[Samba] Member Server SeDiskOperatorPrivilege

Tim rintimtim at gmx.net
Sat Jan 10 14:11:06 MST 2015


I'm not at work right now. My smb.conf is nearly exactly the standard one after provisioning with rfc2307, except for these two parameters.

My server has four NICs, but only one is used and connected.

On 10 January 2015 20:48:59 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 10/01/15 19:27, Tim wrote:
>> Interesting:
>>
>> I rebuilt everything. But after setting up the DCs they had the same
>> issue - net rpc rights grant can't connect to server 127.0.0.1.
>> I tried the following global parameters in smb.conf:
>> bind interfaces only = yes
>> interfaces = lo eth0
>>
>> And like magic it worked! Samba is now bound to 127.0.0.1 (lo) and eth0
>> and net rpc rights grant works. Try this also on a member server.
>>
>> Give it a try!
>>
>> On 10 January 2015 06:58:07 CET, BISI <d3r3kshaw at gmail.com> wrote:
>>> On 15-01-09 09:19 AM, Tim wrote:
>>>> It's definitely a problem with backend ad. I don't know what, but
>>>> with ad backend I also cannot list rpc rights on the server because it
>>>> cannot find the user. With rid: no problem.
>>>> Bug?
>>> I appear to be about 12 hours behind Tim, except that I am using Debian
>>> 7.7, and (now) following Louis van Belle's script for making a member
>>> server with the sernet repos (smbd reports Version
>>> 4.1.14-SerNet-Debian-9.wheezy)
>>> The script is at
>>> https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
>>>
>>> Louis' script hangs up at line 406
>>>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
>>> with
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> I chose to set up PAMauth in the script, based on the comment
>>>> ##########  pam authentication modifications.
>>>> ## the original files /etc/pam.d/samba and sshd will be backed up to
>>>> *.original
>>>> ## set to 1 if you want winbindd to work.
>>> unfortunately for me, Louis is off enjoying himself on a ski hill
>>> somewhere.
>>>
>>> any guidance would be greatly appreciated.
>>>
>>> BTW - script and sernet packages do not make the links in /lib64 that
>>> the wiki calls for, but the script does replace the default krb5.conf
>>> file.
>>>
>>> also the DC in this case is a windows 2008 R2 server running at server
>>> 2003 forest and domain functional level
>>>
>>> And before he left, he also mentioned assigning UID/GID to users/groups
>>> in the AD -- what UID and GID numbers would I assign to a windows DC,
>>> and to which users?  The reference he gave didn't really shed any light
>>> on the subject for me.
>>>
>>> Thanks in advance!
>>>
>>> Derek.
>>>
>>>>
>>>> On 9 January 2015 17:56:59 CET, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>> On 09/01/15 16:48, Tim wrote:
>>>>>> Definitely.
>>>>>>
>>>>>> With backend=ad only two users can be seen by getent passwd. Then
>>>>>> changing backend=rid, all users are resolved by getent passwd
>>>>>>
>>>>>> On 9 January 2015 17:09:19 CET, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>
>>>>>>       On 09/01/15 15:45, Tim wrote:
>>>>>>
>>>>>>           That's what I tried to say. I set the gid/uid attribs in
>>>>>>           Unix tab.
>>>>>>
>>>>>>           On 9 January 2015 16:44:28 CET, Rowland Penny
>>>>>>           <rowlandpenny at googlemail.com> wrote:
>>>>>>
>>>>>>               On 09/01/15 15:40, Tim wrote:
>>>>>>
>>>>>>               When I switch back to backend ad, getent passwd
>>>>>>               returns nothing - getent group only returns by adding a
>>>>>>               dedicated group name. There is at least one user and one
>>>>>>               group with Id set in ad.
>>>>>>
>>>>>>           Yes, but do *any* of your AD users have a uidNumber
>>>>>>           attribute.
>>>>>>
>>>>>>           Rowland
>>>>>>
>>>>>>               On 9 January 2015 16:29:39 CET, Rowland Penny
>>>>>>               <rowlandpenny at googlemail.com> wrote:
>>>>>>
>>>>>>               On 09/01/15 15:19, Tim wrote:
>>>>>>
>>>>>>               I switched to rid module of idmapping and now winbind
>>>>>>               offers all groups and I can set SeDiskOperatorPrivilege.
>>>>>>               getent group and getent passwd are now working!
>>>>>>
>>>>>>               On 9 January 2015 15:21:32 CET, Rowland Penny
>>>>>>               <rowlandpenny at googlemail.com> wrote:
>>>>>>
>>>>>>               On 09/01/15 13:47, Tim wrote:
>>>>>>
>>>>>>               Hello all, I have an AD DC based on CentOS7 with sernet
>>>>>>               samba 4.1.14 with rfc2307 and function level 2008_R2.
>>>>>>               This one works so far and I can manage the AD from a
>>>>>>               windows client. Now I set up a member server based on
>>>>>>               CentOS7 with sernet samba 4.1.14 just like the wiki
>>>>>>               advises with the same smb.conf (realm etc is configured
>>>>>>               to my needs). I joined the AD and configured nsswitch.
>>>>>>               wbinfo works so far but getent passwd or getent group
>>>>>>               doesn't list domain objects. getent group testgroup1
>>>>>>               works, but getent passwd testuser1 does not. I created a
>>>>>>               share in smb.conf. Now I want to set the
>>>>>>               SeDiskOperatorPrivilege like the wiki advises. But it
>>>>>>               doesn't work. It says that it can't connect to server
>>>>>>               127.0.0.1. I tried it with net rpc rights grant
>>>>>>               'DOM\Domain Admins' SeDiskOperatorPrivilege
>>>>>>               -U'DOM\administrator' Now I can not access the server
>>>>>>               from windows to set share permissions. What to do? The
>>>>>>               wiki told nothing about kerberos so I did not do anything
>>>>>>               to it. Thanks in advance
>>>>>>
>>>>>>               Hi, you appear to be the second person in two days having
>>>>>>               a similar, if not the same problem with the sernet
>>>>>>               packages. I don't think it is a kerberos problem, can you
>>>>>>               check if you have 'libnss_winbind.so.2' anywhere.
>>>>>>
>>>>>>               Rowland
>>>>>>
>>>>>>               I take it from this, that you do not have any uidNumber
>>>>>>               or gidNumber attributes in AD.
>>>>>>
>>>>>>               Rowland
>>>>>>
>>>>>>
>>>>>>       OK, then were they inside the range set in smb.conf i.e. idmap
>>>>>>       config DOMAIN : range = 10000-999999
>>>>>>
>>>>>>       Rowland
>>>>>>
>>>>> That is strange, if you use the winbind 'ad' backend and have AD users
>>>>> with a uidNumber, then all the users with uidNumbers should be shown by
>>>>> getent passwd, but any users without a uidNumber will not be shown.
>>>>>
>>>>> The 'rid' backend works differently, it allocates id numbers to each
>>>>> and every user.
>>>>>
>>>>> Rowland
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>Yes, interesting, I have never had to do that, do you have more than one
>network card? Can you post your smb.conf from the DC.
>
>Rowland
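The two mechanisms the thread circles around, as an added worked example that is not part of the thread and not Samba's own code: the range check that decides which AD objects the winbind 'ad' backend exposes to getent (a uidNumber must exist and lie inside 'idmap config DOMAIN : range'), the way the 'rid' backend instead derives an id for every object (ID = RID - base_rid + low end of the range, base_rid defaulting to 0), and why 'bind interfaces only = yes' has to list lo for a local 'net rpc rights ...' against 127.0.0.1 to connect at all. The domain name SAMDOM, the smb.conf text and the user list with its uidNumber and RID values are constructed for the example; on a live system those values would come from ldbsearch or wbinfo. It goes a little beyond the thread in that it models both backends side by side.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. It models:
#   1. winbind 'ad' backend: an object is only mapped when its
#      uidNumber/gidNumber is set AND inside 'idmap config DOMAIN : range';
#      everything else is invisible to getent (the symptom in the thread).
#      'rid' backend: ID = RID - base_rid + LOW_RANGE (base_rid default 0),
#      so every object gets an id as long as it fits in the range.
#   2. 'bind interfaces only = yes' makes smbd listen only on 'interfaces';
#      without lo/127.0.0.1 a local 'net rpc ... 127.0.0.1' cannot connect.
# Domain SAMDOM, the smb.conf text and the user list are constructed.

SMB_CONF='[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   bind interfaces only = yes
   interfaces = lo eth0
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999'

# Constructed: "name uidNumber rid"; "-" means no uidNumber attribute set.
USERS='testuser1 10001 1105
testuser2 - 1106
svc_backup 500 1107
administrator 10000 500'

# idmap_range CONF DOMAIN -> "LOW HIGH" from 'idmap config DOMAIN : range'
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        tolower($0) ~ "^[ \t]*idmap config " tolower(dom) "[ \t]*:[ \t]*range" {
            sub(/.*=/, ""); gsub(/[ \t]/, ""); split($0, r, "-"); print r[1], r[2]
        }'
}

# ad_visible CONF DOMAIN USERS -> names the 'ad' backend would map:
# uidNumber present and inside the range. svc_backup (uid 500) is dropped
# silently, just like a user with no uidNumber at all.
ad_visible() {
    set -- "$(idmap_range "$1" "$2")" "$3"
    printf '%s\n' "$2" | awk -v lo="${1% *}" -v hi="${1#* }" '
        $2 != "-" && $2 + 0 >= lo + 0 && $2 + 0 <= hi + 0 { print $1 }'
}

# rid_ids CONF DOMAIN USERS -> "name uid" as idmap_rid would allocate,
# skipping RIDs that would land above the top of the range.
rid_ids() {
    set -- "$(idmap_range "$1" "$2")" "$3"
    printf '%s\n' "$2" | awk -v lo="${1% *}" -v hi="${1#* }" '
        { id = lo + $3; if (id <= hi) print $1, id }'
}

# loopback_ok CONF -> "yes" when a local 'net rpc ... 127.0.0.1' can reach
# smbd: either 'bind interfaces only' is off, or 'interfaces' lists lo.
loopback_ok() {
    bio=$(printf '%s\n' "$1" | awk -F= '
        /^[ \t]*bind interfaces only[ \t]*=/ { gsub(/[ \t]/, "", $2); print tolower($2) }')
    ifs=$(printf '%s\n' "$1" | awk -F= '/^[ \t]*interfaces[ \t]*=/ { print $2 }')
    case "$bio" in
        yes|true|1) ;;
        *) echo yes; return 0 ;;
    esac
    case " $ifs " in
        *" lo "*|*127.0.0.1*) echo yes ;;
        *) echo no ;;
    esac
}

printf 'ad backend maps : %s\n' "$(ad_visible "$SMB_CONF" SAMDOM "$USERS" | tr '\n' ' ')"
printf 'rid backend maps: %s\n' "$(rid_ids "$SMB_CONF" SAMDOM "$USERS" | tr '\n' ';')"
printf 'local net rpc can reach 127.0.0.1: %s\n' "$(loopback_ok "$SMB_CONF")"
```

Two practical consequences follow from the model. With the 'ad' backend an account whose uidNumber is missing or outside the range does not fail loudly; it just never appears in getent passwd and cannot be granted a privilege such as SeDiskOperatorPrivilege, so after switching a share to 'ad' it is worth diffing the AD uidNumbers against the configured range. With the 'rid' backend the id is a pure function of the RID and the range, so every member server in the domain must carry the identical 'idmap config DOMAIN : range', otherwise the same SID ends up as a different uid on different hosts and file ownership on shared storage becomes inconsistent.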

