[Samba] Why would "net rpc rights grant" fail ?

L.P.H. van Belle belle at bazuin.nl
Mon Apr 14 04:00:29 MDT 2014


Ok,

first, you have the latest script, so that's OK.
If only the privileges go wrong atm, then that's a "root/Administrator" thingy.

But if it's only the privileges (on the DC), I would say continue with the upgrade first,
and when it's all done, stop samba and bind,
back up /var/cache/bind /var/cache/samba /var/lib/samba /etc/samba,
start up again and... I'm guessing big time, so just try ...

net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator 
net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UYOURDOMAIN\\Administrator 
net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UYOURDOMAIN\\Adminkoen
net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdminkoen
net rpc rights grant YOURDOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -Uroot

and something like this (/etc/samba/smb.conf):
username map = /etc/samba/samba_usermapping

!root = YOURDOMAIN\Administrator YOURDOMAIN\administrator


Best regards, 

Louis



>-----Original message-----
>From: samba.k.lelong at ace-electronics.be [mailto:samba-bounces at lists.samba.org] On behalf of Koenraad Lelong
>Sent: Monday 14 April 2014 10:59
>To: samba at lists.samba.org
>Subject: Re: [Samba] Why would "net rpc rights grant" fail ?
>
>On 11-04-14 15:29, L.P.H. van Belle wrote:
>> Hai,
>>
>>
>> The base is always Administrator, this is because of the user mapping root = ... see below..
>> I'll go modify the script for that. Can you tell which server/script this is?
>>
>> Can you try to run it like this.
>>
>> net rpc rights grant YOURDOMAIN\\AdminKoen SeDiskOperatorPrivilege -UAdministrator
>> ( -U administrator is needed to make it work, it's used to authenticate so you can set the privileges. )
>>
>> And for full admin rights, add all the SEPrivileges to AdminKoen.
>> When you run it outside the script you can also kinit Administrator first.
>>
>> Also check if the file in /etc/samba/samba_usermapping exists.
>> !root = YOURDOMAIN\Administrator YOURDOMAIN\administrator
>>
>> If you want to have AdminKoen run as "root", well, there is only 1 root ( Administrator ),
>> then you can change it in the samba_usermapping file.
>>
>> I'm guessing you have this problem on the member server? That was also the hard one to get working.
>>
>> Adding a Windows 7 PC ( Dutch ) should not be any problem, I joined 32bit and 64bit,
>> but I did use the user DOMAIN\Administrator for the join.
>> Administrator on the PC is disabled.
>>
>> So if I look at your problem:
>> are you trying to get AdminKoen to be "root" or just an extra domain admin?
>> If only as extra domain admin, then adding him to "domain admin" should be sufficient.
>> And do not disable Administrator.. samba uses it also in the background,
>> see the /var/lib/samba/private/named.conf.update
>>
>> Can you try again and report back?
>>
>>
>> Best regards,
>>
>> Louis
>
>Hi,
>
>To clarify : I used Admikoen because Administrator could do nothing when
>used with the script. I used what I thought was the password for
>Administrator. I even set it again (using Admikoen as Domain Admin) and
>then copied the new tdb-files over to the new server. Using that
>password, all tests failed.
>Now I just found out that when I use the root-password (linux-root from
>the samba3 PDC) for the Administrator in the script, I only have the
>"net rpc rights grant ..." error.
>
>I then added a usermapping but the error is still there :
>==========SE Privileges ===============================
>Giving group Domain Admins the SeDiskOperatorPrivilege rights.
>Enter Administrator's password:
>Could not connect to server 127.0.0.1
>Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE
>
>Maybe related : in my samba3-domain, Administrator can't log in although
>there is a usermapping : root = administrator. I don't remember doing
>anything to disable Administrator on samba3, but it's more than 5 years
>ago. On the samba3 domain, I can login as root though.
>
>I'm using 1-setup-sernet-samba4-ADDC-wheezy.sh, although I don't know if
>it's the latest version. I downloaded it last Monday.
>I modified it to do a classicupgrade and to use the ubuntu sernet-packages.
>All this is on a test-server that will become the prime AD-DC, not a
>member server.
>
>Anyway,
>
>Many thanks for the help.
>
>Koenraad.
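
The username map setup discussed in this thread can be audited before retrying the grant. The script below is an added example, not part of either poster's message or of the setup script: `check_usermap` is a hypothetical helper, and its requirements that the map line start with "!" (which stops further map processing after a match) and that the map file not be group- or world-writable are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the "username map" setup.
# Usage: check_usermap SMB_CONF DOMAIN ; returns 0 only if every check passes.
check_usermap() {
    conf=$1
    # Expected Windows-side name, lower-cased: domain\administrator
    want=$(printf '%s\\administrator' "$2" | tr '[:upper:]' '[:lower:]')

    # smb.conf parameter names ignore case and embedded whitespace.
    map=$(awk '
        /^[ \t]*[#;]/ { next }
        { eq = index($0, "="); if (!eq) next
          key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
          if (key == "usernamemap") { v = substr($0, eq + 1)
              gsub(/^[ \t]+|[ \t]+$/, "", v) } }
        END { print v }' "$conf")
    [ -n "$map" ] || { echo "FAIL: no username map in $conf"; return 1; }
    [ -r "$map" ] || { echo "FAIL: cannot read $map"; return 1; }

    # Anyone who can edit the map can map their own account to root.
    if [ -n "$(find "$map" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "FAIL: $map is group- or world-writable"; return 1
    fi

    # Look for "!root = ... DOMAIN\Administrator ..." (names compared lower-cased).
    WANT=$want awk '
        /^[ \t]*[#;]/ { next }
        { line = tolower($0); eq = index(line, "="); if (!eq) next
          unix = substr(line, 1, eq - 1); gsub(/[ \t]/, "", unix)
          if (unix != "!root") next
          n = split(substr(line, eq + 1), names, /[ \t]+/)
          for (i = 1; i <= n; i++) if (names[i] == ENVIRON["WANT"]) found = 1 }
        END { exit !found }' "$map" ||
        { printf 'FAIL: no "!root = %s\\Administrator" line in %s\n' "$2" "$map"; return 1; }
    printf 'OK: root is mapped to %s\\Administrator via %s\n' "$2" "$map"
}
```

Run it as `check_usermap /etc/samba/smb.conf YOURDOMAIN`; it only reads the two files and changes nothing.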