[Samba] realmd and net rpc privileges

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 29 06:53:09 MDT 2015


On 29/04/15 13:10, Sebastian Gabler wrote:
> Am 29.04.2015 um 12:58 schrieb L.P.H. van Belle:
>> so tell us what are your errors?
>>
>> It's hard to help without them.
>> Please post your smb.conf ( sanitized ) and your resolv.conf and 
>> hosts file.
>> and..
>> you can try the command :
>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege 
>> -U'SAMDOM\administrator' -S servername.fqdn
>>
>> greetz,
>>
>> Louis
> I am getting the error listed here: 
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege 
> -U'SAMDOM\administrator'
> Enter SAMDOM\administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> resolv.conf is automatically filled by Network Manager here (which 
> gets the settings from the DHCP server, which is the DC in my case)

Yes, but what is in resolv.conf ??
Unless it contains something like this:

search <your AD dns domain>
nameserver <your AD DCs ipaddress>

it will probably never work.


> hosts has no entries besides the localhost defaults for 'lo'

Are you running your fileserver as a DHCP client ?


>
> hostname returns the fqdn. DNS resolution and ntp sync are perfectly 
> fine. Domain users can log on, and get homes. (I don't care about that 
> too much, but it's nice to see it working.)
>
> This is the testparm dump, with '#' comments:
>
> [global]
>         realm = MYDOMAIN.LOCAL # here is the actual realm value
>         server string = Samba Server Version %v
>         security = ADS
>         username map = /etc/samba/user.map
>         kerberos method = system keytab
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /dev/null
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         cups options = raw
>         vfs objects = acl_xattr
>
> [Acls] # this is my test share
>         path = /srv/samba/acls/
>         read only = No
> Looking at these, it comes to my attention that there is no idmap on 
> that machine (I mean, not as a daemon, not as a command). Could that 
> be part of the problem?
> in the -S option above, does servername.fqdn refer to the DC or to the 
> local machine?
> Also, I was puzzled if the PW to enter is the root PW or the Domain 
> Admin PW. I tried both, always.
>

For the -S option, use the AD DC name, or you could use -I <AD DC ipaddress>

Rowland
> Best,
> Sebastian
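A small troubleshooting script for the two points raised above (what resolv.conf on the member server must contain, and that -S names the DC rather than the member server itself). This is an added example, not code from the thread or from the Samba project; the domain samdom.example.com, the DC address 192.0.2.10 and the script's arguments are assumed placeholders.

```shell
#!/bin/sh
# Added example for this thread, not Samba project code.
# Before running 'net rpc rights grant' on a member server, confirm that the
# resolver points at the AD DNS domain and at a DC, as the thread recommends.
# Assumed (hypothetical) values: AD DNS domain samdom.example.com, DC 192.0.2.10.

# check_resolv_conf FILE DOMAIN DC_IP
# Exit 0 when FILE has a 'search' or 'domain' line naming DOMAIN and a
# 'nameserver' line with DC_IP; otherwise report what is missing and exit 1.
check_resolv_conf() {
    file="$1"
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dc_ip="$3"
    status=0
    if ! awk -v d="$domain" '
        tolower($1) == "search" || tolower($1) == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == d) found = 1
        }
        END { exit found ? 0 : 1 }' "$file"; then
        echo "resolv.conf: no search/domain entry for $domain" >&2
        status=1
    fi
    if ! awk -v ip="$dc_ip" '
        $1 == "nameserver" && $2 == ip { found = 1 }
        END { exit found ? 0 : 1 }' "$file"; then
        echo "resolv.conf: nameserver $dc_ip (the AD DC) is missing" >&2
        status=1
    fi
    return $status
}

# Constructed samples: what a DHCP/NetworkManager-managed resolv.conf often
# ends up with (a local forwarder only, no AD domain) versus the static
# content the thread asks for.
dhcp_resolv_conf() {
    printf 'nameserver 127.0.0.1\n'
}
static_resolv_conf() {
    printf 'search samdom.example.com\nnameserver 192.0.2.10\n'
}

# grant_disk_operator DC_FQDN NETBIOS_DOMAIN DNS_DOMAIN DC_IP
# Runs the grant from the thread with -S aimed at the DC (not the member
# server) once /etc/resolv.conf passes the check. Only executed with --run.
grant_disk_operator() {
    dc="$1"; dom="$2"
    check_resolv_conf /etc/resolv.conf "$3" "$4" || return 1
    net rpc rights grant "$dom\\Domain Admins" SeDiskOperatorPrivilege \
        -U"$dom\\administrator" -S "$dc"
}

if [ "${1:-}" = "--run" ]; then
    # e.g. ./check.sh --run dc1.samdom.example.com SAMDOM samdom.example.com 192.0.2.10
    grant_disk_operator "$2" "$3" "$4" "$5"
else
    # Offline demonstration on the constructed samples.
    tmp=$(mktemp)
    dhcp_resolv_conf > "$tmp"
    check_resolv_conf "$tmp" samdom.example.com 192.0.2.10 \
        || echo "DHCP-style resolv.conf fails the check (expected)"
    static_resolv_conf > "$tmp"
    check_resolv_conf "$tmp" samdom.example.com 192.0.2.10 \
        && echo "static resolv.conf passes the check"
    rm -f "$tmp"
fi
```

Without arguments the script only exercises the check against the two constructed samples; with --run it checks the live /etc/resolv.conf and, if that passes, issues the same grant command as in the thread against the DC named in -S.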
