[Samba] classicupgrade, net rpc rights grant NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR

Rowland Penny rpenny at samba.org
Mon Mar 11 08:24:21 UTC 2019 

On Mon, 11 Mar 2019 07:16:30 +0100
Christian via samba <samba at lists.samba.org> wrote:

> Dear all,
> 
> we are transitioning from an openldap / MIT KDC setup to a samba4 AD.
> I am doing this by setting up a samba NT4 domain, populating it from
> LDAP and sticking in the password hashes which I automatically
> extract from the MIT KDC arc4-hmac keys. Then I run the
> classicupgrade. I do this whole thing from cron in a script once a
> day to be able to slowly migrate services. The MIT / openldap and
> samba4 AD servers are on different machines. My script (based on
> LPHvB's instructions) sets privileges in the following way:
> 
> [..]
> 
> systemctl restart bind9 ntp samba-ad-dc
> sleep 5
> SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
> PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege \
> SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
> SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
> SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege \
> SeDebugPrivilege SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege \ SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege \ SeLoadDriverPrivilege
> SeCreatePagefilePrivilege \ SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege SeUndockPrivilege \ SeManageVolumePrivilege
> SeImpersonatePrivilege SeCreateGlobalPrivilege \
> SeEnableDelegationPrivilege"
> 
> samba-tool user setpassword Administrator \
>   --newpassword="$SAMBA_NT_ADMIN_PASS"
> echo "$SAMBA_NT_ADMIN_PASS" | kinit Administrator
> for priv in $PRIVS ; do
>   while ! net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" $priv
> \ -U "Administrator%$SAMBA_NT_ADMIN_PASS" ; do
>     echo "Failed to grant $priv ... Retrying ..."
>     sleep 10
>   done
> done
> 
> Upon running this, I often get NT_STATUS_INTERNAL_ERROR or
> NT_STATUS_IO_TIMEOUT:
> 
> Changed password OK
> Password for Administrator at XXXXXXXXXXXXXXXXX:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_IO_TIMEOUT
> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_IO_TIMEOUT
> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_INTERNAL_ERROR
> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> Successfully granted rights.
> Successfully granted rights.
> Successfully granted rights.
> 
> Why would that happen? I can put in as much wait time as I want after
> the initial service restart, and it still happens. I obviously work
> around it by repeating until it proceeds, but I do not understand why
> this is necessary. Any hints would be appreciated... Thanks,
> 
> Christian
> 
> 

This looks like a DNS problem, what do you have in /etc/resolv.conf ?
Is Bind9 setting up correctly and running ?
What OS ?

You do not need the 'kinit', you are not doing the changes via kerberos.

Rowland

More information about the samba mailing list