[Samba] "net rpc rights" commands. Connection always fails

Rowland Penny rowlandpenny at googlemail.com
Fri Jul 4 06:11:21 MDT 2014

On 04/07/14 12:17, Johnson, Eric wrote:
> Windows 2012 R2 domain at highest level and one rhel6.5 samba server(3.6)
> Been throwing everything at this for the last few days. I can join to the domain and create ACL enabled shares but this one command I am struggling with.
> $ net rpc rights grant 'BES\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> Enter administrator's password:
> Could not connect  to server

This shows that 'net' was trying to connect to an AD DC on localhost, so 
it will not work unless the command is actually run on a samba4 AD DC.

> Connection failed: NT code 0xc0000418
> $
> Typing nonsense into the username and password gives the same result.
> Perhaps a hint is when I (foolishly) did
> net rpc -S DOMAIN_CONTROLLER rights grant 'BES\user2' SeMachineAccountPrivilege  -Uadministrator
> It worked and user2 was given the privilege ON THE domain controller.

Not so foolish, this is the correct way of running the command on a 
machine that is joined to the domain, '-S' or '--server=' is the only 
way that 'net' knows which machine to connect to.


> Originally I was using sssd/ldap/Kerberos and not winbind, but still had the same error, the machine has been wiped and reinstalled several times
> I have used a far more basic smb.conf without winbind and vfs/acl, but this is my current one.
> *******
> [global]
>     netbios name = fs6
>     workgroup = BES
>     security =  ADS
>     realm = ebs.private.net
>     encrypt passwords = yes
>     interfaces = lo em1
>     bind interfaces only = yes
>     client signing = yes
>     client use spnego = yes
>     kerberos method = secrets and keytab
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config BES:backend = ad
>     idmap config BES:schema_mode = rfc2307
>     idmap config BES:range = 500-40000
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
> I have even done the command from another linux server into the samba server but it too gives the same error
> Could not connect  to server fs6                    <fs6 is the samba server>
> Connection failed: NT code 0xc0000418
> Netstat shows entries associated with 139 and 445. Haven't got the actual output, but I could get it.
> I would appreciate it if anyone could give me any tests to check basic functionality. I am thinking that it may be to do with groups, but I would expect different types of errors.
> ANY basic tests welcome.
