take the challenge! :-)
>
> Reduce your smb.conf to the minimum as seen in the member server wiki and try it again. It should work then.

Possibly not, I think the OP is using sssd, it might help if we could see the exact command the OP is running and if he is running it as 'root'

Rowland
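
The two smb.conf conditions raised in this thread (a username map that maps the domain administrator to root, and whether smbd is reachable on localhost), written as a static check. This is an added shell example, not code from any poster; the function names and sample files are constructed, and the `!root = DOMAIN\Administrator` map line is an assumption about what "usermap for root" meant here.

```shell
# Print the last value of a [global] parameter (Samba ignores case/whitespace in names).
global_param() {  # $1 = smb.conf path, $2 = parameter name
    WANT="$2" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}
# Succeed if the map file has a "root = ... ACCOUNT" line (case-insensitive substring).
maps_to_root() {  # $1 = map file, $2 = account, e.g. DOMAIN\Administrator
    ACCT="$2" awk '
        BEGIN { acct = tolower(ENVIRON["ACCT"]) }
        /^[ \t]*[#;]/ { next }
        (eq = index($0, "=")) {
            unixname = substr($0, 1, eq - 1); gsub(/[ \t!]/, "", unixname)
            if (unixname == "root" && index(tolower(substr($0, eq + 1)), acct)) ok = 1
        }
        END { exit !ok }' "$1"
}
# Print one finding per line; print nothing when both checks pass.
audit_conf() {  # $1 = smb.conf path, $2 = administrator account
    map=$(global_param "$1" "username map")
    if [ -z "$map" ]; then
        printf '%s\n' "username map: not set in [global]"
    elif ! maps_to_root "$map" "$2"; then
        printf '%s\n' "username map: $map does not map $2 to root"
    fi
    bind=$(global_param "$1" "bind interfaces only" | tr '[:upper:]' '[:lower:]')
    case "$bind" in yes|true|on|1)
        # smbd only listens on the listed interfaces in this mode
        case " $(global_param "$1" interfaces) " in
            *" lo "*|*127.*) ;;
            *) printf '%s\n' "interfaces: localhost not listed; pass -S servername to net" ;;
        esac ;;
    esac
}
# Constructed sample files (not the poster's real configuration).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '!root = DOMAIN\Administrator' > "$d/user.map"
    printf '%s\n' '[global]' 'security = ADS' "username map = $d/user.map" 'bind interfaces only = yes' 'interfaces = eth0' > "$d/smb.conf"
    audit_conf "$d/smb.conf" 'DOMAIN\Administrator'
    rm -rf "$d"
}
demo
```

Run against the sample, the map check passes and only the localhost finding is printed.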