[Samba] realmd and net rpc privileges
Rowland Penny
rowlandpenny at googlemail.com
Thu Apr 30 02:13:14 MDT 2015
On 30/04/15 09:05, Sebastian Gabler wrote:
> There is something to add. Listing existing rights (any rights that
> is, thus using the current, root, user) fails with the same problem:
>
> # net rpc rights list
> Enter root's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I conclude from this that net cannot authenticate at all for this purpose,
> and the first step would be to solve that. The question is: How?
>
> Br
>
> Sebastian
>
> On 29.04.2015 at 14:10, Sebastian Gabler wrote:
>> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>>> so tell us what are your errors?
>>>
>>> It's hard to help without them.
>>> Please post your smb.conf ( sanitized ) and your resolv.conf and
>>> hosts file.
>>> and..
>>> you can try the command :
>>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>>> -U'SAMDOM\administrator' -S servername.fqdn
>>>
>>> greetz,
>>>
>>> Louis
>> I am getting the error listed here:
>> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>>
>> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>> -U'SAMDOM\administrator'
>> Enter SAMDOM\administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> resolv.conf is automatically filled by Network Manager here (which
>> gets the settings from the DHCP server, which is the DC in my case)
>> hosts has no entries besides the localhost defaults for 'lo'
>> hostname returns the fqdn. DNS resolution and ntp sync are perfectly
>> fine. Domain users can log on, and get homes. (I don't care about
>> that too much, but it's nice to see it working.)
>>
>> This is the testparm dump, with '#' comments:
>>
>> [global]
>> realm = MYDOMAIN.LOCAL # here is the actual realm value
>> server string = Samba Server Version %v
>> security = ADS
>> username map = /etc/samba/user.map
>> kerberos method = system keytab
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> load printers = No
>> printcap name = /dev/null
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> cups options = raw
>> vfs objects = acl_xattr
>>
>> [Acls] # this is my test share
>> path = /srv/samba/acls/
>> read only = No
>>
>> Looking at these, it comes to my attention that there is no idmap on
>> that machine (I mean, not as a daemon, not as a command). Could that
>> be part of the problem?
>> in the -S option above, does servername.fqdn refer to the DC or to
>> the local machine?
>> Also, was puzzled if the PW to enter is the root PW or the Domain
>> Admin PW. I tried both, always.
>>
>> Best,
>> Sebastian
>
You need to map root to Administrator, add this line to smb.conf:
username map = /etc/samba/user.map
Then create the map file, it is just one line:
!root = EXAMPLE\Administrator Administrator administrator
Change 'EXAMPLE' for your workgroup name.
Rowland
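
The map file from the reply above can be checked offline before it goes live. This is an added example, not code from the thread or from Samba: parse_username_map, map_user and maps_to_root are hypothetical helper names, the sample map is constructed, and @group entries are not resolved. It applies the documented rules (top to bottom, '!' stops after a match, '#' and ';' start comments) and lists every client name that ends up as Unix root.

```python
import re

# Constructed sample: the one-line map from the reply plus an ordinary entry.
SAMPLE_MAP = r'''
# /etc/samba/user.map
!root = EXAMPLE\Administrator Administrator administrator
guest = "Some Visitor"
'''

def parse_username_map(text):
    """Return a list of (unix_name, client_names, stop_on_match) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' ends processing after a hit
        unix, sep, rhs = line.lstrip("!").partition("=")
        if not sep or not unix.strip():
            raise ValueError(f"malformed map line: {raw!r}")
        # Names are whitespace separated; double quotes protect spaces.
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        rules.append((unix.strip(), names, stop))
    return rules

def map_user(rules, client_name):
    """Apply the rules top to bottom and return the resulting Unix name."""
    current = client_name
    for unix, names, stop in rules:
        # '*' is the wildcard; @group entries are not resolved in this sketch.
        # Case-insensitive comparison is an assumption of this sketch.
        if any(n == "*" or n.casefold() == current.casefold() for n in names):
            current = unix
            if stop:
                break
    return current

def maps_to_root(rules):
    """Client names that end up as Unix root: the entries worth auditing."""
    return sorted({n for _, names, _ in rules for n in names
                   if map_user(rules, n) == "root"})

if __name__ == "__main__":
    print(maps_to_root(parse_username_map(SAMPLE_MAP)))
```

Anything this reports beyond the administrator names you intended is an account that Samba would treat as root on the member server.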