[Samba] classicupgrade, net rpc rights grant NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR

Christian chanlists at googlemail.com
Mon Mar 11 06:16:30 UTC 2019


Dear all,

we are transitioning from an openldap / MIT KDC setup to a samba4 AD. I
am doing this by setting up a samba NT4 domain, populating it from LDAP
and sticking in the password hashes which I automatically extract from
the MIT KDC arc4-hmac keys. Then I run the classicupgrade. I do this
whole thing from cron in a script once a day to be able to slowly
migrate services. The MIT / openldap and samba4 AD servers are on
different machines. My script (based on LPHvB's instructions) sets
privileges in the following way:

[..]

systemctl restart bind9 ntp samba-ad-dc
sleep 5
SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege \
SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege \
SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege \
SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
SeLoadDriverPrivilege SeCreatePagefilePrivilege \
SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege \
SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
SeEnableDelegationPrivilege"

samba-tool user setpassword Administrator \
  --newpassword="$SAMBA_NT_ADMIN_PASS"
echo "$SAMBA_NT_ADMIN_PASS" | kinit Administrator
for priv in $PRIVS ; do
  while ! net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" $priv \
            -U "Administrator%$SAMBA_NT_ADMIN_PASS" ; do
    echo "Failed to grant $priv ... Retrying ..."
    sleep 10
  done
done

Upon running this, I often get NT_STATUS_INTERNAL_ERROR or
NT_STATUS_IO_TIMEOUT:

Changed password OK
Password for Administrator at XXXXXXXXXXXXXXXXX:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_IO_TIMEOUT
Failed to grant SeDiskOperatorPrivilege ... Retrying ...
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_IO_TIMEOUT
Failed to grant SeDiskOperatorPrivilege ... Retrying ...
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_INTERNAL_ERROR
Failed to grant SeDiskOperatorPrivilege ... Retrying ...
Successfully granted rights.
Successfully granted rights.
Successfully granted rights.

Why would that happen? I can put in as much wait time as I want after
the initial service restart, and it still happens. I obviously work
around it by repeating until it proceeds, but I do not understand why
this is necessary. Any hints would be appreciated... Thanks,

Christian
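
Added example, not part of the original post and not Samba's own code: a bounded variant of the retry loop above that retries only while the output carries one of the two statuses shown in the post, and stops on anything else, so an unattended cron run cannot loop forever on a rejected password. Treating those two statuses as transient is an assumption; NET_CMD, MAX_TRIES and RETRY_DELAY are hypothetical names introduced here, and the net invocation is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# retry_transient MAX_TRIES DELAY CMD [ARGS...]
#   0 = CMD succeeded
#   1 = CMD still failing with a transient status after MAX_TRIES attempts
#   2 = CMD failed with any other output (e.g. rejected credentials): no retry
retry_transient() {
  rt_max=$1 rt_delay=$2 rt_try=1
  shift 2
  while [ "$rt_try" -le "$rt_max" ]; do
    if rt_out=$("$@" 2>&1); then
      return 0
    fi
    case $rt_out in
      # Assumption: only the two statuses seen in the post are transient.
      *NT_STATUS_IO_TIMEOUT*|*NT_STATUS_INTERNAL_ERROR*)
        echo "attempt $rt_try/$rt_max: transient failure" >&2 ;;
      *)
        echo "not retrying: $rt_out" >&2
        return 2 ;;
    esac
    rt_try=$((rt_try + 1))
    if [ "$rt_try" -le "$rt_max" ]; then sleep "$rt_delay"; fi
  done
  return 1
}

# grant_rights GROUP PRIV...
# Runs the post's `net rpc rights grant` call once per privilege and stops at
# the first privilege that cannot be granted. NET_CMD, MAX_TRIES and
# RETRY_DELAY are hypothetical knobs introduced for this example.
grant_rights() {
  gr_group=$1
  shift
  for gr_priv in "$@"; do
    retry_transient "${MAX_TRIES:-6}" "${RETRY_DELAY:-10}" \
      "${NET_CMD:-net}" rpc rights grant "$gr_group" "$gr_priv" \
      -U "Administrator%$SAMBA_NT_ADMIN_PASS" || return $?
  done
}
```

A cron wrapper can then call grant_rights "$SAMBA_DC_ADMIN_GROUP_CHOICE" $PRIVS and alert on a non-zero exit instead of spinning.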



