[Samba] "net rpc rights" commands. Connection always fails
Johnson, Eric
2014-07-04 11:50:01 UTC
Windows 2012 R2 domain at highest level and one rhel6.5 samba server(3.6)

Been throwing everything at this for the last few days. I can join to the domain and create ACL enabled shares but this one command I am struggling with.

$ net rpc rights grant 'BES\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT code 0xc0000418
$
Typing nonsense into the username and password gives the same result.

Perhaps a hint is when I (foolishly) did
net rpc -S DOMAIN_CONTROLLER rights grant 'BES\user2' SeMachineAccountPrivilege -Uadministrator
It worked and user2 was given the privilege ON THE domain controller.

Originally I was using sssd/ldap/Kerberos and not winbind, but still had the same error, the machine has been wiped and reinstalled several times
I have used a far more basic smb.conf without winbind and vfs/acl, but this is my current one.

*******
[global]
netbios name = fs6
workgroup = BES
security = ADS
realm = ebs.private.net
encrypt passwords = yes
interfaces = 155.198.41.0/24 127.0.0.1 lo em1
bind interfaces only = yes
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config BES:backend = ad
idmap config BES:schema_mode = rfc2307
idmap config BES:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

I have even done the command from another linux server into the samba server but it too gives the same error
Could not connect to server fs6 <fs6 is the samba server>
Connection failed: NT code 0xc0000418

Netstat shows entries for 127.0.0.1 associated with 139 and 445. Haven't got the actual output, but I could get it.

I would appreciate it if anyone could give me any tests to check basic functionality. I am thinking that it may be to do with groups, but I would expect different types of errors.
ANY basic tests welcome.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2014-07-04 12:20:01 UTC
Post by Johnson, Eric
Windows 2012 R2 domain at highest level and one rhel6.5 samba server(3.6)
Been throwing everything at this for the last few days. I can join to the domain and create ACL enabled shares but this one command I am struggling with.
$ net rpc rights grant 'BES\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Could not connect to server 127.0.0.1

This shows that 'net' was trying to connect to an AD DC on localhost, so
it will not work unless the command is actually run on a samba4 AD DC.

Post by Johnson, Eric
Connection failed: NT code 0xc0000418
$
Typing nonsense into the username and password gives the same result.
Perhaps a hint is when I (foolishly) did
net rpc -S DOMAIN_CONTROLLER rights grant 'BES\user2' SeMachineAccountPrivilege -Uadministrator
It worked and user2 was given the privilege ON THE domain controller.

Not so foolish, this is the correct way of running the command on a
machine that is joined to the domain, '-S' or '--server=' is the only
way that 'net' knows which machine to connect to.

Rowland
Post by Johnson, Eric
Originally I was using sssd/ldap/Kerberos and not winbind, but still had the same error, the machine has been wiped and reinstalled several times
I have used a far more basic smb.conf without winbind and vfs/acl, but this is my current one.
*******
[global]
netbios name = fs6
workgroup = BES
security = ADS
realm = ebs.private.net
encrypt passwords = yes
interfaces = 155.198.41.0/24 127.0.0.1 lo em1
bind interfaces only = yes
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config BES:backend = ad
idmap config BES:schema_mode = rfc2307
idmap config BES:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
I have even done the command from another linux server into the samba server but it too gives the same error
Could not connect to server fs6 <fs6 is the samba server>
Connection failed: NT code 0xc0000418
Netstat shows entries for 127.0.0.1 associated with 139 and 445. Haven't got the actual output, but I could get it.
I would appreciate it if anyone could give me any tests to check basic functionality. I am thinking that it may be to do with groups, but I would expect different types of errors.
ANY basic tests welcome.
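
Added example (not part of the thread and not Samba's own code): after a grant lands on a machine other than the intended one, as with user2 above, the holders of a privilege can be audited by parsing `net rpc rights list accounts`. The record layout assumed here (account line, privilege lines, blank line) and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the accounts that hold a given privilege.
# Assumed input layout (as printed by `net rpc rights list accounts`):
#   account line, one privilege per line, then a blank line.

# holders PRIVILEGE: reads a listing on stdin, prints matching accounts.
holders() {
    awk -v want="$1" '
        /^Enter .*password:/ { next }             # skip a password prompt
        /^[[:space:]]*$/     { acct = ""; next }  # blank line ends a record
        acct == ""           { acct = $0; next }  # first line is the account
        $0 == want           { print acct }       # remaining lines are rights
    '
}

# Constructed sample listing (not output from the servers in the thread).
sample_listing() {
    cat <<'EOF'
BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege

BES\user2
SeMachineAccountPrivilege

BES\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Print Operators
No privileges assigned

EOF
}

# Live use; -S names the target explicitly, as the reply above explains:
#   net rpc rights list accounts -S DOMAIN_CONTROLLER -Uadministrator \
#       | holders SeMachineAccountPrivilege
# An unwanted grant can then be removed with:
#   net rpc rights revoke 'BES\user2' SeMachineAccountPrivilege \
#       -S DOMAIN_CONTROLLER -Uadministrator

sample_listing | holders SeMachineAccountPrivilege
```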