[Samba] Why would "net rpc rights grant" fail ?

[Koenraad Lelong]

op 14-04-14 11:42, Rowland Penny schreef:

> Hi,
>
> As far as I can see (never actually having had to do an upgrade) the
> procedure is:
>
> Make sure the info in your LDAP server is correct (no duplicate SID's etc)

I don't use ldap on samba3. It a tdb-file setup.

>
> Install samba4 on the same server that LDAP is running on, but do not
> provision
>
> With LDAP running, run the classicupgrade with samba-tool
>
> Once finished, stop LDAP and any DNS. make resolv.conf point to
> '127.0.0.1' and start samba4
>
> Is this basically what you are doing ?
>
> Have you read and understood this page in the wiki ? :
>
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
>
I read it several times, and I understand it I think.

>
> Once you have your information in AD and Samba4 is running, forget root
> when 'talking' to AD, only use 'Administrator', the user 'root' does not
> exist in AD. You would only use the 'root' user when you are doing
> something that directly affects the machine that samba4 is running on,
> i.e. creating a directory

I'll forget about root in samba, but what about the root that's in 
samba-tool user list ? Can I remove that ? That root is member of 
"Domain Admins".

>
> You talk about moving .tdb files to the new server, Just what did you
> move and to where ?

I copied all tdb-files I could find on the samba3-server over to a 
temp-directory on the new server. Also the smb.conf of the old server, 
passwd and group, group_mapping.ldb.

>
>  From what you have written, I think that you are trying to do all this
> on the new samba4 AD server, is this correct ?
>

Yes, it's on the new samba4 server.

Koenraad.

P.S. I was writing this when I saw your new response. I tried something 
new, but this does not work : I saw your remark about resolv.conf 
pointing to 127.0.0.1. I had it to 192.168.200.10, which is the address 
of the NIC of the samba4 server.