[Samba] classicupgrade, net rpc rights grant NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR

L.P.H. van Belle belle at bazuin.nl
Tue Mar 12 09:23:08 UTC 2019


Hai, 

I'm preparing for my winter sports vacation and I must finish some things here. 
So that's why I'm low profiling atm. 

Try in the command line. 
Remove -UDOM\Administrator 
Add: 
-k -S hostname(.fqdn) 

I expect that to work. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Tuesday 12 March 2019 10:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] classicupgrade, net rpc rights grant 
> NT_STATUS_IO_TIMEOUT and NT_STATUS_INTERNAL_ERROR
> 
> On Tue, 12 Mar 2019 01:47:53 +0100
> Christian via samba <samba at lists.samba.org> wrote:
> 
> > On 11.03.2019 at 09:24, Rowland Penny via samba wrote:
> > > On Mon, 11 Mar 2019 07:16:30 +0100
> > > Christian via samba <samba at lists.samba.org> wrote:
> > >
> > >> Dear all,
> > >>
> > >> we are transitioning from an openldap / MIT KDC setup to a samba4
> > >> AD. I am doing this by setting up a samba NT4 domain, populating
> > >> it from LDAP and sticking in the password hashes which I
> > >> automatically extract from the MIT KDC arc4-hmac keys. Then I run
> > >> the classicupgrade. I do this whole thing from cron in a script
> > >> once a day to be able to slowly migrate services. The MIT /
> > >> openldap and samba4 AD servers are on different machines. My
> > >> script (based on LPHvB's instructions) sets privileges in the
> > >> following way:
> > >>
> > >> [..]
> > >>
> > >> systemctl restart bind9 ntp samba-ad-dc
> > >> sleep 5
> > >> SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
> > >> PRIVS="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege \
> > >> SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege \
> > >> SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
> > >> SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege \
> > >> SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege \
> > >> SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
> > >> SeLoadDriverPrivilege SeCreatePagefilePrivilege \
> > >> SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege \
> > >> SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
> > >> SeEnableDelegationPrivilege"
> > >>
> > >> samba-tool user setpassword Administrator \
> > >>   --newpassword="$SAMBA_NT_ADMIN_PASS"
> > >> echo "$SAMBA_NT_ADMIN_PASS" | kinit Administrator
> > >> for priv in $PRIVS ; do
> > >>   while ! net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" $priv \
> > >>     -U "Administrator%$SAMBA_NT_ADMIN_PASS" ; do
> > >>     echo "Failed to grant $priv ... Retrying ..."
> > >>     sleep 10
> > >>   done
> > >> done
> > >>
> > >> Upon running this, I often get NT_STATUS_INTERNAL_ERROR or
> > >> NT_STATUS_IO_TIMEOUT:
> > >>
> > >> Changed password OK
> > >> Password for Administrator at XXXXXXXXXXXXXXXXX:
> > >> Could not connect to server 127.0.0.1
> > >> Connection failed: NT_STATUS_IO_TIMEOUT
> > >> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> > >> Could not connect to server 127.0.0.1
> > >> Connection failed: NT_STATUS_IO_TIMEOUT
> > >> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> > >> Could not connect to server 127.0.0.1
> > >> Connection failed: NT_STATUS_INTERNAL_ERROR
> > >> Failed to grant SeDiskOperatorPrivilege ... Retrying ...
> > >> Successfully granted rights.
> > >> Successfully granted rights.
> > >> Successfully granted rights.
> > >>
> > >> Why would that happen? I can put in as much wait time as I want
> > >> after the initial service restart, and it still happens. I
> > >> obviously work around it by repeating until it proceeds, but I do
> > >> not understand why this is necessary. Any hints would be
> > >> appreciated... Thanks,
> > >>
> > >> Christian
> > >>
> > >>
> > > This looks like a DNS problem, what do you have
> > > in /etc/resolv.conf ? Is Bind9 setting up correctly and running ?
> > 
> > Yep. /etc/resolv.conf points to 127.0.0.1 only. Not sure DNS is the
> > issue here as it says it cannot somehow talk to 127.0.0.1...
> 
> Try changing '127.0.0.1' to the DC's actual ipaddress.
> 
> > 
> > > What OS ?
> > Debian stable with LPHvB 4.8 packages.
> 
> Good, you are using the same packages as myself and it works for me, so
> it sounds like it is a configuration problem somewhere.
> 
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5
> /etc/bind/named.conf
> /etc/bind/named.options
> /etc/bind/named.local
> 
> > > You do not need the 'kinit', you are not doing the changes via
> > > kerberos.
> > 
> > I do that for something later down the road in the script when I use
> > samba-tool to add DNS records...
> 
> Understood ;-)
> 
> Rowland
> 
> 
> 
> 
> 
> 
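
The change suggested at the top of this message (drop -U, add -k -S hostname.fqdn), as an added example that is not part of the original thread: the grant loop authenticates with the ticket from the earlier kinit, so the Administrator password no longer appears in the argument list of every net call, and the retry is bounded instead of looping forever. NET, RETRIES, DELAY and the function names are hypothetical names introduced for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). NET, RETRIES and DELAY are
# hypothetical knobs; override NET to dry-run without a DC.
NET="${NET:-net}"
RETRIES="${RETRIES:-6}"
DELAY="${DELAY:-10}"

# dedupe_privs "A B A" prints "A B" (first-seen order kept), so a
# privilege listed twice is only granted once.
dedupe_privs() {
    local seen=" " out="" p
    for p in $1; do
        case "$seen" in
            *" $p "*) ;;
            *) seen="$seen$p "; out="${out:+$out }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# grant_rights GROUP SERVER_FQDN "PRIV1 PRIV2 ..."
# Relies on a Kerberos ticket obtained beforehand (kinit); -k and -S are
# the options named in the reply above. No password is placed in argv.
grant_rights() {
    local group="$1" server="$2" priv try failed=0
    for priv in $(dedupe_privs "$3"); do
        try=1
        until "$NET" rpc rights grant "$group" "$priv" -k -S "$server"; do
            if [ "$try" -ge "$RETRIES" ]; then
                echo "Giving up on $priv after $try attempts" >&2
                failed=$((failed + 1))
                break
            fi
            echo "Failed to grant $priv (attempt $try) ... Retrying ..." >&2
            try=$((try + 1))
            sleep "$DELAY"
        done
    done
    # Non-zero exit if any privilege could not be granted.
    [ "$failed" -eq 0 ]
}

# Usage (after kinit Administrator), with a placeholder host name:
#   grant_rights 'BUILTIN\Administrators' dc1.example.test "$PRIVS"
```
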



