[Samba] "net rpc" commands don’t work on Samba AD DC

Alnis Morics alnis.moritz at gmail.com
Sun Jan 29 16:27:01 UTC 2017


Hello,

I built Samba 4.5.4 on a FreeBSD 11.0 machine, and I’m trying to set up 
an AD DC with a file share.

So I did this:
- enabled ACLs on my UFS2 filesystem (before compilation)
- successfully provisioned (rfc2307, internal DNS)
- tested local shares, DNS, Kerberos
- adjusted NTPd as suggested in the Wiki
- added this to the global section of smb.conf:
template shell = /usr/sbin/nologin
template homedir = /home/%U

- changed these lines in /etc/nsswitch.conf:
passwd: files winbind
group:  files winbind

- Made a symlink for NSS:
ln -s /usr/local/samba/lib/nss_winbind.so.1 /usr/local/lib/nss/

And winbindd seems to work. I can look up domain users:
# getent passwd Administrator
RW\administrator:*:0:20::/home/administrator:/usr/sbin/nologin

And change file ownerships to the domain users:
# touch testfile
# ll testfile
-rw-r--r--  1 root  wheel  0 Jan 28 19:25 testfile
# chown user1:"domain users" testfile
# ll testfile
-rw-r--r--  1 RW\user1  staff  0 Jan 28 19:25 testfile

But when I try to grant Domain Admins the SeDiskOperatorPrivilege, I get this:

# net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U "RW\administrator"
Enter RW\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL

I found out that other net rpc commands don’t work either, e.g.:
# net rpc rights list -U administrator
Enter administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL

The rpc service seems to be running:
# samba-tool testparm --parameter-name='server services'
s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

I tried to map the root user to the domain Administrator but nothing 
changed.

When I raise the log level to 3, the session looks like this:

net rpc rights grant "RW\Domain Admins" SeDiskOperatorPrivilege -U "RW\administrator" -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface rl0 ip=192.168.0.192 bcast=192.168.0.255 netmask=255.255.255.0
Enter RW\administrator's password:
Connecting to 127.0.0.1 at port 445
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_UNSUCCESSFUL
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
return code = -1

Now, “sockstat -4” shows that smbd listens on port 445, all 
interfaces/addresses:
...
root     smbd       2316  47 tcp4   *:445                 *:*
...

“failed to make ipc connection” has to do with the IPC$ share, right?
At least I can’t connect to it:

# smbclient //localhost/IPC$ -UAdministrator -c 'ls'
Enter Administrator's password:
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 129 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
tdb(/usr/local/samba/var/lock/gencache_notrans.tdb): tdb_lock failed on list 113 ltype=3 (Invalid argument)
Domain=[RW] OS=[Windows 6.1] Server=[Samba 4.5.4]
NT_STATUS_ACCESS_DENIED listing \*
#

By the way, I don’t receive these tdb_lock failure messages when
looking up shares as a regular user.

Any ideas why "net rpc" commands don’t work for me?

Thanks,
Alnis



