[Samba] Member Server SeDiskOperatorPrivilege

Tim rintimtim at gmx.net
Sat Jan 10 12:27:34 MST 2015


Interesting:

I rebuilt everything. But after setting up the DCs they had the same issue: net rpc rights grant can't connect to server 127.0.0.1.
I tried the following global parameters in smb.conf:
bind interfaces only = yes
interfaces = lo eth0

And like magic it worked! Samba is now bound to 127.0.0.1 (lo) and eth0, and net rpc rights grant works. Try this also on a member server.

Give it a try!

Am 10. Januar 2015 06:58:07 MEZ, schrieb BISI <d3r3kshaw at gmail.com>:
>On 15-01-09 09:19 AM, Tim wrote:
>> It's definitely a problem with backend ad. I don't know what, but
>> with ad backend I also cannot list rpc rights on the server because it
>> cannot find the user. With rid: no problem.
>>
>> Bug?
>
>I appear to be about 12 hours behind Tim, except that I am using Debian
>7.7, and (now) following Louis van Belle's script for making a member
>server with the sernet repos (smbd reports Version
>4.1.14-SerNet-Debian-9.wheezy)
>The script is at
>https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
>
>Louis' script hangs up at line 406
>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
>with
>Enter Administrator's password:
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>I chose to set up PAMauth in the script, based on the comment
>> ##########  pam autheristation modifications.
>> ## the original files /etc/pam.d/samba and sshd wil be backuped to
>> *.original
>> ## set to 1 if you want winbindd to work.
>
>unfortunately for me, Louis is off enjoying himself on a ski hill
>somewhere.
>
>any guidance would be greatly appreciated.
>
>BTW - script and sernet packages do not make the links in /lib64 that
>the wiki calls for, but the script does replace the default krb5.conf
>file.
>
>also the DC in this case is a windows 2008 R2 server running at server
>2003 forest and domain functional level
>
>
>And before he left, he also mentioned assigning UID/GID to users/groups
>in the AD -- what UID and GID numbers would I assign to a windows DC,
>and to which users?  The reference he gave didn't really shed any light
>on the subject for me.
>
>Thanks in advance!
>
>Derek.
>
>>
>>
>> Am 9. Januar 2015 17:56:59 MEZ, schrieb Rowland Penny
><rowlandpenny at googlemail.com>:
>>> On 09/01/15 16:48, Tim wrote:
>>>> Definitely.
>>>>
>>>> With backend=ad only two user can be seen by getent passwd. Then
>>>> changing backend=rid, all users are resolved by getent passwd
>>>>
>>>> Am 9. Januar 2015 17:09:19 MEZ, schrieb Rowland Penny
>>>> <rowlandpenny at googlemail.com>:
>>>>
>>>>      On 09/01/15 15:45, Tim wrote:
>>>>
>>>>          That's what I tried to say. I set the gid/uid attribs in Unix
>>>>          tab.
>>>>
>>>>          Am 9. Januar 2015 16:44:28 MEZ, schrieb Rowland Penny
>>>>          <rowlandpenny at googlemail.com>:
>>>>
>>>>              On 09/01/15 15:40, Tim wrote:
>>>>
>>>>              When I switch back to backend ad, getent passwd returns
>>>>              nothing - getent group only returns by adding a dedicated
>>>>              group name. There is at least one user and one group with
>>>>              Id set in ad.
>>>>
>>>>          Yes, but do *any* of your AD users have a uidNumber attribute.
>>>>          Rowland
>>>>
>>>>              Am 9. Januar 2015 16:29:39 MEZ, schrieb Rowland Penny
>>>>              <rowlandpenny at googlemail.com>:
>>>>
>>>>              On 09/01/15 15:19, Tim wrote:
>>>>
>>>>              I switched to rid module of idmapping and now winbind offers
>>>>              all groups and I can set SeDiskOperatorPrivilege. getent group
>>>>              and getent passwd are now working!
>>>>
>>>>              Am 9. Januar 2015 15:21:32 MEZ, schrieb Rowland Penny
>>>>              <rowlandpenny at googlemail.com>:
>>>>
>>>>              On 09/01/15 13:47, Tim wrote:
>>>>
>>>>              Hello all, I have an AD DC based on CentOS7 with sernet samba
>>>>              4.1.14 with rfc2307 and function level 2008_R2. This one works
>>>>              so far and I can manage the AD from a windows client. Now I
>>>>              set up a member server based on CentOS7 with sernet samba
>>>>              4.1.14 just like the wiki advises with the same smb.conf
>>>>              (realm etc is configured to my needs). I joined the AD and
>>>>              configured nsswitch. wbinfo works so far but getent passwd or
>>>>              getent group doesn't list domain objects. getent group
>>>>              testgroup1 works, but getent passwd testuser1 does not. I
>>>>              created a share in smb.conf. Now I want to set the
>>>>              SeDiskOperatorPrivilege like the wiki advises. But it
>>>>              doesn't work. It says that it can't connect to server
>>>>              127.0.0.1. I tried it with net rpc rights grant
>>>>              'DOM\Domain Admins' SeDiskOperatorPrivilege
>>>>              -U'DOM\administrator'. Now I can not access the server from
>>>>              windows to set share permissions. What to do? The wiki
>>>>              told nothing about kerberos so I did not do anything to
>>>>              it. Thanks in advance
>>>>
>>>>              Hi, you appear to be the second person in two days having a
>>>>              similar, if not the same problem with the sernet packages. I
>>>>              don't think it is a kerberos problem, can you check if you
>>>>              have 'libnss_winbind.so.2' anywhere. Rowland
>>>>
>>>>              I take it from this, that you do not have any uidNumber or
>>>>              gidNumber attributes in AD. Rowland
>>>>
>>>>
>>>>      OK, then were they inside the range set in smb.conf i.e. idmap
>>>>      config DOMAIN : range = 10000-999999
>>>>
>>>>      Rowland
>>>>
>>>
>>> That is strange, if you use the winbind 'ad' backend and have AD users
>>> with a uidNumber, then all the users with uidNumbers should be shown by
>>> getent passwd, but any users without a uidNumber will not be shown.
>>>
>>> The 'rid' backend works differently, it allocates id numbers to each
>>> and every user.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>
>

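Added example (not from the thread or from the Samba project): a small Python model of the two points the thread turns on, Rowland's explanation that the 'ad' backend only shows users whose uidNumber lies inside the configured idmap range while 'rid' derives an id for every user, and Tim's finding that with 'bind interfaces only = yes' the loopback interface must be listed for net rpc against 127.0.0.1 to connect. The smb.conf fragment, the domain name and the '*' range are constructed assumptions; the rid formula ID = RID + low range is the one documented for idmap_rid.

```python
import re
# Constructed smb.conf [global] fragment modelled on the thread's settings;
# the domain name and the '*' range are assumptions, not the poster's file.
SMB_CONF = """[global]
    bind interfaces only = yes
    interfaces = lo eth0
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-999999
"""

def parse_global(text):
    """[global] parameters as a dict; 'idmap config X : key' -> 'idmap config x:key'."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s*:\s*", ":", key.strip().lower())] = value.strip()
    return params

def idmap_range(params, domain):
    low, high = params[f"idmap config {domain.lower()}:range"].split("-")
    return int(low), int(high)

def resolve_uid(params, domain, rid, uid_number=None):
    """winbind's view of one user: 'rid' computes ID = RID + low range, so every
    user gets an id; 'ad' uses only the AD uidNumber attribute, and only when it
    lies inside the range, otherwise None (the user is invisible to getent)."""
    backend = params[f"idmap config {domain.lower()}:backend"]
    low, high = idmap_range(params, domain)
    if backend == "rid":
        return low + rid if low + rid <= high else None
    if backend == "ad":
        return uid_number if uid_number is not None and low <= uid_number <= high else None
    raise ValueError(f"unsupported backend {backend}")

def loopback_bound(params):
    """The thread's fix: with 'bind interfaces only = yes', 'lo' (or a 127.x
    address) must be listed, or smbd never listens on 127.0.0.1."""
    if params.get("bind interfaces only", "no").lower() != "yes":
        return True  # default: smbd binds every interface, loopback included
    ifaces = params.get("interfaces", "").split()
    return "lo" in ifaces or any(i.startswith("127.") for i in ifaces)
```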
