[Samba] Member Server SeDiskOperatorPrivilege

Rowland Penny rowlandpenny at googlemail.com
Sat Jan 10 12:48:59 MST 2015


On 10/01/15 19:27, Tim wrote:
> Interesting:
>
> I rebuilt everything. But after setting up the DCs they had the same issue - net rpc rights grant can't connect to server 127.0.0.1.
> I tried the following global parameters in smb.conf:
> bind interfaces only = yes
> interfaces = lo eth0
>
> And like magic it worked! Samba is now bound to 127.0.0.1 (lo) and eth0 and net rpc rights grant works. Try this also on a member server.
>
> Give it a try!
>
> On 10 January 2015 06:58:07 CET, BISI <d3r3kshaw at gmail.com> wrote:
>> On 15-01-09 09:19 AM, Tim wrote:
>>> It's definitely a problem with backend ad. I don't know what, but
>>> with ad backend I also cannot list rpc rights on the server because it
>>> cannot find the user. With rid: no problem.
>>> Bug?
>> I appear to be about 12 hours behind Tim, except that I am using Debian
>> 7.7, and (now) following Louis van Belle's script for making a member
>> server with the sernet repos (smbd reports Version
>> 4.1.14-SerNet-Debian-9.wheezy)
>> The script is at
>> https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
>>
>> Louis' script hangs up at line 406
>>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
>> with
>> Enter Administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> I chose to set up PAMauth in the script, based on the comment
>>> ##########  pam autheristation modifications.
>>> ## the original files /etc/pam.d/samba and sshd wil be backuped to
>>> *.original
>>> ## set to 1 if you want winbindd to work.
>> unfortunately for me, Louis is off enjoying himself on a ski hill
>> somewhere.
>>
>> any guidance would be greatly appreciated.
>>
>> BTW - script and sernet packages do not make the links in /lib64 that
>> the wiki calls for, but the script does replace the default krb5.conf
>> file.
>>
>> also the DC in this case is a windows 2008 R2 server running at server
>> 2003 forest and domain functional level
>>
>> And before he left, he also mentioned assigning UID/GID to users/groups
>> in the AD -- what UID and GID numbers would I assign to a windows DC,
>> and to which users?  The reference he gave didn't really shed any light
>> on the subject for me.
>>
>> Thanks in advance!
>>
>> Derek.
>>
>>>
>>> On 9 January 2015 17:56:59 CET, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 09/01/15 16:48, Tim wrote:
>>>>> Definitely.
>>>>>
>>>>> With backend=ad only two users can be seen by getent passwd. Then
>>>>> changing backend=rid, all users are resolved by getent passwd
>>>>>
>>>>> On 9 January 2015 17:09:19 CET, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>>       On 09/01/15 15:45, Tim wrote:
>>>>>
>>>>>           That's what I tried to say. I set the gid/uid attribs in Unix
>>>>>           tab. On 9 January 2015 16:44:28 CET, Rowland Penny
>>>>>           <rowlandpenny at googlemail.com> wrote: On 09/01/15 15:40, Tim
>>>>>           wrote:
>>>>>               When I switch back to backend ad, getent passwd returns
>>>>>               nothing - getent group only returns by adding a dedicated
>>>>>               group name. There is at least one user and one group with
>>>>>               Id set in ad.
>>>>>
>>>>>           Yes, but do *any* of your AD users have a uidNumber
>>>>>           attribute.
>>>>>           Rowland
>>>>>
>>>>>               On 9 January 2015 16:29:39 CET, Rowland Penny
>>>>>               <rowlandpenny at googlemail.com> wrote: On 09/01/15 15:19, Tim
>>>>>               wrote: I switched to rid module of idmapping and now
>>>>>               winbind offers all groups and I can set
>>>>>               SeDiskOperatorPrivilege. getent group and getent passwd
>>>>>               are now working! On 9 January 2015 15:21:32 CET, Rowland
>>>>>               Penny <rowlandpenny at googlemail.com> wrote: On 09/01/15
>>>>>               13:47, Tim wrote: Hello all, I have an AD DC based on
>>>>>               CentOS7 with sernet samba 4.1.14 with rfc2307 and function
>>>>>               level 2008_R2. This one works so far and I can manage the
>>>>>               AD from a windows client. Now I setup a member server
>>>>>               based on CentOS7 with sernet samba 4.1.14 just like the
>>>>>               wiki advises with the same smb.conf (realm etc is
>>>>>               configured to my needs). I joined the AD and configured
>>>>>               nsswitch. wbinfo works so far but getent passwd or getent
>>>>>               group doesn't list domain objects. getent group testgroup1
>>>>>               works, but getent passwd testuser1 does not. I created a
>>>>>               share in smb.conf. Now I want to set the
>>>>>               SeDiskOperatorPrivilege like the wiki advises. But it
>>>>>               doesn't work. It says that it can't connect to server
>>>>>               127.0.0.1. I tried it with net rpc rights grant
>>>>>               'DOM\Domain Admins' SeDiskOperatorPrivilege
>>>>>               -U'DOM\administrator' Now I can not access the server from
>>>>>               windows to set share permissions. What to do? The wiki
>>>>>               told nothing about kerberos so I did not do anything to
>>>>>               it. Thanks in advance Hi, you appear to be the second
>>>>>               person in two days having a similar, if not the same
>>>>>               problem with the sernet packages. I don't think it is a
>>>>>               kerberos problem, can you check if you have
>>>>>               'libnss_winbind.so.2' anywhere. Rowland I take it from
>>>>>               this, that you do not have any uidNumber or gidNumber
>>>>>               attributes in AD. Rowland
>>>>>
>>>>>
>>>>>       OK, then were they inside the range set in smb.conf i.e. idmap
>>>>>       config DOMAIN : range = 10000-999999
>>>>>
>>>>>       Rowland
>>>>>
>>>> That is strange, if you use the winbind 'ad' backend and have AD users
>>>> with a uidNumber, then all the users with uidNumbers should be shown by
>>>> getent passwd, but any users without a uidNumber will not be shown.
>>>>
>>>> The 'rid' backend works differently, it allocates id numbers to each
>>>> and every user.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
Yes, interesting, I have never had to do that, do you have more than one 
network card? Can you post your smb.conf from the DC.

Rowland
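Added example, not code from this thread or from Samba: a small Python model of why the 'ad' and 'rid' idmap backends discussed above list different users. The smb.conf fragments and AD user records are constructed; the only real rule used is the one idmap_rid documents, ID = RID + LOW_RANGE_ID, and the 'ad' rule that a user needs a uidNumber inside the configured range.

```python
import re

# Constructed smb.conf fragments (assumed; not the posters' real configs).
SMB_CONF_AD = """
[global]
   idmap config DOM : backend = ad
   idmap config DOM : range = 10000-999999
"""
SMB_CONF_RID = """
[global]
   idmap config DOM : backend = rid
   idmap config DOM : range = 10000-999999
"""

# Constructed AD users: account name, RID, and optional rfc2307 uidNumber.
USERS = [
    {"name": "administrator", "rid": 500, "uidNumber": 10000},
    {"name": "testuser1", "rid": 1104, "uidNumber": None},   # no uidNumber set
    {"name": "testuser2", "rid": 1105, "uidNumber": 5000},   # below the range
    {"name": "testuser3", "rid": 1106, "uidNumber": 10500},
]

def parse_idmap(conf, domain):
    """Return (backend, low, high) from 'idmap config DOMAIN : ...' lines."""
    pat = re.compile(r"idmap config %s\s*:\s*(backend|range)\s*=\s*(.+)"
                     % re.escape(domain))
    opts = dict(pat.findall(conf))
    low, high = (int(x) for x in opts["range"].split("-"))
    return opts["backend"].strip(), low, high

def map_uid(user, backend, low, high):
    """Model how winbind derives a Unix uid under each backend."""
    if backend == "ad":
        uid = user["uidNumber"]          # must be stored in AD (rfc2307)
    elif backend == "rid":
        uid = low + user["rid"]          # idmap_rid: ID = RID + LOW_RANGE_ID
    else:
        raise ValueError("unsupported backend: %s" % backend)
    if uid is None or not low <= uid <= high:
        return None                      # unmappable: absent from getent passwd
    return uid

def getent_passwd(conf, domain, users):
    """Names -> uids that 'getent passwd' would list under this config
    (enumeration also needs 'winbind enum users = yes')."""
    backend, low, high = parse_idmap(conf, domain)
    listed = {}
    for u in users:
        uid = map_uid(u, backend, low, high)
        if uid is not None:
            listed[u["name"]] = uid
    return listed
```

With the 'ad' config only the two users carrying an in-range uidNumber appear, which matches the "only two users" symptom in the thread; with 'rid' every user gets an id derived from its RID.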
