[Samba] Using rpcclient with my NetApp fails

[pisymbol .]

On Wed, Feb 18, 2015 at 5:47 PM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Feb 17, 2015 at 12:42:20PM -0500, pisymbol . wrote:
>> Hello:
>>
>> I have a Netapp 8.2.2P1 7-Mode connected to my Active Directory domain
>> and the following rpcclient command on CentOS 6.5 is bailing on the
>> following error:
>>
>> could not obtain sid for domain QUEST
>> error: NT_STATUS_ACCESS_DENIED
>>
>> I've tested this with all stable version of 3.6 etc. I have not tried
>> the python based rpcclient command yet though.
>>
>> But after a bit of debugging, it seems that the fetch_machine_sid()
>> function is failing to open up the LSA pipe using the domain's
>> administrative credentials.
>>
>> I have verified that the netapp is joined to the domain, can perform
>> SID lookups, as well as have its own "administrators" group see RID
>> 500 and have full access to the netapp.
>>
>> If I comment out fetch_machine_sid() from rpcclient, everything works
>> fine (I get 'netshareenum' output from all supported levels).
>>
>> Does anyone have any idea why samba and my NetApp aren't playing nice?
>> More specifically, does anyone know why the LSA open policy stuff
>> would fail on a NetApp when using domain administrator creds (RID
>> 500)?
>
> Log a bug at bugzilla.samba.org and upload an rpcclient log
> + wireshare trace of this running successfully against Windows
> and failing against NetApp please !

I've submitted a bug report with NetApp as well.

Jeremy, a more samba-ish related question though:

Why does rpcclient need to call fetch_machine_sid() and subsequently
try to open up the LSA for every type of RPC? i.e. The 'netshareenum'
calls works fine if I just comment this line out.

Thanks for at least reading my post!

-aps