[Samba] "net rpc rights" commands. Connection always fails

Rowland Penny rowlandpenny at googlemail.com
Fri Jul 4 06:11:21 MDT 2014


On 04/07/14 12:17, Johnson, Eric wrote:
> Windows 2012 R2 domain at highest level and one rhel6.5 samba server(3.6)
>   
> Been throwing everything at this for the last few days. I can join to the domain and create ACL enabled shares but this one command I am struggling with.
>
> $ net rpc rights grant 'BES\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> Enter administrator's password:
> Could not connect  to server 127.0.0.1

This shows that 'net' was trying to connect to an AD DC on localhost, so 
it will not work unless the command is actually run on a samba4 AD DC.

> Connection failed: NT code 0xc0000418
> $
> Typing nonsense into the username and password gives the same result.
>
> Perhaps a hint is when I (foolishly) did
> net rpc -S DOMAIN_CONTROLLER rights grant 'BES\user2' SeMachineAccountPrivilege  -Uadministrator
> It worked and user2 was given the privilege ON THE domain controller.
Not so foolish, this is the correct way of running the command on a 
machine that is joined to the domain, '-S' or '--server=' is the only 
way that 'net' knows which machine to connect to.

Rowland

>
> Originally I was using sssd/ldap/Kerberos and not winbind, but still had the same error, the machine has been wiped and reinstalled several times
> I have used a far more basic smb.conf without winbind and vfs/acl, but this is my current one.
>
> *******
> [global]
>     netbios name = fs6
>     workgroup = BES
>     security =  ADS
>     realm = ebs.private.net
>     encrypt passwords = yes
>     interfaces = 155.198.41.0/24 127.0.0.1 lo em1
>     bind interfaces only = yes
>     client signing = yes
>     client use spnego = yes
>     kerberos method = secrets and keytab
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config BES:backend = ad
>     idmap config BES:schema_mode = rfc2307
>     idmap config BES:range = 500-40000
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> I have even done the command from another linux server into the samba server but it too gives the same error
> Could not connect  to server fs6                    <fs6 is the samba server>
> Connection failed: NT code 0xc0000418
>
> Netstat  shows entries for 127.0.0.1 associated with 139 and 445. Haven't got the actual output, but I could get it.
>
> I would appreciate it if anyone could give me any tests to check basic functionality. I am thinking that it may be to do with groups, but I would expect different types of errors.
> ANY basic tests welcome.
>
>


