Hello,

I built Samba 4.5.4 on a FreeBSD 11.0 machine, and I’m trying to set up an AD DC with a file share. So I did this:

- enabled ACLs on my UFS2 filesystem (before compilation)
- successfully provisioned (rfc2307, internal DNS)
- tested local shares, DNS, Kerberos
- adjusted NTPd as suggested in Wiki
- added this to the global section of smb.conf:

template shell = /usr/sbin/nologin
template homedir = /home/%U

- changed these lines in /etc/nsswitch.conf:

passwd: files winbind
group: files winbind

- Made a symlink for NSS:

ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/

And winbindd seems to work. I can look up domain users:

# getent passwd Administrator
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin

And change file ownerships to the domain users:

# touch testfile
# ll testfile
-rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile

But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get this:

# net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U "RW\administrator"
Enter RW\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL

I found out that other net rpc commands don’t work either, e.g.:

# net rpc rights list -U administrator
Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL

The rpc service seems to be running:

# samba-tool testparm --parameter-name='server services'
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

I tried to map the root user to the domain Administrator but nothing changed.

When I raise the log level to 3, the session looks like this:

net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U "RW\administrator" -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255 netmask=255.255.255.0
Enter RW\administrator's password:
Connecting to 127.0.0.1 at port 445
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
return code = -1

Now, “sockstat -4” shows that smbd listens on port 445, all interfaces/addresses:

...
root smbd 2316 47 tcp4 *:445 *:*
...

“failed to make ipc connection” has to do with the IPC$ share, right? At least I can’t connect to it:

# smbclient //localhost/IPC$ -UAdministrator -c 'ls'
Enter Administrator's password:
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 129 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
Domain=[RW] OS=[Windows 6.1] Server=[Samba 4.5.4]
NT_STATUS_ACCESS_DENIED listing \*
#

By the way, I don’t receive these tdb_lock failure messages when looking up shares as a regular user.

Any ideas why "net rpc" commands don’t work for me?

Thanks,
Alnis

Hello Alnis,

On 29.01.2017 at 17:27, Alnis Morics via samba wrote:
> But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get
> this:
>
> # net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U
> "RW\administrator"
> Enter RW\administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_UNSUCCESSFUL

https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address

Regards,
Marc

On 01/29/2017 18:41, Marc Muehlfeld wrote:
> Hello Alnis,
>
> On 29.01.2017 at 17:27, Alnis Morics via samba wrote:
>> But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get
>> this:
>>
>> # net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U
>> "RW\administrator"
>> Enter RW\administrator's password:
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_UNSUCCESSFUL
> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address
>
>
> Regards,
> Marc
>

Thank you, Marc.

Yes, I already tried that. The result is:

net rpc -I 192.168.0.192 rights list -U administrator
Enter administrator's password:
Could not connect to server 192.168.0.192
Connection failed: NT_STATUS_UNSUCCESSFUL

And, as I said, my smbd is listening on all addresses. And the error message is a bit different: not NT_STATUS_CONNECTION_REFUSED, as in that example, but NT_STATUS_UNSUCCESSFUL -- a generic one.

Alnis

>On 01/29/2017 18:41, Marc Muehlfeld wrote:
>
>> Hello Alnis,
>>
>> On 29.01.2017 at 17:27, Alnis Morics via samba wrote:
>>> But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get
>>> this:
>>>
>>> # net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U
>>> "RW\administrator"
>>> Enter RW\administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_UNSUCCESSFUL
>> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address
>>
>>
>> Regards,
>> Marc
>>
>Thank you, Marc.
>
>Yes, I already tried that. The result is:
>
>net rpc -I 192.168.0.192 rights list -U administrator
>Enter administrator's password:
>Could not connect to server 192.168.0.192
>Connection failed: NT_STATUS_UNSUCCESSFUL
>
>And, as I said, my smbd is listening on all addresses. And the error
>message is a bit different: not NT_STATUS_CONNECTION_REFUSED, as in that
>example, but NT_STATUS_UNSUCCESSFUL -- a generic one.
>
>Alnis

Ok, if I raise the log level to 10, I get 7 more lines at the end:

...
Could not connect to server 192.168.0.192
Connection failed: NT_STATUS_UNSUCCESSFUL
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
return code = -1
Opening cache file at /usr/local/samba/var/cache/gencache.tdb
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb):
allrecord_mutex_lock() failed: Invalid argument
Could not get allrecord lock on gencache_notrans.tdb: Locking error
Freeing parametrics:
#

Alnis

> >On 01/29/2017 18:41, Marc Muehlfeld wrote:
> >
> >> Hello Alnis,
> >>
> >> On 29.01.2017 at 17:27, Alnis Morics via samba wrote:
> >>> But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get
> >>> this:
> >>>
> >>> # net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U
> >>> "RW\administrator"
> >>> Enter RW\administrator's password:
> >>> Could not connect to server 127.0.0.1
> >>> Connection failed: NT_STATUS_UNSUCCESSFUL
> >> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address
> >>
> >>
> >> Regards,
> >> Marc
> >>
> >Thank you, Marc.
> >
> >Yes, I already tried that. The result is:
> >
> >net rpc -I 192.168.0.192 rights list -U administrator
> >Enter administrator's password:
> >Could not connect to server 192.168.0.192
> >Connection failed: NT_STATUS_UNSUCCESSFUL
> >
> >And, as I said, my smbd is listening on all addresses. And the error
> >message is a bit different: not NT_STATUS_CONNECTION_REFUSED, as in that
> >example, but NT_STATUS_UNSUCCESSFUL -- a generic one.
> >
> >Alnis
>
>Ok, if I raise the log level to 10, I get 7 more lines at the end:
>...
>Could not connect to server 192.168.0.192
>Connection failed: NT_STATUS_UNSUCCESSFUL
>failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
>return code = -1
>Opening cache file at /usr/local/samba/var/cache/gencache.tdb
>Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
>tdb(/usr/local/samba/var/lock/gencache_notrans.tdb):
>allrecord_mutex_lock() failed: Invalid argument
>Could not get allrecord lock on gencache_notrans.tdb: Locking error
>Freeing parametrics:
>#
>
>Alnis

"allrecord_mutex_lock() failed: Invalid argument" looks like a C interpreter's complaint. I thought maybe there's a conflict between gcc and Clang of FreeBSD's base system. So I removed gcc and recompiled Samba. But no, the errors are exactly the same.

I also have another FreeBSD machine (10.3) where some months ago I built Samba 4.4.5 ADDC, and there "net rpc" commands work.

Alnis

>> >On 01/29/2017 18:41, Marc Muehlfeld wrote:
>> >
>> >> Hello Alnis,
>> >>
>> >> On 29.01.2017 at 17:27, Alnis Morics via samba wrote:
>> >>> But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get
>> >>> this:
>> >>>
>> >>> # net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U
>> >>> "RW\administrator"
>> >>> Enter RW\administrator's password:
>> >>> Could not connect to server 127.0.0.1
>> >>> Connection failed: NT_STATUS_UNSUCCESSFUL
>> >> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#The_net_Command_Fails_to_Connect_to_the_127.0.0.1_IP_Address
>> >>
>> >>
>> >> Regards,
>> >> Marc
>> >>
>> >Thank you, Marc.
>> >
>> >Yes, I already tried that. The result is:
>> >
>> >net rpc -I 192.168.0.192 rights list -U administrator
>> >Enter administrator's password:
>> >Could not connect to server 192.168.0.192
>> >Connection failed: NT_STATUS_UNSUCCESSFUL
>> >
>> >And, as I said, my smbd is listening on all addresses. And the error
>> >message is a bit different: not NT_STATUS_CONNECTION_REFUSED, as in that
>> >example, but NT_STATUS_UNSUCCESSFUL -- a generic one.
>> >
>> >Alnis
>>
>>Ok, if I raise the log level to 10, I get 7 more lines at the end:
>>...
>>Could not connect to server 192.168.0.192
>>Connection failed: NT_STATUS_UNSUCCESSFUL
>>failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
>>return code = -1
>>Opening cache file at /usr/local/samba/var/cache/gencache.tdb
>>Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
>>tdb(/usr/local/samba/var/lock/gencache_notrans.tdb):
>>allrecord_mutex_lock() failed: Invalid argument
>>Could not get allrecord lock on gencache_notrans.tdb: Locking error
>>Freeing parametrics:
>>#
>>
>>Alnis
>
>"allrecord_mutex_lock() failed: Invalid argument" looks like a C interpreter's complaint. I thought maybe there's a conflict between gcc and Clang of FreeBSD's base system. So I removed gcc and recompiled Samba. But no, the errors are exactly the same.
>
>I also have another FreeBSD machine (10.3) where some months ago I built Samba 4.4.5 ADDC, and there "net rpc" commands work.
>
>Alnis

One more try. I took the Samba 4.4.9 tarball, built it, and now "net rpc" commands work as expected, e.g.:

# net rpc rights list -U administrator
Enter administrator's password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
SeSecurityPrivilege System security
SeSystemtimePrivilege Set the system clock
SeShutdownPrivilege Shutdown the system
SeDebugPrivilege Debug processes
SeSystemEnvironmentPrivilege Modify system environment
SeSystemProfilePrivilege Profile the system
SeProfileSingleProcessPrivilege Profile one process
SeIncreaseBasePriorityPrivilege Increase base priority
SeLoadDriverPrivilege Load drivers
SeCreatePagefilePrivilege Create page files
SeIncreaseQuotaPrivilege Increase quota
SeChangeNotifyPrivilege Register for change notify
SeUndockPrivilege Undock devices
SeManageVolumePrivilege Manage system volumes
SeImpersonatePrivilege Impersonate users
SeCreateGlobalPrivilege Create global
SeEnableDelegationPrivilege Enable Delegation

It appears that 4.5.X introduces something that FreeBSD doesn't like, but ok. I now proceeded with 4.4.9 to joining Windows clients and stopped at another problem, but that's a separate topic.

Alnis

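The thread separates the wiki's NT_STATUS_CONNECTION_REFUSED case from the generic NT_STATUS_UNSUCCESSFUL that arrives together with tdb locking errors. The script below is an added example, not part of any post in the thread, that sorts saved `net ... -d 10` output by those signals; the function names, the labels and the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and labels are hypothetical.

# Lines taken from the thread's level-10 output (mail-wrapped tdb line rejoined).
sample_thread='Could not connect to server 192.168.0.192
Connection failed: NT_STATUS_UNSUCCESSFUL
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): allrecord_mutex_lock() failed: Invalid argument
Could not get allrecord lock on gencache_notrans.tdb: Locking error'

# Constructed sample of the status the wiki entry covers.
sample_refused='Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED'

TDB_LOCK_RE='tdb_lock failed|allrecord_mutex_lock\(\) failed|Locking error'

# Read debug output on stdin and print one label for the strongest signal.
triage_net_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'NT_STATUS_CONNECTION_REFUSED'; then
        echo "connection-refused"      # nothing accepted the TCP connection
    elif printf '%s\n' "$log" | grep -Eq "$TDB_LOCK_RE"; then
        echo "tdb-lock-error"          # local tdb locking errors are present
    elif printf '%s\n' "$log" | grep -q 'NT_STATUS_UNSUCCESSFUL'; then
        echo "generic-unsuccessful"    # only the generic status, no other hint
    else
        echo "no-known-signal"
    fi
}

# Read debug output on stdin and list the tdb files named in lock errors.
tdb_files_with_lock_errors() {
    grep -E 'tdb_lock failed|allrecord_mutex_lock\(\) failed' |
        sed -n 's/^tdb(\([^)]*\)).*/\1/p' | sort -u
}

printf '%s\n' "$sample_thread"  | triage_net_log
printf '%s\n' "$sample_refused" | triage_net_log
printf '%s\n' "$sample_thread"  | tdb_files_with_lock_errors
```

The labels only report which messages are present in the output; they do not establish which one caused the failed connection.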