[Samba] Why would "net rpc rights grant" fail ?

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 14 08:27:44 MDT 2014


On 14/04/14 15:01, Koenraad Lelong wrote:
> op 14-04-14 12:00, L.P.H. van Belle schreef:
>> Ok,
>>
>> first you have the latest script, so that's OK.
>> If only the Privileges go wrong atm then that's a "root/Administrator" 
>> thingy.
>>
>> but.. if it's only the Privileges (on the DC), I would say, continue 
>> with the upgrade first.
>> and when it's all done, stop samba and bind
>> backup /var/cache/bind  /var/cache/samba /var/lib/samba /etc/samba
>> start up again and.. I'm guessing big time, so just try ...
>>
>> net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>> net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UYOURDOMAIN\\Administrator
>> net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UYOURDOMAIN\\Adminkoen
>> net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdminkoen
>> net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -Uroot
>>
>> and something as : ( /etc/samba/smb.conf )
>> username map = /etc/samba/samba_usermapping
>>
>> !root = YOURDOMAIN\Administrator YOURDOMAIN\administrator
>>
>>
>> Best regards,
>>
>> Louis
>>
> Hi,
>
> I tried some combinations, but none work. I did set the log level to 1 
> and I get this in log.samba :
>
> [2014/04/14 15:46:43.274413,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[2]=S-1-5-21-177555115-702490737-1861429907-520: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.275186,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[3]=S-1-5-21-177555115-702490737-1861429907-572: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.275769,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[4]=S-1-5-21-177555115-702490737-1861429907-519: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.276372,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[5]=S-1-5-21-177555115-702490737-1861429907-518: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.277049,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[7]=S-1-1-0: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.277547,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[8]=S-1-5-2: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.278062,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[9]=S-1-5-11: NT_STATUS_NONE_MAPPED
> [2014/04/14 15:46:43.278886,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
>   idmapping sid_to_xid failed for id[12]=S-1-5-32-554: NT_STATUS_NONE_MAPPED
>
> Does this mean anything? In the mailing list I found someone that 
> has/had the same problem (see: samba4 classicupgrade problem 
> idmapping sid_to_xid failed on 28 feb 2014).
>
> ldbsearch -H /var/lib/samba/private/idmap.ldb -a
> # record 1
> dn: CN=S-1-5-21-177555115-702490737-1861429907-500
> cn: S-1-5-21-177555115-702490737-1861429907-500
> objectClass: sidMap
> objectSid: S-1-5-21-177555115-702490737-1861429907-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-177555115-702490737-1861429907-500
>
> # record 2
> dn: CN=CONFIG
> cn: CONFIG
> upperBound: 4000000
> lowerBound: None
> xidNumber: None
> distinguishedName: CN=CONFIG
>
> # record 3
> dn: CN=S-1-5-7
> cn: S-1-5-7
> objectClass: sidMap
> objectSid: S-1-5-7
> type: ID_TYPE_UID
> xidNumber: 65534
> distinguishedName: CN=S-1-5-7
>
> # record 4
> dn: CN=S-1-5-21-177555115-702490737-1861429907-513
> cn: S-1-5-21-177555115-702490737-1861429907-513
> objectClass: sidMap
> objectSid: S-1-5-21-177555115-702490737-1861429907-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-177555115-702490737-1861429907-513
>
> # returned 4 records
> # 4 entries
> # 0 referrals
>
> Is this OK?

Well NO, you seem to have about 22 records missing, and this is not counting 
any users and groups you should have. This could have something to do 
with the .tdb records you copied to the server, but you need to answer 
my earlier email before we can try and track down your problems.

Rowland
>
> Koenraad
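
A cross-check of the two diagnostics quoted in this thread, as an added example that is not part of any poster's message or of Samba itself: it extracts the SIDs that log.samba reports as sid_to_xid failures and lists those with no sidMap record in the ldbsearch dump of idmap.ldb. The function names are hypothetical, and the embedded input is a shortened excerpt of the output quoted above.

```python
import re

# Shortened excerpts of the log.samba lines and ldbsearch dump quoted in the thread.
LOG = """\
[2014/04/14 15:46:43.274413,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
  idmapping sid_to_xid failed for id[2]=S-1-5-21-177555115-702490737-1861429907-520: NT_STATUS_NONE_MAPPED
[2014/04/14 15:46:43.278886,  1] ../source4/winbind/idmap.c:831(idmap_sids_to_xids)
  idmapping sid_to_xid failed for id[12]=S-1-5-32-554:
NT_STATUS_NONE_MAPPED
"""
LDB = """\
dn: CN=S-1-5-21-177555115-702490737-1861429907-500
objectClass: sidMap
objectSid: S-1-5-21-177555115-702490737-1861429907-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=CONFIG
xidNumber: None

dn: CN=S-1-5-21-177555115-702490737-1861429907-513
objectClass: sidMap
objectSid: S-1-5-21-177555115-702490737-1861429907-513
type: ID_TYPE_GID
xidNumber: 100
"""

# \s* after the colon tolerates a log entry wrapped before the status code.
FAILED = re.compile(r"sid_to_xid failed for\s+id\[\d+\]=(S-[\d-]+):\s*NT_STATUS_NONE_MAPPED")

def failed_sids(log_text):
    """SIDs the log reports as unmappable, in first-seen order, without duplicates."""
    return list(dict.fromkeys(FAILED.findall(log_text)))

def sid_map(ldb_text):
    """Parse ldbsearch output into {sid: (type, xidNumber)}, sidMap records only."""
    out = {}
    for block in re.split(r"\n\s*\n", ldb_text):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if attrs.get("objectClass") == "sidMap":  # skips CN=CONFIG
            out[attrs["objectSid"]] = (attrs["type"], int(attrs["xidNumber"]))
    return out

def unmapped(log_text, ldb_text):
    """SIDs that failed in the log and have no record in idmap.ldb."""
    known = sid_map(ldb_text)
    return [sid for sid in failed_sids(log_text) if sid not in known]

print(unmapped(LOG, LDB))
```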
