[Samba] classicupgrade, net rpc rights grant NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR
Rowland Penny
rpenny at samba.org
Mon Mar 11 08:24:21 UTC 2019
On Mon, 11 Mar 2019 07:16:30 +0100
Christian via samba <samba at lists.samba.org> wrote:
> Dear all,
>
> we are transitioning from an openldap / MIT KDC setup to a samba4 AD.
> I am doing this by setting up a samba NT4 domain, populating it from
> LDAP and sticking in the password hashes which I automatically
> extract from the MIT KDC arc4-hmac keys. Then I run the
> classicupgrade. I do this whole thing from cron in a script once a
> day to be able to slowly migrate services. The MIT / openldap and
> samba4 AD servers are on different machines. My script (based on
> LPHvB's instructions) sets privileges in the following way:
>
> [..]
>
> systemctl restart bind9 ntp samba-ad-dc
> sleep 5
> SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
> PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege \
> SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
> SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
> SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege \
> SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege \
> SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
> SeLoadDriverPrivilege SeCreatePagefilePrivilege \
> SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege \
> SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
> SeEnableDelegationPrivilege"
>
> samba-tool user setpassword Administrator \
> --newpassword="$SAMBA_NT_ADMIN_PASS"
> echo "$SAMBA_NT_ADMIN_PASS" | kinit Administrator
> for priv in $PRIVS ; do
> while ! net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" $priv \
> -U "Administrator%$SAMBA_NT_ADMIN_PASS" ; do
> echo "Failed to grant $priv ... Retrying ..."
> sleep 10
> done
> done
>
> Upon running this, I often get NT_STATUS_INTERNAL_ERROR or
> NT_STATUS_IO_TIMEOUT:
>
> Changed password OK
> Password for Administrator at XXXXXXXXXXXXXXXXX:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_IO_TIMEOUT
> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_IO_TIMEOUT
> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_INTERNAL_ERROR
> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> Successfully granted rights.
> Successfully granted rights.
> Successfully granted rights.
>
> Why would that happen? I can put in as much wait time as I want after
> the initial service restart, and it still happens. I obviously work
> around it by repeating until it proceeds, but I do not understand why
> this is necessary. Any hints would be appreciated... Thanks,
>
> Christian
>
>
This looks like a DNS problem. What do you have in /etc/resolv.conf?
Is Bind9 setting up correctly and running?
What OS?
You do not need the 'kinit'; you are not doing the changes via Kerberos.
Rowland
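
The resolv.conf question above can be checked by the cron script itself before it starts granting rights, and the endless retry loop can be bounded so a broken run fails visibly. This is an added example, not code from either message; the function names, the address 192.0.2.10 (standing in for the DC's own IP) and the file contents are constructed, and it assumes the DC is expected to resolve names through its own DNS service first.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses and file contents are constructed.

# Print the nameserver addresses listed in a resolv.conf-style file, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Succeed only if the first nameserver in file $1 equals the expected address $2.
# The resolver tries entries in order, so a different first entry means
# lookups go elsewhere before they reach the DC's own DNS.
first_nameserver_is() {
    first=$(resolv_nameservers "$1" | head -n 1)
    [ -n "$first" ] && [ "$first" = "$2" ]
}

# Run a command at most $1 times with $2 seconds between attempts.
# Unlike an endless "while ! cmd" loop, this lets a cron job fail visibly.
# Only the command name is logged, so a password argument never reaches the log.
retry_bounded() {
    max=$1; delay=$2; shift 2
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        if "$@"; then return 0; fi
        echo "attempt $attempt/$max failed: $1 ..." >&2
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$max" ]; then sleep "$delay"; fi
    done
    return 1
}

# Demonstration on a constructed file: sh preflight.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf 'search example.test\nnameserver 192.0.2.53\nnameserver 192.0.2.10\n' > "$tmp"
    if first_nameserver_is "$tmp" 192.0.2.10; then
        echo "resolv.conf OK"
    else
        echo "first nameserver is $(resolv_nameservers "$tmp" | head -n 1), expected 192.0.2.10"
    fi
    rm -f "$tmp"
fi
```

In the script from the thread, the inner loop would become a single `retry_bounded 6 10 net rpc rights grant ...` call, with `first_nameserver_is /etc/resolv.conf` run once before the loop over `$PRIVS`.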