[Samba] Why would "net rpc rights grant" fail ?

Koenraad Lelong k.lelong at ace-electronics.be
Sat Apr 12 12:51:57 MDT 2014


On 11-04-14 15:29, L.P.H. van Belle wrote:
> Hai,
>
>
> The base is always Administrator, this is because of the user mapping root = ... see below..
> I'll go modify the script for that. Can you tell which server/script this is ?

I'm using 1-setup-sernet-samba4-ADDC-wheezy.sh, although I don't know if 
it's the latest version. I downloaded it last Monday.
I modified it to do a classicupgrade, and to use the Ubuntu sernet-packages.

>
> Can you try to run it like this.
>
> net rpc rights grant YOURDOMAIN\\AdminKoen SeDiskOperatorPrivilege -UAdministrator
> ( -U administrator is needed to make it work; it's used to authenticate so you can set the privileges. )

I tried using Administrator, but this does not work. I then tried to log 
in as Administrator in the "old" domain. This fails also. I tried 
modifying its password and use that, but this does not work.
So I tried with my normal "Domain Admin" username AdmiKoen.
I could use root and its password to log in though, both on the "old" 
domain and the new server.

I modified your script to use -U${SETNTUSER} instead of Administrator 
in some places. Now I know that was not good ;-)

>
> And for full admin rights, add all the SEPrivileges to AdminKoen.
> When you run it outside the script you can also kinit Administrator first.

So all "Domain Admins" have to have all SEPrivileges ? Adding their 
names to the group is not sufficient ?

>
> also check if the file in /etc/samba/samba_usermapping exist.
> !root = YOURDOMAIN\Administrator YOURDOMAIN\administrator

No mapping-file found.

>
> If you want to have AdminKoen run as "root", well, there is only 1 root ( Administrator ),
> then you can change it in the samba_usermapping file.

No, I just tried Admikoen because Administrator could not log in.
But this raises a question: does the root on the new server need the 
same password as on the old server? And with root I mean "linux-root". 
Or are they not related?

>
> I'm guessing you have this problem on the member server? That was also the hard one to get working.
>

No, this is a test-server that will become the prime AD-DC, not a member 
server.

> Adding a Windows 7 PC ( Dutch ) should not be any problem, I joined 32bit and 64bit.
> But I did use the user DOMAIN\Administrator for the join.
> Administrator on the PC is disabled.

I know it should not be a problem, but since Administrator did not work 
I used AdmiKoen, but I think it's related to the SEPrivileges problem. I 
need to solve this first.

>
> So if I look at your problem.
> Are you trying to get AdminKoen to be "root" or just an extra domain admin?
> If only as an extra domain admin, then adding him to "domain admin" should be sufficient.
> And do not disable Administrator.. Samba also uses it in the background,
> see the /var/lib/samba/private/named.conf.update
>
> Can you try again and report back?

Will do on Monday.

>
>
> Best regards,
>
> Louis
>

Many thanks,

Koenraad.


