[Samba] Member Server SeDiskOperatorPrivilege

Tim rintimtim at gmx.net
Sat Jan 10 12:27:34 MST 2015


I rebuilt everything. But after setting up the DCs they had the same issue - net rpc rights grant can't connect to server.
I tried the following global parameters in smb.conf:
bind interfaces only = yes
interfaces = lo eth0

And like magic it worked! Samba is now bound to 127.0.0.1 (lo) and eth0 and net rpc rights grant works. Try this also on a member server.

Give it a try!

On 10 January 2015 06:58:07 CET, BISI <d3r3kshaw at gmail.com> wrote:
>On 15-01-09 09:19 AM, Tim wrote:
>> It's definitely a problem with backend ad. I don't know what, but
>with ad backend I also cannot list rpc rights on the server because it
>cannot find the user. With rid: no problem.
>> Bug?
>I appear to be about 12 hours behind Tim, except that I am using Debian
>7.7, and (now) following Louis van Belle's script for making a member 
>server with the sernet repos (smbd reports Version 
>The script is at
>Louis' script hangs up at line 406
>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
>Enter Administrator's password:
>Could not connect to server
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>I chose to set up PAMauth in the script, based on the comment
>> ##########  pam autheristation modifications.
>> ## the original files /etc/pam.d/samba and sshd wil be backuped to
>> ## set to 1 if you want winbindd to work.
>unfortunately for me, Louis is off enjoying himself on a ski hill
>any guidance would be greatly appreciated.
>BTW - script and sernet packages do not make the links in /lib64 that 
>the wiki calls for, but the script does replace the default krb5.conf
>also the DC in this case is a windows 2008 R2 server running at server
>2003 forest and domain functional level
>And before he left, he also mentioned assigning UID/GID to users/groups
>in the AD -- what UID and GID numbers would I assign to a windows DC, 
>and to which users?  The reference he gave didn't really shed any light
>on the subject for me.
>Thanks in advance!
>> On 9 January 2015 17:56:59 CET, Rowland Penny
><rowlandpenny at googlemail.com> wrote:
>>> On 09/01/15 16:48, Tim wrote:
>>>> Definitely.
>>>> With backend=ad only two users can be seen by getent passwd. Then
>>>> changing backend=rid, all users are resolved by getent passwd
>>>> On 9 January 2015 17:09:19 CET, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>      On 09/01/15 15:45, Tim wrote:
>>>>          That's what I tried to say. I set the gid/uid attribs in
>>>>          tab. On 9 January 2015 16:44:28 CET, Rowland Penny
>>>>          <rowlandpenny at googlemail.com> wrote: On 09/01/15 15:40, Tim
>>>>              When I switch back to backend ad, getent passwd
>>>>              nothing - getent group only returns by adding a
>>>>              group name. There is at least one user and one group
>>>>              Id set in ad.
>>>>          Yes, but do *any* of your AD users have a uidNumber
>>> attribute.
>>>>          Rowland
>>>>              On 9 January 2015 16:29:39 CET, Rowland Penny
>>>>              <rowlandpenny at googlemail.com> wrote: On 09/01/15 15:19, Tim
>>>>              wrote: I switched to rid module of idmapping and now
>>>>              winbind offers all groups and I can set
>>>>              SeDiskOperatorPrivilege. getent group and getent
>>>>              are now working! On 9 January 2015 15:21:32 CET,
>>>>              Rowland Penny <rowlandpenny at googlemail.com>: On
>>>>              13:47, Tim wrote: Hello all, I have an AD DC based on
>>>>              CentOS7 with sernet samba 4.1.14 with rfc2307 and
>>> function
>>>>              level 2008_R2. This one works so far and I can manage
>>>>              AD from a windows client. Now I setup a member server
>>>>              based on CentOS7 with sernet samba 4.1.14 just like
>>>>              wiki advises with the same smb.conf (realm etc is
>>>>              configured to my needs. I joined the AD and configured
>>>>              nsswitch. wbinfo works so far but getent passwd or
>>>>              group doesn't list domain objects. getent group
>>> testgroup1
>>>>              works, but getent passwd testuser1 does not. I created
>>>>              share in smb.conf. Now I want to set the
>>>>              SeDiskOperatorPrivilege like the wiki advises. But it
>>>>              doesn't work. It says that it can't connect to server.
>>>>              I tried it with net rpc rights
>>>>              'DOM\Domain Admins' SeDiskOperatorPrivilege
>>>>              -U'DOM\administrator' Now I can not access the server
>>> from
>>>>              windows to set share permissions. What to do? The wiki
>>>>              told nothing about kerberos so I did not do anything
>>>>              it. Thanks in advance Hi, you appear to be the second
>>>>              person in two days having a similar, if not the same
>>>>              problem with the sernet packages. I don't think it is
>>>>              kerberos problem, can you check if you have
>>>>              'libnss_winbind.so.2' anywhere. Rowland I take it
>>>>              this, that you do not have any uidNumber or gidNumber
>>>>              attributes in AD. Rowland
>>>>      OK, then were they inside the range set in smb.conf i.e.
>>> config
>>>>      DOMAIN : range = 10000-999999
>>>>      Rowland
>>> That is strange, if you use the winbind 'ad' backend and have AD
>>> with a uidNumber, then all the users with uidNumbers should be shown
>>> getent passwd, but any users without a uidNumber will not be shown.
>>> The 'rid' backend works differently, it allocates id numbers to each
>>> and
>>> every user.
>>> Rowland
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
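
Added example (not part of the original thread and not Samba's own code): a Python check for the two conditions discussed in this thread, a loopback entry in `interfaces` when `bind interfaces only = yes`, and uidNumber values that are set and inside the idmap range when the `ad` backend is used. The smb.conf text, the `DOM` domain, the `lo`/`eth0` names and the user table are constructed sample values.

```python
# Constructed smb.conf for a member server; DOM, lo and eth0 are sample values.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOM
    security = ads
    bind interfaces only = yes
    interfaces = eth0
    idmap config DOM : backend = ad
    idmap config DOM : range = 10000-999999
"""

# Constructed AD users: name -> uidNumber (None means the attribute is unset).
SAMPLE_USERS = {"administrator": None, "testuser1": 10001, "testuser2": 500}


def parse_global(text):
    """Return [global] parameters; names are lowercased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def loopback_bound(params):
    """False when 'bind interfaces only' is on and no loopback entry is listed."""
    if params.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
        return True  # not restricted to the listed interfaces
    entries = params.get("interfaces", "").split()
    return any(e == "lo" or e.startswith("127.") or e == "::1" for e in entries)


def ad_backend_visible(params, domain, users):
    """Users the 'ad' backend can map: uidNumber set and inside the idmap range."""
    low, high = map(int, params[f"idmapconfig{domain.lower()}:range"].split("-"))
    return [n for n, uid in users.items() if uid is not None and low <= uid <= high]


if __name__ == "__main__":
    conf = parse_global(SAMPLE_SMB_CONF)
    print("loopback listed:", loopback_bound(conf))
    print("visible with backend=ad:", ad_backend_visible(conf, "DOM", SAMPLE_USERS))
```

With the sample file the loopback check fails until `interfaces` reads `lo eth0`, and only `testuser1` is visible under the `ad` backend.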
