[Samba] "net rpc" commands don’t work on Samba AD DC
Alnis Morics
alnis.moritz at gmail.com
Sun Jan 29 16:27:01 UTC 2017
Hello,
I built Samba 4.5.4 on a FreeBSD 11.0 machine, and I’m trying to set up
an AD DC with a file share.
So I did this:
- enabled ACLs on my UFS2 filesystem (before compilation)
- successfully provisioned (rfc2307, internal DNS)
- tested local shares, DNS, Kerberos
- adjusted NTPd as suggested in Wiki
- added this to the global section of smb.conf:
    template shell = /usr/sbin/nologin
    template homedir = /home/%U
- changed these lines in /etc/nsswitch.conf:
    passwd: files winbind
    group: files winbind
- made a symlink for NSS:
    ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/
And winbindd seems to work. I can look up domain users:
# getent passwd Administrator
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin
And change file ownerships to the domain users:
# touch testfile
# ll testfile
-rw-r--r-- 1 root wheel 0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r-- 1 RW\user1 staff 0 Jan 28 19:25 testfile
But when I try to grant Domain Admins a SeDiskOperatorPrivilege, I get this:
# net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U "RW\administrator"
Enter RW\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL
I found out that other net rpc commands don’t work either, e.g.:
# net rpc rights list -U administrator
Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL
The rpc service seems to be running:
# samba-tool testparm --parameter-name='server services'
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
I tried to map the root user to the domain Administrator but nothing
changed.
When I raise the log level to 3, the session looks like this:
# net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U "RW\administrator" -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255 netmask=255.255.255.0
Enter RW\administrator's password:
Connecting to 127.0.0.1 at port 445
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
return code = -1
Now, “sockstat -4” shows that smbd listens on port 445, all
interfaces/addresses:
...
root smbd 2316 47 tcp4 *:445 *:*
...
“failed to make ipc connection” has to do with the IPC$ share, right?
At least I can’t connect to it:
# smbclient //localhost/IPC$ -UAdministrator -c 'ls'
Enter Administrator's password:
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 129 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
Domain=[RW] OS=[Windows 6.1] Server=[Samba 4.5.4]
NT_STATUS_ACCESS_DENIED listing \*
#
By the way, I don’t receive these tdb_lock failure messages when
looking up shares as a regular user.
Any ideas why "net rpc" commands don’t work for me?
Thanks,
Alnis
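
The NSS and smb.conf settings listed in the post (winbind for passwd and group in nsswitch.conf, template shell and template homedir in [global]) can be verified mechanically before debugging further. This is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample file contents below are constructed, not from a real host.

# Succeeds if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Prints the value of parameter $2 (lower case) from [global] in smb.conf $1.
smb_global_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") {
            name  = tolower(substr($0, 1, index($0, "=") - 1))
            value = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == want) print value
        }
    ' "$1"
}

# Prints one line per check; exit status is the number of failed checks.
check_setup() {
    fails=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then echo "ok      nsswitch $db: winbind"
        else echo "MISSING nsswitch $db: winbind"; fails=$((fails + 1)); fi
    done
    for p in "template shell" "template homedir"; do
        v=$(smb_global_param "$2" "$p")
        if [ -n "$v" ]; then echo "ok      $p = $v"
        else echo "MISSING $p in [global]"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'passwd: files winbind' 'group: files   # winbind not enabled' \
    > "$SAMPLE_DIR/nsswitch.conf"
printf '%s\n' '[global]' ' template shell = /usr/sbin/nologin' \
    ' Template  Homedir = /home/%U' '[share]' ' template shell = /bin/sh' \
    > "$SAMPLE_DIR/smb.conf"
check_setup "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/smb.conf" || echo "failed checks: $?"
```

On a real host, pass /etc/nsswitch.conf and the smb.conf path in use instead of the sample files.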