[Samba] Why would "net rpc rights grant" fail ?

Koenraad Lelong k.lelong at ace-electronics.be
Sun Apr 13 01:33:29 MDT 2014


On 11-04-14 15:29, L.P.H. van Belle wrote:
> Hai,
>
>
> The base is always Administrator, this is because of the user mapping root = ... see below..
> I'll go modify the script for that. Can you tell which server/script this is ?

I'm using 1-setup-sernet-samba4-ADDC-wheezy.sh, although I don't know if 
it's the latest version. I downloaded it last Monday.
I modified it to do a classicupgrade, and to use the Ubuntu sernet-packages.

>
> Can you try to run it like this.
>
> net rpc rights grant YOURDOMAIN\\AdminKoen SeDiskOperatorPrivilege -UAdministrator
> ( -U administrator is needed to make it work, it's used to authenticate so you can set the privileges. )
>

I tried using Administrator, but this does not work. I then tried to log 
in as Administrator in the "old" domain. This fails also. I tried 
modifying its password and use that, but this does not work.
So I tried with my normal "Domain Admin" username AdmiKoen.
I could use root and its password to log in though, both on the "old" 
domain and the new server.

I modified your script to use -U${SETNTUSER} instead of Administrator 
in some places. Now I know that was not good.

> And for full admin rights, add all the SEPrivileges to AdminKoen.
> When you run it outside the script you can also kinit Administrator first.
>

So all "Domain Admins" have to have all SEPrivileges ? Adding their 
names to the group is not sufficient ?

> Also check if the file in /etc/samba/samba_usermapping exists.
> !root = YOURDOMAIN\Administrator YOURDOMAIN\administrator
>

No mapping file found.

> If you want to have AdminKoen run as "root", well, there is only 1 root ( Administrator )
> then you can change it in the samba_usermapping file.
>

No, I just tried Admikoen because Administrator could not log in.
But this raises a question : does the root on the new server need the 
same password as on the old server ? And with root I mean "linux-root". 
Or are they not related ?

> I'm guessing you have this problem on the member server? That was also the hard one to get working.
>

No, this is a test-server that will become the prime AD-DC, not a member 
server.

> Adding a Windows 7 PC ( Dutch ) should not be any problem, I joined 32bit and 64bit.
> But I did use the user DOMAIN\Administrator for the join.
> Administrator on the PC is disabled.
>

I know it should not be a problem, but since Administrator did not work 
I used AdmiKoen, but I think it's related to the SEPrivileges problem. I 
need to solve this first.

> So if I look at your problem.
> Are you trying to get AdminKoen to be "root" or just an extra domain admin?
> If only as extra domain admin, then adding him to "domain admin" should be sufficient.
> And do not disable Administrator.. samba also uses it in the background,
> see the /var/lib/samba/private/named.conf.update
>
> Can you try again and report back?
>

Will do on Monday.

>
> Best regards,
>
> Louis
>
Many thanks,

Koenraad.

