[Samba] realmd and net rpc privileges

Sebastian Gabler sequoiamobil at gmx.net
Thu Apr 30 02:05:44 MDT 2015 

There is something to add. Listing existing rights (any rights that is, 
thus using the current, root, user) fails with the same problem:

# net rpc rights list
Enter root's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I conclude of that net cannot authenticate at all for this purpose, and 
the first step would be to solve that. The question is: How?

Br

Sebastian

Am 29.04.2015 um 14:10 schrieb Sebastian Gabler:
> Am 29.04.2015 um 12:58 schrieb L.P.H. van Belle:
>> so tell us what are your errors?
>>
>> It's hard to help without them.
>> Please post your smb.conf ( sanitized ) and your resolv.conf and 
>> hosts file.
>> and..
>> you can try the command :
>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege 
>> -U'SAMDOM\administrator' -S servername.fqdn
>>
>> greetz,
>>
>> Louis
> I am getting the error listed here: 
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege 
> -U'SAMDOM\administrator'
> Enter SAMDOM\administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> resolv.conf is automatically filled by Network Manager here (which 
> gets the settings from the DHCP server, which is the DC in my case)
> hosts has no entries besides the localhost defaults for 'lo'
> hostname returns the fqdn DNS resolsution and ntp sync are perefectly 
> fine. Domain users can log on, and get homes. (I don't care about that 
> too much, but it's nice to see it working.)
>
> This is the testparm dump, with '#' comments:
>
> [global]
>         realm = MYDOMAIN.LOCAL # here is the actual realm value
>         server string = Samba Server Version %v
>         security = ADS
>         username map = /etc/samba/user.map
>         kerberos method = system keytab
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /dev/null
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         cups options = raw
>         vfs objects = acl_xattr
>
> [Acls] # this is my test share
>         path = /srv/samba/acls/
>         read only = No
> Looking at these, it comes to my attention that there is no idmap on 
> that machine (I mean, not as a deamon, not as a command). Could that 
> be part of the problem?
> in the -S option above, does servername.fqdn refer to the DC or to the 
> local machine?
> Also,  was puzzled if the PW to enter is the root PW or the Domain 
> Amdin PW. I tried both, always.
>
> Best,
> Sebastian

More information about the samba mailing list