[Samba] classicupgrade, net rpc rights grant NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR

Rowland Penny rpenny at samba.org
Tue Mar 12 09:16:39 UTC 2019


On Tue, 12 Mar 2019 01:47:53 +0100
Christian via samba <samba at lists.samba.org> wrote:

> On 11.03.2019 at 09:24, Rowland Penny via samba wrote:
> > On Mon, 11 Mar 2019 07:16:30 +0100
> > Christian via samba <samba at lists.samba.org> wrote:
> >
> >> Dear all,
> >>
> >> we are transitioning from an openldap / MIT KDC setup to a samba4
> >> AD. I am doing this by setting up a samba NT4 domain, populating
> >> it from LDAP and sticking in the password hashes which I
> >> automatically extract from the MIT KDC arc4-hmac keys. Then I run
> >> the classicupgrade. I do this whole thing from cron in a script
> >> once a day to be able to slowly migrate services. The MIT /
> >> openldap and samba4 AD servers are on different machines. My
> >> script (based on LPHvB's instructions) sets privileges in the
> >> following way:
> >>
> >> [..]
> >>
> >> systemctl restart bind9 ntp samba-ad-dc
> >> sleep 5
> >> SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
> >> PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege \
> >>   SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
> >>   SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
> >>   SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege \
> >>   SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege \
> >>   SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
> >>   SeLoadDriverPrivilege SeCreatePagefilePrivilege \
> >>   SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege \
> >>   SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
> >>   SeEnableDelegationPrivilege"
> >>
> >> samba-tool user setpassword Administrator \
> >>   --newpassword="$SAMBA_NT_ADMIN_PASS"
> >> echo "$SAMBA_NT_ADMIN_PASS" | kinit Administrator
> >> for priv in $PRIVS ; do
> >>   while ! net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" $priv \
> >>       -U "Administrator%$SAMBA_NT_ADMIN_PASS" ; do
> >>     echo "Failed to grant $priv ... Retrying ..."
> >>     sleep 10
> >>   done
> >> done
> >>
> >> Upon running this, I often get NT_STATUS_INTERNAL_ERROR or
> >> NT_STATUS_IO_TIMEOUT:
> >>
> >> Changed password OK
> >> Password for Administrator at XXXXXXXXXXXXXXXXX:
> >> Could not connect to server 127.0.0.1
> >> Connection failed: NT_STATUS_IO_TIMEOUT
> >> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> >> Could not connect to server 127.0.0.1
> >> Connection failed: NT_STATUS_IO_TIMEOUT
> >> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> >> Could not connect to server 127.0.0.1
> >> Connection failed: NT_STATUS_INTERNAL_ERROR
> >> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> >> Successfully granted rights.
> >> Successfully granted rights.
> >> Successfully granted rights.
> >>
> >> Why would that happen? I can put in as much wait time as I want
> >> after the initial service restart, and it still happens. I
> >> obviously work around it by repeating until it proceeds, but I do
> >> not understand why this is necessary. Any hints would be
> >> appreciated... Thanks,
> >>
> >> Christian
> >>
> >>
> > This looks like a DNS problem, what do you have
> > in /etc/resolv.conf? Is Bind9 set up correctly and running?
> 
> Yep. /etc/resolv.conf points to 127.0.0.1 only. Not sure DNS is the
> issue here as it says it cannot somehow talk to 127.0.0.1...

Try changing '127.0.0.1' to the DC's actual IP address.

> 
> > What OS ?
> Debian stable with LPHvB 4.8 packages.

Good, you are using the same packages as myself and it works for me, so
it sounds like it is a configuration problem somewhere.

Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5
/etc/bind/named.conf
/etc/bind/named.options
/etc/bind/named.local

> > You do not need the 'kinit', you are not doing the changes via
> > kerberos.
> 
> I do that for something later down the road in the script when I use
> samba-tool to add DNS records...

Understood ;-)

Rowland
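The retry loop from the quoted script, reworked as an added example (not code from the thread or from Samba): it pins the connection to the DC's real address with -S, as suggested above, and gives up after a bounded number of attempts instead of retrying forever. DC_ADDR, MAX_TRIES, RETRY_SLEEP and NET_CMD are this example's own assumptions; 192.0.2.10 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: DC_ADDR, MAX_TRIES,
# RETRY_SLEEP and NET_CMD are this example's own knobs; 192.0.2.10 is a
# placeholder for the DC's real address (the thread suggests using it
# instead of 127.0.0.1); NET_CMD exists so a test can stand in for 'net'.

DC_ADDR="${DC_ADDR:-192.0.2.10}"
MAX_TRIES="${MAX_TRIES:-6}"
RETRY_SLEEP="${RETRY_SLEEP:-10}"
NET_CMD="${NET_CMD:-net}"

# grant_right GROUP PRIVILEGE
# Retries the grant at most MAX_TRIES times (the original loop retries
# forever). Returns 0 on success, 1 when every attempt failed.
grant_right() {
    group="$1"
    priv="$2"
    n=1
    while [ "$n" -le "$MAX_TRIES" ]; do
        # -S pins the RPC connection to the DC's real address rather than
        # whatever name resolution picks for the local host.
        if $NET_CMD rpc rights grant "$group" "$priv" \
                -S "$DC_ADDR" -U "Administrator%${SAMBA_NT_ADMIN_PASS:-}"; then
            return 0
        fi
        echo "attempt $n/$MAX_TRIES: could not grant $priv to $group" >&2
        n=$((n + 1))
        if [ "$n" -le "$MAX_TRIES" ]; then
            sleep "$RETRY_SLEEP"
        fi
    done
    return 1
}

# grant_all GROUP PRIV...
# Stops at the first privilege that cannot be granted, so a half-applied
# privilege set is reported instead of silently skipped.
grant_all() {
    group="$1"
    shift
    for priv in "$@"; do
        if ! grant_right "$group" "$priv"; then
            echo "giving up: $priv was not granted to $group" >&2
            return 1
        fi
    done
    return 0
}
```

Call it as `grant_all "BUILTIN\Administrators" $PRIVS` in place of the nested loops, with SAMBA_NT_ADMIN_PASS exported as in the original script.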