[Samba] Member Server SeDiskOperatorPrivilege
Rowland Penny
rowlandpenny at googlemail.com
Sat Jan 10 12:48:59 MST 2015
On 10/01/15 19:27, Tim wrote:
> Interesting:
>
> I rebuilt everything. But after setting up the DCs they had the same issue - net rpc rights grant can't connect to server 127.0.0.1.
> I tried the following global parameters in smb.conf:
> bind interfaces only = yes
> interfaces = lo eth0
>
> And like magic it worked! Samba is now bound to 127.0.0.1 (lo) and eth0 and net rpc rights grant works. Try this also on a member server.
>
> Give it a try!
>
> On 10 January 2015 06:58:07 CET, BISI <d3r3kshaw at gmail.com> wrote:
>> On 15-01-09 09:19 AM, Tim wrote:
>>> It's definitely a problem with backend ad. I don't know what, but
>>> with ad backend I also cannot list rpc rights on the server because it
>>> cannot find the user. With rid: no problem.
>>> Bug?
>> I appear to be about 12 hours behind Tim, except that I am using Debian
>> 7.7, and (now) following Louis van Belle's script for making a member
>> server with the sernet repos (smbd reports Version
>> 4.1.14-SerNet-Debian-9.wheezy)
>> The script is at
>> https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
>>
>> Louis' script hangs up at line 406
>>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
>> with
>> Enter Administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> I chose to set up PAMauth in the script, based on the comment
>>> ########## pam authorisation modifications.
>>> ## the original files /etc/pam.d/samba and sshd will be backed up to
>>> *.original
>>> ## set to 1 if you want winbindd to work.
>> unfortunately for me, Louis is off enjoying himself on a ski hill
>> somewhere.
>>
>> any guidance would be greatly appreciated.
>>
>> BTW - script and sernet packages do not make the links in /lib64 that
>> the wiki calls for, but the script does replace the default krb5.conf
>> file.
>>
>> also the DC in this case is a windows 2008 R2 server running at server
>> 2003 forest and domain functional level
>>
>> And before he left, he also mentioned assigning UID/GID to users/groups
>> in the AD -- what UID and GID numbers would I assign to a windows DC,
>> and to which users? The reference he gave didn't really shed any light
>> on the subject for me.
>>
>> Thanks in advance!
>>
>> Derek.
>>
>>>
>>> On 9 January 2015 17:56:59 CET, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>> On 09/01/15 16:48, Tim wrote:
>>>>> Definitely.
>>>>>
>>>>> With backend=ad only two users can be seen by getent passwd. Then
>>>>> changing backend=rid, all users are resolved by getent passwd
>>>>>
>>>>> On 9 January 2015 17:09:19 CET, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>> On 09/01/15 15:45, Tim wrote:
>>>>>
>>>>> That's what I tried to say. I set the gid/uid attribs in Unix tab.
>>>>>
>>>>> On 9 January 2015 16:44:28 CET, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>> On 09/01/15 15:40, Tim wrote:
>>>>>
>>>>> When I switch back to backend ad, getent passwd returns nothing -
>>>>> getent group only returns by adding a dedicated group name. There is
>>>>> at least one user and one group with Id set in ad.
>>>>>
>>>>> Yes, but do *any* of your AD users have a uidNumber attribute.
>>>>> Rowland
>>>>>
>>>>> On 9 January 2015 16:29:39 CET, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>> On 09/01/15 15:19, Tim wrote:
>>>>>
>>>>> I switched to rid module of idmapping and now winbind offers all
>>>>> groups and I can set SeDiskOperatorPrivilege. getent group and getent
>>>>> passwd are now working!
>>>>>
>>>>> On 9 January 2015 15:21:32 CET, Rowland Penny
>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>
>>>>> On 09/01/15 13:47, Tim wrote:
>>>>>
>>>>> Hello all, I have an AD DC based on CentOS7 with sernet samba 4.1.14
>>>>> with rfc2307 and function level 2008_R2. This one works so far and I
>>>>> can manage the AD from a windows client. Now I setup a member server
>>>>> based on CentOS7 with sernet samba 4.1.14 just like the wiki advises
>>>>> with the same smb.conf (realm etc is configured to my needs). I
>>>>> joined the AD and configured nsswitch. wbinfo works so far but getent
>>>>> passwd or getent group doesn't list domain objects. getent group
>>>>> testgroup1 works, but getent passwd testuser1 does not. I created a
>>>>> share in smb.conf. Now I want to set the SeDiskOperatorPrivilege like
>>>>> the wiki advises. But it doesn't work. It says that it can't connect
>>>>> to server 127.0.0.1. I tried it with
>>>>> net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>>>> Now I can not access the server from windows to set share
>>>>> permissions. What to do? The wiki told nothing about kerberos so I
>>>>> did not do anything to it. Thanks in advance
>>>>>
>>>>> Hi, you appear to be the second person in two days having a similar,
>>>>> if not the same problem with the sernet packages. I don't think it is
>>>>> a kerberos problem, can you check if you have 'libnss_winbind.so.2'
>>>>> anywhere.
>>>>> Rowland
>>>>>
>>>>> I take it from this, that you do not have any uidNumber or gidNumber
>>>>> attributes in AD.
>>>>> Rowland
>>>>>
>>>>> OK, then were they inside the range set in smb.conf i.e. idmap config
>>>>> DOMAIN : range = 10000-999999
>>>>>
>>>>> Rowland
>>>>>
>>>> That is strange, if you use the winbind 'ad' backend and have AD users
>>>> with a uidNumber, then all the users with uidNumbers should be shown by
>>>> getent passwd, but any users without a uidNumber will not be shown.
>>>>
>>>> The 'rid' backend works differently, it allocates id numbers to each and
>>>> every user.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
Yes, interesting, I have never had to do that. Do you have more than one
network card? Can you post your smb.conf from the DC.
Rowland
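The thread turns on two questions Rowland keeps asking: do the AD users carry a uidNumber at all, and does it fall inside the `idmap config DOMAIN : range` that the winbind `ad` backend is configured with. As an added example (not from the thread and not Samba's own code), this script reads the idmap settings out of an smb.conf fragment and, given a constructed set of users' uidNumber values, reports which users the `ad` backend would leave out of `getent passwd`; the SAMDOM domain, the ranges and the user list are all made up for the demonstration.

```python
import re

# Constructed smb.conf fragment, not from the thread; the SAMDOM range
# mirrors the 'idmap config DOMAIN : range = 10000-999999' quoted above.
SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed uidNumber values for a few AD users; None means the attribute
# is absent from the user object, which is what Tim's testuser1 looks like.
AD_USERS = {
    "Administrator": None,
    "testuser1": None,
    "tim": 10050,
    "derek": 5000,  # set, but below the SAMDOM range
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap_config(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg


def hidden_from_getent(conf, domain, users):
    """Users the 'ad' backend will not map: it takes uidNumber from AD and only
    accepts values inside the domain range; 'rid' allocates ids, hiding nobody."""
    entry = parse_idmap_config(conf)[domain.upper()]
    if entry.get("backend") != "ad":
        return {}
    low, high = entry["range"]
    hidden = {}
    for user, uid in users.items():
        if uid is None:
            hidden[user] = "no uidNumber attribute"
        elif not low <= uid <= high:
            hidden[user] = f"uidNumber {uid} outside range {low}-{high}"
    return hidden
```

Feed it the real smb.conf and the output of an LDAP query for uidNumber and the result is the list of accounts getent will silently skip, which is what the switch to `rid` was masking.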