On 30/04/15 09:05, Sebastian Gabler wrote:
> There is something to add. Listing existing rights (any rights that is, thus using the current, root, user) fails with the same problem:
>
> # net rpc rights list
> Enter root's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I conclude from that that net cannot authenticate at all for this purpose, and the first step would be to solve that. The question is: How?
>
> Br
>
> Sebastian
>
> On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>> so tell us what are your errors?
>>>
>>> It's hard to help without them.
>>> Please post your smb.conf (sanitized) and your resolv.conf and hosts file.
>>> and..
>>> you can try the command:
>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn
>>>
>>> greetz,
>>>
>>> Louis
>> I am getting the error listed here:
>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>
>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
>> Enter SAMDOM\administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> resolv.conf is automatically filled by Network Manager here (which gets the settings from the DHCP server, which is the DC in my case). hosts has no entries besides the localhost defaults for 'lo'. hostname returns the fqdn. DNS resolution and ntp sync are perfectly fine. Domain users can log on, and get homes. (I don't care about that too much, but it's nice to see it working.)
>>
>> This is the testparm dump, with '#' comments:
>>
>> [global]
>> realm = MYDOMAIN.LOCAL # here is the actual realm value
>> server string = Samba Server Version %v
>> security = ADS
>> username map = /etc/samba/user.map
>> kerberos method = system keytab
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> load printers = No
>> printcap name = /dev/null
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> cups options = raw
>> vfs objects = acl_xattr
>>
>> [Acls] # this is my test share
>> path = /srv/samba/acls/
>> read only = No
>>
>> Looking at these, it comes to my attention that there is no idmap on that machine (I mean, not as a daemon, not as a command). Could that be part of the problem?
>> In the -S option above, does servername.fqdn refer to the DC or to the local machine?
>> Also, I was puzzled whether the PW to enter is the root PW or the Domain Admin PW. I tried both, always.
>>
>> Best,
>> Sebastian
>

You need to map root to Administrator, add this line to smb.conf:

username map = /etc/samba/user.map

Then create the map file, it is just one line:

!root = EXAMPLE\Administrator Administrator administrator

Change 'EXAMPLE' for your workgroup name.

Rowland
On 12:29:52, Rowland Penny wrote:
> You need to map root to Administrator, add this line to smb.conf:
> username map = /etc/samba/user.map
>
> Then create the map file, it is just one line:
>
> !root = EXAMPLE\Administrator Administrator administrator

Simply wrong! This maps the Windows users to the Unix user root.

> Change 'EXAMPLE' for your workgroup name.
>
> Rowland

--
Regards
Harry Jede
On 30/04/15 11:32, Harry Jede wrote:
> On 12:29:52, Rowland Penny wrote:
>> You need to map root to Administrator, add this line to smb.conf:
>> username map = /etc/samba/user.map
>>
>> Then create the map file, it is just one line:
>>
>> !root = EXAMPLE\Administrator Administrator administrator
> Simply wrong! This maps the Windows users to the Unix user root.
>
>> Change 'EXAMPLE' for your workgroup name.
>>
>> Rowland
>

If it is 'Simply wrong', why can I run the same command that the OP used and expect it to work, but if I don't have the line in smb.conf, I get the result the OP did?

Rowland
On 30.04.2015 at 10:13, Rowland Penny wrote:
> On 30/04/15 09:05, Sebastian Gabler wrote:
>> There is something to add. Listing existing rights (any rights that is, thus using the current, root, user) fails with the same problem:
>>
>> # net rpc rights list
>> Enter root's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> I conclude from that that net cannot authenticate at all for this purpose, and the first step would be to solve that. The question is: How?
>>
>> Br
>>
>> Sebastian
>>
>> On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>>> so tell us what are your errors?
>>>>
>>>> It's hard to help without them.
>>>> Please post your smb.conf (sanitized) and your resolv.conf and hosts file.
>>>> and..
>>>> you can try the command:
>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn
>>>>
>>>> greetz,
>>>>
>>>> Louis
>>> I am getting the error listed here:
>>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>>
>>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
>>> Enter SAMDOM\administrator's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> resolv.conf is automatically filled by Network Manager here (which gets the settings from the DHCP server, which is the DC in my case). hosts has no entries besides the localhost defaults for 'lo'. hostname returns the fqdn. DNS resolution and ntp sync are perfectly fine. Domain users can log on, and get homes. (I don't care about that too much, but it's nice to see it working.)
>>>
>>> This is the testparm dump, with '#' comments:
>>>
>>> [global]
>>> realm = MYDOMAIN.LOCAL # here is the actual realm value
>>> server string = Samba Server Version %v
>>> security = ADS
>>> username map = /etc/samba/user.map
>>> kerberos method = system keytab
>>> log file = /var/log/samba/log.%m
>>> max log size = 50
>>> load printers = No
>>> printcap name = /dev/null
>>> idmap config * : backend = tdb
>>> map acl inherit = Yes
>>> cups options = raw
>>> vfs objects = acl_xattr
>>>
>>> [Acls] # this is my test share
>>> path = /srv/samba/acls/
>>> read only = No
>>>
>>> Looking at these, it comes to my attention that there is no idmap on that machine (I mean, not as a daemon, not as a command). Could that be part of the problem?
>>> In the -S option above, does servername.fqdn refer to the DC or to the local machine?
>>> Also, I was puzzled whether the PW to enter is the root PW or the Domain Admin PW. I tried both, always.
>>>
>>> Best,
>>> Sebastian
>>
>
> You need to map root to Administrator, add this line to smb.conf:
> username map = /etc/samba/user.map
>
> Then create the map file, it is just one line:
>
> !root = EXAMPLE\Administrator Administrator administrator
>
> Change 'EXAMPLE' for your workgroup name.
>
> Rowland
>

Thanks for the hints.

You may want to note that 'username map' is already in my conf, line 4 from the top of the global section. Content of the map file is "!root = administrator@mydomain.local Administrator administrator". The syntax for the domain admin user follows the one suggested by realmd, that is user@domain.local.

That is, to my understanding I already did what you suggest, and said so in my original message.

Not sure about 3 things:

1. Why would authentication of net rpc fail against the local root user on the local machine? Why does it even ask for the password anyhow when I run it as root? That is, irrespective of any user maps, not making any sense to me.
2. Where does the 'Workgroup\Administrator' syntax you are suggesting come from? I am joined to a domain - how would this matter?
3. Not sure I mentioned it earlier, but: I can indeed change ownership of folders, ACLs and permissions from Windows as Domain Admin. What doesn't work is creating new shares from the Computer Administration console, and changing share ownership to other users from there.

Best regards,

Sebastian
On 30.04.2015 at 12:32, Harry Jede wrote:
> On 12:29:52, Rowland Penny wrote:
>> You need to map root to Administrator, add this line to smb.conf:
>> username map = /etc/samba/user.map
>>
>> Then create the map file, it is just one line:
>>
>> !root = EXAMPLE\Administrator Administrator administrator
> Simply wrong! This maps the Windows users to the Unix user root.
>

Not sure, but wasn't that what it should do? (Even if I stated that it doesn't have the intended outcome for me...)

Do you have any other idea how to make the original problem work? Help is still welcome.

Br
Sebastian
On 30.04.2015 at 18:23, Sebastian Gabler wrote:
> On 30.04.2015 at 10:13, Rowland Penny wrote:
>> On 30/04/15 09:05, Sebastian Gabler wrote:
>>> There is something to add. Listing existing rights (any rights that is, thus using the current, root, user) fails with the same problem:
>>>
>>> # net rpc rights list
>>> Enter root's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> I conclude from that that net cannot authenticate at all for this purpose, and the first step would be to solve that. The question is: How?
>>>
>>> Br
>>>
>>> Sebastian
>>>
>>> On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>>>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>>>> so tell us what are your errors?
>>>>>
>>>>> It's hard to help without them.
>>>>> Please post your smb.conf (sanitized) and your resolv.conf and hosts file.
>>>>> and..
>>>>> you can try the command:
>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn
>>>>>
>>>>> greetz,
>>>>>
>>>>> Louis
>>>> I am getting the error listed here:
>>>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>>>
>>>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
>>>> Enter SAMDOM\administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> resolv.conf is automatically filled by Network Manager here (which gets the settings from the DHCP server, which is the DC in my case). hosts has no entries besides the localhost defaults for 'lo'. hostname returns the fqdn. DNS resolution and ntp sync are perfectly fine. Domain users can log on, and get homes. (I don't care about that too much, but it's nice to see it working.)
>>>>
>>>> This is the testparm dump, with '#' comments:
>>>>
>>>> [global]
>>>> realm = MYDOMAIN.LOCAL # here is the actual realm value
>>>> server string = Samba Server Version %v
>>>> security = ADS
>>>> username map = /etc/samba/user.map
>>>> kerberos method = system keytab
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 50
>>>> load printers = No
>>>> printcap name = /dev/null
>>>> idmap config * : backend = tdb
>>>> map acl inherit = Yes
>>>> cups options = raw
>>>> vfs objects = acl_xattr
>>>>
>>>> [Acls] # this is my test share
>>>> path = /srv/samba/acls/
>>>> read only = No
>>>>
>>>> Looking at these, it comes to my attention that there is no idmap on that machine (I mean, not as a daemon, not as a command). Could that be part of the problem?
>>>> In the -S option above, does servername.fqdn refer to the DC or to the local machine?
>>>> Also, I was puzzled whether the PW to enter is the root PW or the Domain Admin PW. I tried both, always.
>>>>
>>>> Best,
>>>> Sebastian
>>>
>>
>> You need to map root to Administrator, add this line to smb.conf:
>> username map = /etc/samba/user.map
>>
>> Then create the map file, it is just one line:
>>
>> !root = EXAMPLE\Administrator Administrator administrator
>>
>> Change 'EXAMPLE' for your workgroup name.
>>
>> Rowland
>>
> Thanks for the hints.
>
> You may want to note that 'username map' is already in my conf, line 4 from the top of the global section. Content of the map file is "!root = administrator@mydomain.local Administrator administrator". The syntax for the domain admin user follows the one suggested by realmd, that is user@domain.local.
>
> That is, to my understanding I already did what you suggest, and said so in my original message.
>
> Not sure about 3 things:
>
> 1. Why would authentication of net rpc fail against the local root user on the local machine? Why does it even ask for the password anyhow when I run it as root? That is, irrespective of any user maps, not making any sense to me.
> 2. Where does the 'Workgroup\Administrator' syntax you are suggesting come from? I am joined to a domain - how would this matter?
> 3. Not sure I mentioned it earlier, but: I can indeed change ownership of folders, ACLs and permissions from Windows as Domain Admin. What doesn't work is creating new shares from the Computer Administration console, and changing share ownership to other users from there.
>
> Best regards,
>
> Sebastian
>

Solved. What was missing was the workgroup directive. My mistake. It's mentioned here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Wrong hint:
- '-S' option. The privilege is set on the local member machine, not remote. Thus, the password of SAMDOM\Administrator is the mapped (root) pw.

Thanks anyway for the hints.

Sebastian
Hi,

> Thus, the password of SAMDOM\Administrator is the mapped (root) pw.

No, not correct. root has its password; Administrator has its own password. Even when mapped these are different; these users just share the same uid 0!

Test with: kinit Administrator@YOUR.REALM.TLD

and have a look here:
http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/

Make sure your /etc/hosts does NOT contain something like:
127.0.0.1 dc1.server.tld dc1
but
127.0.0.1 localhost localhost.localdomain
and only the real server IP with hostname in hosts.

As extra info: a lot of the problems can be avoided by adding this section (in addition to disabling automatic-install) in /etc/realmd.conf:

[my.domain.fqdn.here]
fully-qualified-names = no

Then I do:
kinit myuser@MY.DOMAIN.FQDN.HERE
and:
realm join my.domain.fqdn.here

Optional, if you can't join: install the package packagekit.

All this said, if all of the above works, and you did join the AD and your resolving is correct, then net rpc rights list should work fine. If not, well, then I don't know; I don't use sssd and realmd.

Greetz,

Louis

> -----Original message-----
> From: sequoiamobil@gmx.net [mailto:samba-bounces@lists.samba.org] On behalf of Sebastian Gabler
> Sent: Friday, 1 May 2015 0:22
> To: samba@lists.samba.org
> Subject: Re: [Samba] realmd and net rpc privileges
>
> On 30.04.2015 at 18:23, Sebastian Gabler wrote:
>> On 30.04.2015 at 10:13, Rowland Penny wrote:
>>> On 30/04/15 09:05, Sebastian Gabler wrote:
>>>> There is something to add. Listing existing rights (any rights that is, thus using the current, root, user) fails with the same problem:
>>>>
>>>> # net rpc rights list
>>>> Enter root's password:
>>>> Could not connect to server 127.0.0.1
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> I conclude from that that net cannot authenticate at all for this purpose, and the first step would be to solve that. The question is: How?
>>>>
>>>> Br
>>>>
>>>> Sebastian
>>>>
>>>> On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>>>>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>>>>> so tell us what are your errors?
>>>>>>
>>>>>> It's hard to help without them.
>>>>>> Please post your smb.conf (sanitized) and your resolv.conf and hosts file.
>>>>>> and..
>>>>>> you can try the command:
>>>>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn
>>>>>>
>>>>>> greetz,
>>>>>>
>>>>>> Louis
>>>>> I am getting the error listed here:
>>>>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>>>>
>>>>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator'
>>>>> Enter SAMDOM\administrator's password:
>>>>> Could not connect to server 127.0.0.1
>>>>> The username or password was not correct.
>>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>>
>>>>> resolv.conf is automatically filled by Network Manager here (which gets the settings from the DHCP server, which is the DC in my case). hosts has no entries besides the localhost defaults for 'lo'. hostname returns the fqdn. DNS resolution and ntp sync are perfectly fine. Domain users can log on, and get homes. (I don't care about that too much, but it's nice to see it working.)
>>>>>
>>>>> This is the testparm dump, with '#' comments:
>>>>>
>>>>> [global]
>>>>> realm = MYDOMAIN.LOCAL # here is the actual realm value
>>>>> server string = Samba Server Version %v
>>>>> security = ADS
>>>>> username map = /etc/samba/user.map
>>>>> kerberos method = system keytab
>>>>> log file = /var/log/samba/log.%m
>>>>> max log size = 50
>>>>> load printers = No
>>>>> printcap name = /dev/null
>>>>> idmap config * : backend = tdb
>>>>> map acl inherit = Yes
>>>>> cups options = raw
>>>>> vfs objects = acl_xattr
>>>>>
>>>>> [Acls] # this is my test share
>>>>> path = /srv/samba/acls/
>>>>> read only = No
>>>>>
>>>>> Looking at these, it comes to my attention that there is no idmap on that machine (I mean, not as a daemon, not as a command). Could that be part of the problem?
>>>>> In the -S option above, does servername.fqdn refer to the DC or to the local machine?
>>>>> Also, I was puzzled whether the PW to enter is the root PW or the Domain Admin PW. I tried both, always.
>>>>>
>>>>> Best,
>>>>> Sebastian
>>>>
>>>
>>> You need to map root to Administrator, add this line to smb.conf:
>>> username map = /etc/samba/user.map
>>>
>>> Then create the map file, it is just one line:
>>>
>>> !root = EXAMPLE\Administrator Administrator administrator
>>>
>>> Change 'EXAMPLE' for your workgroup name.
>>>
>>> Rowland
>>>
>> Thanks for the hints.
>>
>> You may want to note that 'username map' is already in my conf, line 4 from the top of the global section. Content of the map file is "!root = administrator@mydomain.local Administrator administrator". The syntax for the domain admin user follows the one suggested by realmd, that is user@domain.local.
>>
>> That is, to my understanding I already did what you suggest, and said so in my original message.
>>
>> Not sure about 3 things:
>>
>> 1. Why would authentication of net rpc fail against the local root user on the local machine? Why does it even ask for the password anyhow when I run it as root? That is, irrespective of any user maps, not making any sense to me.
>> 2. Where does the 'Workgroup\Administrator' syntax you are suggesting come from? I am joined to a domain - how would this matter?
>> 3. Not sure I mentioned it earlier, but: I can indeed change ownership of folders, ACLs and permissions from Windows as Domain Admin. What doesn't work is creating new shares from the Computer Administration console, and changing share ownership to other users from there.
>>
>> Best regards,
>>
>> Sebastian
>>
> Solved. What was missing was the workgroup directive. My mistake. It's mentioned here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Wrong hint:
> - '-S' option. The privilege is set on the local member machine, not remote. Thus, the password of SAMDOM\Administrator is the mapped (root) pw.
>
> Thanks anyway for the hints.
>
> Sebastian
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
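The thread ends with two findings: the member server's smb.conf had a 'username map' but no 'workgroup' directive, and the password that 'net rpc rights' asks for when run as SAMDOM\administrator is Administrator's own AD password, not root's, even though the map lands both on uid 0. The script below is an added example written for this page, not code from the thread, from Samba or from the Samba wiki. It parses an smb.conf in the style of the testparm dump above, checks the three things the local 'net rpc rights' login depends on (security = ADS, realm, workgroup) and verifies that the username map has a line turning WORKGROUP\Administrator into root, using the same WORKGROUP\Administrator form as Rowland's map line. The sample smb.conf, the map file, the realm SAMDOM.EXAMPLE.COM, the workgroup SAMDOM and the temporary file paths are all constructed for the demonstration; the map path is passed to the check as an argument only so the sample can live in temp files (on a real server it is the value of 'username map').

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Pre-flight check for a Samba AD member server before running
#   net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U 'SAMDOM\administrator'
# That command talks to the local smbd (127.0.0.1), so the login "SAMDOM\administrator" has to
# be turned into the Unix user root by the username map. In the thread, the map was present but
# the "workgroup" directive (the NetBIOS domain name) was missing, and the result was
# NT_STATUS_LOGON_FAILURE; this script flags exactly that kind of incomplete configuration.

# smb_param CONF PARAM: print PARAM's value from [global] (name match is case-insensitive,
# whitespace trimmed, trailing '#' annotation removed); print nothing if the parameter is unset.
smb_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { sect = $0; sub(/#.*/, "", sect); gsub(/[][ \t]/, "", sect); next }
        tolower(sect) == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            sub(/[ \t]*#.*$/, "", val)                           # annotation after the value
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) { print val; exit }
        }' "$1"
}

# map_maps_admin_to_root WORKGROUP MAPFILE: succeed if a line of the map assigns
# WORKGROUP\Administrator to the Unix user root. A leading "!" on that line tells smbd to stop
# processing the map once the line matches, which is why the thread's map line starts with "!root".
map_maps_admin_to_root() {
    awk -v wg="$1" '
        BEGIN { found = 1; wg = tolower(wg) }
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            unix = substr($0, 1, index($0, "=") - 1)
            win  = substr($0, index($0, "=") + 1)
            gsub(/[ \t!]/, "", unix)
            if (unix != "root") next
            n = split(win, names, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tolower(names[i]) == (wg "\\administrator")) { found = 0; exit }
        }
        END { exit found }' "$2"
}

# check_member_conf CONF MAPFILE: print every problem that would stop the local
# WORKGROUP\administrator login from being mapped to root; return 0 only if none is found.
check_member_conf() {
    conf=$1; map=$2; rc=0
    sec=$(smb_param "$conf" security | tr '[:upper:]' '[:lower:]')
    [ "$sec" = "ads" ] || { printf 'security must be ADS on a domain member (found: %s)\n' "${sec:-unset}"; rc=1; }
    [ -n "$(smb_param "$conf" realm)" ] || { printf 'realm is not set\n'; rc=1; }
    wg=$(smb_param "$conf" workgroup)
    if [ -z "$wg" ]; then
        printf 'workgroup is not set: a DOMAIN\\user login has no domain prefix to match against the username map\n'
        rc=1
    fi
    if [ -z "$(smb_param "$conf" 'username map')" ]; then
        printf 'username map is not set: Administrator will never be mapped to root\n'; rc=1
    elif [ -n "$wg" ] && ! map_maps_admin_to_root "$wg" "$map"; then
        printf '%s has no line mapping %s\\Administrator to root\n' "$map" "$wg"; rc=1
    fi
    return $rc
}

# Constructed sample inputs, modelled on the testparm dump in the thread (not a real system).
SMB_BAD=$(mktemp); SMB_GOOD=$(mktemp); USERMAP=$(mktemp)
cat >"$SMB_BAD" <<'EOF'
[global]
    # realm alone identifies the Kerberos realm; it does not supply the NetBIOS domain name
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    username map = /etc/samba/user.map
    kerberos method = system keytab
    idmap config * : backend = tdb
    vfs objects = acl_xattr
EOF
# The same file with the one directive the thread was missing.
{ printf '[global]\n    workgroup = SAMDOM\n'; sed 1d "$SMB_BAD"; } >"$SMB_GOOD"
printf '!root = SAMDOM\\Administrator Administrator administrator\n' >"$USERMAP"

printf 'smb.conf without workgroup:\n'
check_member_conf "$SMB_BAD" "$USERMAP" || printf '  -> fix smb.conf, then retry net rpc rights grant\n'
printf 'smb.conf with workgroup:\n'
check_member_conf "$SMB_GOOD" "$USERMAP" && printf '  -> ok; authenticate with the AD Administrator password, not the root one\n'
```

Run it as a plain sh script on the member server after replacing the constructed files with the real smb.conf (or 'testparm -s' output) and the file named by 'username map'. As the thread worked out, no '-S' is needed for 'net rpc rights grant' here: the privilege is being set on the local member server, so the command connects to 127.0.0.1 and the credentials it needs are those of the domain Administrator account that the map turns into root.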