[Samba] Why would "net rpc rights grant" fail ?

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 14 09:06:37 MDT 2014


On 14/04/14 15:44, Koenraad Lelong wrote:
> op 14-04-14 11:42, Rowland Penny schreef:
>
>> Hi,
>>
>> As far as I can see (never actually having had to do an upgrade) the
>> procedure is:
>>
>> Make sure the info in your LDAP server is correct (no duplicate SID's 
>> etc)
>
> I don't use ldap on samba3. It's a tdb-file setup.
>
>>
>> Install samba4 on the same server that LDAP is running on, but do not
>> provision
>>
>> With LDAP running, run the classicupgrade with samba-tool
>>
>> Once finished, stop LDAP and any DNS. make resolv.conf point to
>> '127.0.0.1' and start samba4
>>
>> Is this basically what you are doing ?
>>
>> Have you read and understood this page in the wiki ? :
>>
>> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29 
>>
>>
> I read it several times, and I understand it I think.
>
>>
>> Once you have your information in AD and Samba4 is running, forget root
>> when 'talking' to AD, only use 'Administrator', the user 'root' does not
>> exist in AD. You would only use the 'root' user when you are doing
>> something that directly affects the machine that samba4 is running on,
>> i.e. creating a directory
>
> I'll forget about root in samba, but what about the root that's in 
> samba-tool user list? Can I remove that? That root is a member of 
> "Domain Admins".
>
Yes, I do not have any user called 'root' in my AD, that is what 
'Administrator' is for, he is the Windows version of the 'root' user.

>>
>> You talk about moving .tdb files to the new server, Just what did you
>> move and to where ?
>
> I copied all tdb-files I could find on the samba3-server over to a 
> temp-directory on the new server. Also the smb.conf of the old server, 
> passwd and group, group_mapping.ldb.
>

I take it you did this for the classicupgrade and that they are nowhere 
near /var/lib/samba?


>>
>>  From what you have written, I think that you are trying to do all this
>> on the new samba4 AD server, is this correct ?
>>
>
> Yes, it's on the new samba4 server.
>

Well, all things being well, it should just work, but at the moment, it 
is not recommended to use the Samba 4 server as a file server and I 
believe that you do not need to run the privilege granting commands on 
the samba4 server.

If you install ldb-tools (this is on debian, it might be different on 
your OS) and then run this command:

ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=example,DC=com -s sub 
"(objectclass=*)" > /root/samba4.ldif

Making sure that sam.ldb is in /var/lib/samba/private and changing 
'DC=example,DC=com' for your suffix, you will get a browsable dump of 
your AD contents (well, most of it anyway).

Check it to see if your users and groups are actually there.

> Koenraad.
>
> P.S. I was writing this when I saw your new response. I tried 
> something new, but this does not work : I saw your remark about 
> resolv.conf pointing to 127.0.0.1. I had it to 192.168.200.10, which 
> is the address of the NIC of the samba4 server.
>
Either should work, but localhost should always be 127.0.0.1 and I 
didn't know your server's IP ;-)

Rowland
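Rowland's last step is "check the dump to see if your users and groups are actually there". The script below is an added example and is not part of the thread or of Samba itself: it parses an LDIF dump produced by an ldbsearch command like the one above (with your own suffix in place of DC=example,DC=com) and lists the user and group accounts it contains, then reports any expected names that did not survive the classicupgrade. The sample dump it writes to a temp file is constructed for the demonstration; the function names (unwrap_ldif, list_by_class, check_expected) are this example's own. Computer accounts also carry objectClass "user" in AD, so they are filtered out of the user list.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: sanity-check an ldbsearch
# dump of sam.ldb for the users and groups the classicupgrade should have
# carried over. Assumes a dump made with something like:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=example,DC=com -s sub \
#       "(objectclass=*)" > /root/samba4.ldif

# Join LDIF continuation lines: a line starting with one space continues the
# previous attribute line. Blank lines (entry separators) are preserved.
unwrap_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    ' "$1"
}

# Print the sAMAccountName of every entry that has the given objectClass.
# Entries that are also objectClass "computer" are skipped, since machine
# accounts are "user" objects too (their names end in "$").
list_by_class() {
    unwrap_ldif "$1" | awk -v cls="$2" '
        function flush() {
            if (hit && !comp && name != "") print name
            hit = 0; comp = 0; name = ""
        }
        /^$/ { flush(); next }
        /^objectClass: / { if ($2 == cls) hit = 1; if ($2 == "computer") comp = 1; next }
        /^sAMAccountName: / { name = substr($0, 17); next }
        END { flush() }
    '
}

list_users()  { list_by_class "$1" user; }
list_groups() { list_by_class "$1" group; }

# Usage: check_expected DUMP CLASS name1 name2 ...
# Prints "MISSING <class>: <name>" for each expected account not in the dump;
# returns 1 if anything is missing, 0 otherwise.
check_expected() {
    dump=$1; cls=$2; shift 2
    found=$(list_by_class "$dump" "$cls")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
            echo "MISSING $cls: $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample dump in the shape ldbsearch prints (hypothetical data).
SAMPLE_DUMP=${TMPDIR:-/tmp}/samba4-sample.ldif
cat > "$SAMPLE_DUMP" <<'EOF'
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
sAMAccountName: Administrator

# record 2
dn: CN=koenraad,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: koenraad
description: migrated from the samba3 tdbsam by classicupgrade, a long descrip
 tion that ldbsearch wrapped over two lines
sAMAccountName: koenraad

# record 3
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Admins
sAMAccountName: Domain Admins

# record 4
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: DC1
sAMAccountName: DC1$

# returned 4 records
EOF

echo "users in dump:";  list_users "$SAMPLE_DUMP"
echo "groups in dump:"; list_groups "$SAMPLE_DUMP"
check_expected "$SAMPLE_DUMP" group "Domain Admins" "Domain Users" \
    || echo "some expected groups did not make it into AD"
```

On a real upgrade, point SAMPLE_DUMP (or the function arguments) at /root/samba4.ldif and feed check_expected the account names from the old server's passwd and group files; a non-zero return is the quickest sign that the classicupgrade silently dropped something.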

