[Samba] RPC, DCOM, 1745 and Other Errors

Thomas Mulkey tmulkey at incentafcu.org
Mon Sep 29 14:52:42 MDT 2014


It is fixed!

I put the samba daemon in interactive mode with a debug level of 10 (./smbd -i -d10) and tried to connect to the share and this is what I get.  It appears as if it is not understanding the domain administrator as a valid user. 

Kerberos ticket principal name is [administrator at INCENTA.LOCAL]
Domain is [INCENTA] (using PAC)
Finding user INCENTA\administrator
Trying _Get_Pwnam(), username as lowercase is incenta\administrator
Trying _Get_Pwnam(), username as given is INCENTA\administrator
Trying _Get_Pwnam(), username as uppercase is INCENTA\ADMINISTRATOR
Checking combinations of 0 uppercase letters in incenta\administrator
Get_Pwnam_internals didn't find user [INCENTA\administrator]!
Finding user administrator
Trying _Get_Pwnam(), username as lowercase is administrator
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
Checking combinations of 0 uppercase letters in administrator
Get_Pwnam_internals didn't find user [administrator]!
Finding user administrator
Trying _Get_Pwnam(), username as lowercase is administrator
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
Checking combinations of 0 uppercase letters in administrator
Get_Pwnam_internals didn't find user [administrator]!
Username INCENTA\administrator is invalid on this system
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:130

So then I discovered I had not added the nmbd and winbindd daemons to my startup and they were not running.  I started them, and poof I could see the share from Windows Computer Management.  I was all happy and then I discovered that when I changed any permissions and clicked OK I got a fat old "Unable to Save Changes: Access is Denied"

So upon further investigation with smbd in interactive mode I noticed it was saying UID - 46389275 (not sure if that was the actual number but something like that) did not have the SeDiskOperatorPrivilege set.  I double checked and it did have it set.  I set it for Domain Admins, Administrators, Administrator, etc and no go. 

I then did an "id administrator" and it showed me that same UID, but no group info or anything like it had on the domain controller.  I then did "id tmulkey" and it showed me the same info (same exact IDs) for every single domain user.  I figured that wasn't right.

I then discovered a typo in my smb.conf on the file server.  I had "   idmap config *:range = 70001=80000" and it should have been "   idmap config *:range = 70001-80000"  I fixed that and restarted everything and still no go.  I poked around some more and triple checked the rest of my smb.conf.

I finally decided if I made one typo I may have made another.  So I went ahead and did a cut and paste from the original howto into my smb.conf (should have done that in the first place) and changed my server and domain names.  I again restarted everything and I can now see and manage my shares.

I still get the RPC error, which I would like to resolve at some point, but after clicking OK it goes right on by it and I can set permissions.  

So the problem appears to be forgetting to add daemons to start automatically and fat fingers!  I guess I can't blame this one on the developers.  When I get this all set up I am going to wipe it and set it up again from my notes and do a step by step how-to (which I have to do for my own documentation anyway) and find somewhere to post it online.  I think there are a lot of other Admins out there with some limited Linux knowledge that would benefit from a step by step on this common setup since Microsoft has taken away all Upgrade Licenses and expects you to buy Software Assurance on everything; it just isn't in a lot of people's IT budgets to spend that kind of cash right now.

Thanks for all your help. 
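The two faults this thread ends on, the "=" typed in place of "-" in the idmap range and every domain user collapsing onto one UID, as checks to run before restarting the daemons. This is an added example, not from the post or from the Samba project; the temp-file paths, the sample UIDs and the "user uid" pairs standing in for "id -u" output are constructed.

```shell
#!/bin/sh
# Added example: validate "idmap config <dom>:range" lines in smb.conf and
# detect several users resolving to the same UID (the symptom in the post).

# Constructed smb.conf fragments: the typo from the post ('=' for '-') beside
# the corrected line. Hypothetical temp paths; the domain name is the post's.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
[global]
   workgroup = INCENTA
   idmap config *:range = 70001=80000
EOF
cat >"$GOOD_CONF" <<'EOF'
[global]
   workgroup = INCENTA
   idmap config *:range = 70001-80000
   idmap config INCENTA:range = 10000-69999
EOF

# check_idmap_ranges FILE: returns 0 if every "idmap config <dom>:range" value
# is "<low>-<high>" with low < high; 1 (printing each offending line) otherwise.
check_idmap_ranges() {
    bad=0
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lower" in '#'*|';'*) continue ;; esac          # skip comments
        case "$lower" in *"idmap config"*":range"*) ;; *) continue ;; esac
        value=$(printf '%s' "${line#*=}" | tr -d '[:space:]') # text after first '='
        case "$value" in
            ''|*[!0-9-]*|*-*-*|-*|*-) echo "malformed idmap range: $line"; bad=1; continue ;;
        esac
        low=${value%-*}; high=${value#*-}
        [ "$low" -lt "$high" ] || { echo "inverted idmap range: $line"; bad=1; }
    done <"$1"
    return $bad
}

# Constructed "user uid" pairs standing in for "id -u <user>" output: the broken
# state the post describes (every domain user on one UID) beside a healthy one.
COLLAPSED=$(mktemp); DISTINCT=$(mktemp)
printf 'administrator 46389275\ntmulkey 46389275\n' >"$COLLAPSED"
printf 'administrator 70001\ntmulkey 70002\n' >"$DISTINCT"

# check_uids_distinct FILE: returns 1 if any UID is shared by more than one user.
check_uids_distinct() {
    dups=$(awk '{ print $2 }' "$1" | sort | uniq -d)
    [ -z "$dups" ] || { echo "several users share UID(s): $dups"; return 1; }
}

check_idmap_ranges "$GOOD_CONF" && check_uids_distinct "$DISTINCT" && echo "idmap config and UID mapping look sane"
```

On a live file server, replace the constructed files with /etc/samba/smb.conf and the output of "id -u" for a few domain users; "testparm" will not catch the "=" typo because the value is still a syntactically valid string.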


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of mourik jan heupink - merit
Sent: Monday, September 29, 2014 2:54 PM
To: samba at lists.samba.org
Subject: Re: [Samba] RPC, DCOM, 1745 and Other Errors

Hi John,

Ok, now I understand, yes: (re)Joining a new dc using a name that already existed is a bad idea.

MJ

>> MJ
>  From what I remember if you try and rejoin a DC with the same name 
> some bad things happen when you try and remove it a second time. I have 
> had this happen on a first removal. This was done on a 2003 domain 
> that was upgraded to 2008R2 then joined a samba 4 AD server to it. 
> After that we did a dcpromo on the old MS AD server. That failed and 
> had to do a force. After the force it left the meta data that could not be removed.
> After a few weeks our users were unable to login to our terminal server 
> and a few weeks after that no one could authenticate to the domain.
>
> This is a known problem that has been posted on the dev list several 
> times along with the DNS issues that go with this bug.
>
> Jonn
>