[Samba] net rpc rights grant fail to connect 127.0.0.1

Douglas G. Oechsler doguibnu at gmail.com
Mon Jul 13 14:29:10 UTC 2020


Hello LPH

On Mon, 13 Jul 2020 at 09:50, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> (Ah, just finished my message and Rowland also posted. Well, see this as
> extra info )
>
> This "should" not be needed.
>
> Run this :
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
> bash samba-check-SePrivileges.sh
> And you see all default settings.
>
>
the answer:
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Could not connect to server E-PLANO.ad.mydomain.br
Other credential caches present, use -A to destroy all




> And you should see: (everywhere) but I picked SeDiskOperatorPrivilege as
> example
>
> SeDiskOperatorPrivilege:
>   BUILTIN\Administrators
>
> "DOMAIN\Domain Admins" is by default a member of "BUILTIN\Administrators"
>
> So I'm wondering why you need "SAMDOM\Unix Admins" to
> SeDiskOperatorPrivilege
> When you can add "SAMDOM\Unix Admins" to the windows group "DOMAIN\Domain
> Admins"
> With the same result in the end. Unix admin having rights like "dom
> admins"
>
Yes, you are right about the observation. I am only following the Samba wiki.


>
> So can you explain it a bit why you want to set it? there might also be a
> good reason to.
> But I don't know if that's the case.
>
> You told all


> Also, to the source of this.
> "could not connect to server 127.0.0.1 connection failed:
> NT_STATUS_CONNECTION_REFUSED"
>
> I see you're running the AD-DC as fileserver.
> Then you can't use the "net" command.
>
NO! I am trying to do the command from the AD member, and afterwards it will be
an AD file server.
*Is the command on the AD-DC server side?*



> Can you post the output of :
>

*From Member AD*


> */etc/hosts*
>

127.0.0.1 localhost
10.1.1.21       E-PLANO.ad.mydomain.br e-plano
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts



> */etc/resolv.conf *
>

search AD.MYDOMAIN.BR
nameserver 10.1.1.21
nameserver 200.X.X.X



> */etc/krb5.conf *
>

[libdefaults]
default_realm = AD.MYDOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true



> */etc/nsswitch.conf*
>

#passwd: compat winbind
passwd: files winbind
#group: compat winbind
group: files winbind
shadow: compat

#hosts: files mdns_minimal [NOTFOUND=return] dns
hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files



> */etc/idmapd.conf (if exists)*
>

[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody



> *ip a *
>

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:ad:ab:9c brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.16/24 brd 10.1.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::542f:faae:915d:db4c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever


> *hostname -f*

E-PLANO.ad.mydomain.br

>
> *hostname -d*

ad.mydomain.br


> *hostname -s*

e-plano


> *hostname -i *

10.1.1.21


>
> * hostname -I*

10.1.1.16

>
> And of course the smb.conf



# Global parameters
[global]
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
interfaces = lo eth0
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = AD.MYDOMAIN.BR
security = ADS
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/etc/user.map
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = MYDOMAIN
idmap config mydomain:unix_primary_group = yes
idmap config mydomain:unix_nss_info = yes
idmap config mydomain:range = 10000-999999
idmap config mydomain:schema_mode = rfc2307
idmap config mydomain:backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr

[eplano]
path = /srv/eplano
read only = No


> Last the IP numbers of your AD-DC, if I was wrong in my assumption above
> that this is the AD-DC.
> That should give us all we need to know.
>
> Greetz,
>
> Louis
>
Thanks for the attention
>

Douglas



>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Douglas G. Oechsler via samba
> > Sent: Monday 13 July 2020 14:13
> > To: samba at lists.samba.org
> > Subject: [Samba] net rpc rights grant fail to connect 127.0.0.1
> >
> > Hello!
> >
> > I am trying to do the command:
> > *net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U
> > "SAMDOM\administrator"*
> > *could not connect to server 127.0.0.1*
> > *connection failed: NT_STATUS_CONNECTION_REFUSED*
> >
> > All steps from original samba wiki. The distro is Opensuse 15.1 64 bits, on
> > Oracle VM, static IP.
> > I did read several blogs, docs, samba mailing list. Trying many
> > configurations to solve or connect AD-DC.
> >
> > *some steps: ad-dc*
> > in smb.conf:
> > bind interfaces only = yes
> > interfaces = lo eth0
> >  dns forwarder = IP-AD-DC DNS
> >
> > after command *systemctl status samba-ad-dc*
> >
> > jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800684,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > jul 13 08:58:09 dclinux samba[2146]: /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> > jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800882,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > jul 13 08:58:09 dclinux samba[2146]: /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 56, in <module>
> > jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800934,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate: import dns.resolver
> > jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800972,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> > jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate: ModuleNotFoundError: No module named 'dns'
> > jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.818318,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
> > jul 13 08:58:09 dclinux samba[2146]:  *dnsupdate_nameupdate_done: Failed DNS update with exit code 1*
> >
> > I am lost and do not know what to do.
> >
> > Please, can someone help me?
> >
> > Thanks so much
> >
> > Douglas
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
>


-- 
*Douglas Giovani Oechsler*
e-mail: doguibnu at gmail.com <douglasgiovani at oechsler.com.br>
*Prudentópolis - PR*
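
The outputs posted above disagree about this host's address: `hostname -i`, which resolves the name through /etc/hosts, returns 10.1.1.21, while `hostname -I` and `ip a` show 10.1.1.16 on eth0. The script below is an added example, not part of the original message or of Samba; its function names are hypothetical and the sample data is constructed from the values in the post. It checks whether the address /etc/hosts assigns to a host name is configured on a local interface.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed
# from the /etc/hosts and `ip a` output posted in the message above.

# Print the address(es) that hosts-format text on stdin assigns to name $1
# (case-insensitive, matches canonical name or alias, ignores comments).
hosts_addrs_for() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == want) { print $1; break } }'
}

# Print non-loopback IPv4 addresses found in `ip a` output on stdin.
iface_addrs() {
    awk '$1 == "inet" { split($2, a, "/"); if (a[1] !~ /^127\./) print a[1] }'
}

# check_host_mapping NAME HOSTS_TEXT IPA_TEXT
# Returns 0 only if every address mapped to NAME is on a local interface.
check_host_mapping() {
    name=$1
    mapped=$(printf '%s\n' "$2" | hosts_addrs_for "$name")
    local_addrs=$(printf '%s\n' "$3" | iface_addrs)
    [ -n "$mapped" ] || { echo "NOENTRY $name"; return 1; }
    status=0
    for m in $mapped; do
        if printf '%s\n' "$local_addrs" | grep -Fxq "$m"; then
            echo "OK $name -> $m"
        else
            echo "MISMATCH $name -> $m (local: $(echo $local_addrs))"
            status=1
        fi
    done
    return $status
}

SAMPLE_HOSTS='127.0.0.1 localhost
10.1.1.21       E-PLANO.ad.mydomain.br e-plano'
SAMPLE_IPA='    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 10.1.1.16/24 brd 10.1.1.255 scope global noprefixroute eth0'

check_host_mapping "E-PLANO.ad.mydomain.br" "$SAMPLE_HOSTS" "$SAMPLE_IPA" || true
```

On a live host the same check can be fed real data with `check_host_mapping "$(hostname -f)" "$(cat /etc/hosts)" "$(ip a)"`.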

