[Samba] Why would "net rpc rights grant" fail ?

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 14 03:42:43 MDT 2014


On 14/04/14 09:58, Koenraad Lelong wrote:
> On 11-04-14 15:29, L.P.H. van Belle wrote:
>> Hai,
>>
>>
>> The base is always Administrator; this is because of the user mapping 
>> root = ... (see below).
>> I'll go modify the script for that. Can you tell me which server/script 
>> this is?
>>
>> Can you try to run it like this.
>>
>> net rpc rights grant YOURDOMAIN\\AdminKoen SeDiskOperatorPrivilege 
>> -UAdministrator
>> (-U Administrator is needed to make it work; it's used to 
>> authenticate so you can set the privileges.)
>>
>> And for full admin rights, add all the SE privileges to AdminKoen.
>> When you run it outside the script you can also kinit Administrator 
>> first.
>>
>> Also check if the file /etc/samba/samba_usermapping exists.
>> !root = YOURDOMAIN\Administrator YOURDOMAIN\administrator
>>
>> If you want to have AdminKoen run as "root", well, there is only 1 
>> root (Administrator);
>> then you can change it in the samba_usermapping file.
>>
>> I'm guessing you have this problem on the member server? That was also 
>> the hard one to get working.
>>
>> Adding a Windows 7 PC (Dutch) should not be any problem; I joined 
>> 32-bit and 64-bit.
>> But I did use the user DOMAIN\Administrator for the join.
>> Administrator on the PC is disabled.
>>
>> So if I look at your problem:
>> are you trying to get AdminKoen to be "root" or just an extra domain 
>> admin?
>> If only as an extra domain admin, then adding him to "domain admin" 
>> should be sufficient.
>> And do not disable Administrator; Samba also uses it in the background,
>> see /var/lib/samba/private/named.conf.update
>>
>> Can you try again and report back?
>>
>>
>> Best regards,
>>
>> Louis
>
> Hi,
>
> To clarify: I used Admikoen because Administrator could do nothing 
> when used with the script. I used what I thought was the password for 
> Administrator. I even set it again (using Admikoen as Domain Admin) 
> and then copied the new tdb files over to the new server. Using that 
> password, all tests failed.
> Now I just found out that when I use the root-password (linux-root 
> from the samba3 PDC) for the Administrator in the script, I only have 
> the "net rpc rights grant ..." error.
>
> I then added a usermapping but the error is still there:
> ==========SE Privileges ===============================
> Giving group Domain Admins the SeDiskOperatorPrivilege rights.
> Enter Administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE
>
> Maybe related : in my samba3-domain, Administrator can't log in 
> although there is a usermapping : root = administrator. I don't 
> remember doing anything to disable Administrator on samba3, but it's 
> more than 5 years ago. On the samba3 domain, I can login as root though.
>
> I'm using 1-setup-sernet-samba4-ADDC-wheezy.sh, although I don't know 
> if it's the latest version. I downloaded it last Monday.
> I modified it to do a classicupgrade and to use the Ubuntu 
> sernet packages.
> All this is on a test-server that will become the prime AD-DC, not a 
> member server.
>
> Anyway,
>
> Many thanks for the help.
>
> Koenraad.
Hi,

As far as I can see (never actually having had to do an upgrade) the 
procedure is:

Make sure the info in your LDAP server is correct (no duplicate SIDs etc.)

Install samba4 on the same server that LDAP is running on, but do not 
provision

With LDAP running, run the classicupgrade with samba-tool

Once finished, stop LDAP and any DNS. Make resolv.conf point to 
'127.0.0.1' and start samba4

Is this basically what you are doing?

Have you read and understood this page in the wiki?

https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29

Once you have your information in AD and Samba4 is running, forget root 
when 'talking' to AD, only use 'Administrator'; the user 'root' does not 
exist in AD. You would only use the 'root' user when you are doing 
something that directly affects the machine that samba4 is running on, 
i.e. creating a directory.

You talk about moving .tdb files to the new server; just what did you 
move and to where?

From what you have written, I think that you are trying to do all this 
on the new samba4 AD server, is this correct?

Rowland
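The steps Louis describes earlier in the thread (check that the username map file maps root to DOMAIN\Administrator, then run `net rpc rights grant` for each SE privilege while authenticating as Administrator) as one added script. This is example code, not the script from the thread; the map file path, YOURDOMAIN, AdminKoen and the server address are placeholders to replace, and the privilege names are the ones `net rpc rights list` prints on a Samba DC.

```shell
#!/bin/sh
# Added example, not the thread's 1-setup-sernet-samba4-ADDC-wheezy.sh script.
# Checks the Samba username map and grants all SE privileges to a domain
# account, authenticating as Administrator (as the thread recommends).

# Privilege names as shown by `net rpc rights list` on a Samba DC.
ALL_PRIVS="SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege \
SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege"

# usermap_ok FILE DOMAIN: returns 0 when FILE contains a line of the form
#   !root = DOMAIN\Administrator ...
# (the '!' stops Samba from evaluating later map lines), 1 otherwise.
usermap_ok() {
    file=$1; dom=$2
    [ -r "$file" ] || return 1
    # "\\\\" in double quotes reaches grep as "\\", i.e. one literal backslash.
    grep -Eiq "^[[:space:]]*!root[[:space:]]*=.*${dom}\\\\Administrator" "$file"
}

# grant_all DOMAIN ACCOUNT [SERVER]: grants every privilege in ALL_PRIVS to
# DOMAIN\ACCOUNT as Administrator. Proves the RPC connection first, since the
# thread's failure (NT_STATUS_INVALID_NETWORK_RESPONSE) happened at connect
# time, not at grant time. Returns the number of grants that failed.
grant_all() {
    dom=$1; acct=$2; srv=${3:-127.0.0.1}; failed=0
    net rpc rights list privileges -S "$srv" -U Administrator >/dev/null || {
        echo "cannot reach $srv over RPC as Administrator; fix that first" >&2
        return 1
    }
    for p in $ALL_PRIVS; do
        # "${dom}\\${acct}" becomes DOMAIN\ACCOUNT after shell unescaping.
        net rpc rights grant "${dom}\\${acct}" "$p" -S "$srv" -U Administrator \
            || { echo "grant of $p to ${dom}\\${acct} failed" >&2
                 failed=$((failed + 1)); }
    done
    return $failed
}

# Usage: sh grant_privs.sh YOURDOMAIN AdminKoen [server]
if [ $# -ge 2 ]; then
    usermap_ok /etc/samba/samba_usermapping "$1" \
        || echo "warning: no '!root = $1\\Administrator' line in username map" >&2
    grant_all "$@"
fi
```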

