[Samba] Why would "net rpc rights grant" fail ?

L.P.H. van Belle belle at bazuin.nl
Fri Apr 11 07:29:49 MDT 2014


Hai, 


The base is always Administrator, this is because of the user mapping root = ... see below.. 
I'll go modify the script for that. Can you tell which server/script this is ? 

Can you try to run it like this. 

net rpc rights grant YOURDOMAIN\\AdminKoen SeDiskOperatorPrivilege -UAdministrator 
(-U Administrator is needed to make it work; it's used to authenticate so you can set the privileges.)

And for full admin rights, add all the SEPrivileges to AdminKoen.
When you run it outside the script you can also kinit Administrator first.

Also check if the file /etc/samba/samba_usermapping exists.
!root = YOURDOMAIN\Administrator YOURDOMAIN\administrator

If you want to have AdminKoen run as "root", well, there is only 1 root (Administrator);
then you can change it in the samba_usermapping file. 

I'm guessing you have this problem on the member server? That was also the hard one to get working.

Adding a Windows 7 PC (Dutch) should not be any problem; I joined 32-bit and 64-bit.
But I did use the user DOMAIN\Administrator for the join.
Administrator on the PC is disabled.

So if I look at your problem:
Are you trying to get AdminKoen to be "root" or just an extra domain admin?
If only as an extra domain admin, then adding him to "domain admin" should be sufficient.
And do not disable Administrator. Samba also uses it in the background;
see the /var/lib/samba/private/named.conf.update

Can you try again and report back? 


Best regards, 

Louis


>-----Original message-----
>From: samba.k.lelong at ace-electronics.be 
>[mailto:samba-bounces at lists.samba.org] On behalf of Koenraad Lelong
>Sent: Friday 11 April 2014 15:08
>To: samba at lists.samba.org
>Subject: [Samba] Why would "net rpc rights grant" fail ?
>
>Hi,
>
>Me again, still trying to migrate my samba3-server.
>
>Using the script of L.P.H. van Belle, there is one failure:
>net rpc rights grant ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege -U${SETNTUSER}
>
>This is the result :
>==========SE Privileges ===============================
>Giving group Domain Admins the SeDiskOperatorPrivilege rights.
>Enter Admikoen's password:
>Could not connect to server 127.0.0.1
>Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE
>
>In my script, just after starting samba I added AdmiKoen to the "Domain
>Admins". The Kerberos-tests work OK, SE privileges fails (see above),
>testing DNS-records is OK, adding reverse zones is also OK.
>
>I tried to add a Win7-PC, but that fails also, but I don't know if it's
>related to the SE privileges fail.
>This is what I get on the Win7-PC (translated from Dutch): The given
>server can't execute the requested operation.
>
>So the question is : where do I look to detect what's going wrong ?
>
>Thanks for any pointers.
>
>P.S. the Kerberos test outputs : Etype (skey, tkt): arcfour-hmac, 
>arcfour-hmac
>while the "provision" version outputs : Etype (skey, tkt): 
>aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>Is this related to the failure ?
>
>Regards,
>
>Koenraad.

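An added example, not part of the original thread or of Samba: a small Python audit of a file in smb.conf "username map" syntax, showing which client names end up as root and why the leading "!" on the root line matters once a wildcard line follows. Only the !root line is taken from the message; the guest line, the sample text and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample in "username map" syntax. Only the !root line comes from
# the message above; the guest/wildcard line is a placeholder for illustration.
SAMPLE_MAP = r'''
# comment lines start with # or ;
!root = YOURDOMAIN\Administrator YOURDOMAIN\administrator
guest = "YOURDOMAIN\Guest User" *
'''

def parse_map(text):
    """Yield (stop, unix_name, [client names]) for each mapping line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")  # '!' = stop processing once this line matches
        unix, _, rhs = line.lstrip("!").partition("=")
        # Names containing spaces are double-quoted in the map file.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rhs)]
        yield stop, unix.strip(), names

def resolve(text, client):
    """Return the Unix name a client name maps to, or None if unmapped.

    Assumptions: names compare case-insensitively; @group entries are not
    expanded and only match literally.
    """
    result = None
    for stop, unix, names in parse_map(text):
        if "*" in names or client.lower() in (n.lower() for n in names):
            result = unix  # without '!', a later matching line overrides this
            if stop:
                break
    return result

def maps_to_root(text):
    """List every client name (or '*') that some line maps to root."""
    return [n for _, unix, names in parse_map(text) if unix == "root" for n in names]

if __name__ == "__main__":
    print("mapped to root:", maps_to_root(SAMPLE_MAP))
    for who in (r"YOURDOMAIN\Administrator", r"YOURDOMAIN\AdminKoen"):
        print(who, "->", resolve(SAMPLE_MAP, who))
```

With the "!" removed from the root line, the later wildcard line would remap Administrator to guest, so the audit is worth re-running after any edit to the file.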

