[Samba] net rpc rights grant fail to connect 127.0.0.1
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 13 14:55:31 UTC 2020
Ok, im bit confused, sorry,.
Ehen i look that the below output, then i see there are multiple things suspecting to go wrong here.
For example this is a mismatch.. especialy hostname -i & -I these should be the same or -I should show both.
Now, if this is the member i would have expected something like this.
/etc/hosts
127.0.0.1 localhost
10.1.1.16 E-PLANO.ad.mydomain.br e-plano
/etc/resolv.conf
search AD.MYDOMAIN.BR
nameserver 10.1.1.21
for the AD-DC
For the member
/etc/hosts
127.0.0.1 localhost
10.1.1.21 some-DCnameHere.ad.mydomain.br some-DCnameHere
/etc/resolv.conf
search AD.MYDOMAIN.BR
nameserver 10.1.1.21
nameserver 200.xx.x.x.xx
nameserver 8.8.8.8
and in samba smb.conf a forwarder to the internet if internal DNS is used.
My advice if this is a fresh domain verify you AD-DC first. i suspect there is more not correct.
debugging this and having 2 servers with possible faulty settings is a hard cookie..
Sorry im the bad news bringer..
Greetz,
Louis
Van: Douglas G. Oechsler [mailto:doguibnu at gmail.com]
Verzonden: maandag 13 juli 2020 16:29
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] net rpc rights grant fail to connect 127.0.0.1
Hello LPH
Em seg., 13 de jul. de 2020 às 09:50, L.P.H. van Belle via samba <samba at lists.samba.org> escreveu:
(Ah, just finish my message and Rowland also mosted. Well, see this as extra info )
This "should" not be needed.
Run this :
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
bash samba-check-SePrivileges.sh
And you see all default settings.
the answer:
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Could not connect to server E-PLANO.ad.mydomain.br
Other credential caches present, use -A to destroy all
And you should see: (everyhere) but i picked SeDiskOperatorPrivilege as example
SeDiskOperatorPrivilege:
BUILTIN\Administrators
"DOMAIN\Domain Admins" is by default a member of "BUILTIN\Administrators"
So im wondering why you need "SAMDOM\Unix Admins" to SeDiskOperatorPrivilege
When you can add "SAMDOM\Unix Admins" to the windows group "DOMAIN\Domain Admins"
With the same result in the end. Unix admin having rights like "dom admins"
Yes, you are right about observation. I am only follow the samba wiki
So can you explain it a bit why you want to set it? there might also be a good reason to.
But i dont know if thats the case.
You told all
Also, to the source source of this.
"could not connect to server 127.0.0.1 connection failed: NT_STATUS_CONNECTION_REFUSED"
I see your running the AD-DC as fileserver.
Then you cant use the "net" command.
NO! I am trying to do the command from Member AD and after it will be AD file server
Is the command on the AD-DC server side?
Can you post the output of :
From Member AD
/etc/hosts
127.0.0.1 localhost
10.1.1.21 E-PLANO.ad.mydomain.br e-plano
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
/etc/resolv.conf
search AD.MYDOMAIN.BR
nameserver 10.1.1.21
nameserver 200.X.X.X
/etc/krb5.conf
[libdefaults]
default_realm = AD.MYDOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/nsswitch.conf
#passwd: compat winbind
passwd: files winbind
#group: compat winbind
group: files winbind
shadow: compat
#hosts: files mdns_minimal [NOTFOUND=return] dns
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
/etc/idmapd.conf (if exists)
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet MailScanner warning: numerical links are often malicious: 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:ad:ab:9c brd ff:ff:ff:ff:ff:ff
inet MailScanner warning: numerical links are often malicious: 10.1.1.16/24 brd 10.1.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::542f:faae:915d:db4c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
hostname -f E-PLANO.ad.mydomain.br
hostname -d ad.mydomain.br
hostname -s e-plano
hostname -i 10.1.1.21
hostname -I
10.1.1.16
And offcourse the smb.conf
# Global parameters
[global]
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
interfaces = lo eth0
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = AD.MYDOMAIN.BR
security = ADS
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/etc/user.map
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = MYDOMAIN
idmap config mydomain:unix_primary_group = yes
idmap config mydomain:unix_nss_info = yes
idmap config mydomain:range = 10000-999999
idmap config mydomain:schema_mode = rfc2307
idmap config mydomain:backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[eplano]
path = /srv/eplano
read only = No
Last the ipnummers of your AD-DC, if i was wrong im my asumption above that this is the AD-DC.
That should give us all we need to know.
Greetz,
Louis
Thanks attention
Douglas
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Douglas G. Oechsler via samba
> Verzonden: maandag 13 juli 2020 14:13
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] net rpc rights grant fail to connect 127.0.0.1
>
> Hello!
>
> I am trying to do the command:
> *net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U
> "SAMDOM\administrator"*
> *could not connect to server 127.0.0.1*
> *connection failed: NT_STATUS_CONNECTION_REFUSED*
>
> All steps from original samba wiki. The distro is Opensuse
> 15.1 64 bits, on
> Oracle VM, static IP.
> I did read several blogs, docs, samba mailing list. Trying many
> configurations to solve or connect AD-DC.
>
> *some steps: ad-dc*
> in smb.conf:
> bind interfaces only = yes
> interfaces = lo eth0
> dns forwarder = IP-AD-DC DNS
>
> after command *systemctl status samba-ad-dc*
>
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800684, 0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:
> /usr/sbin/samba_dnsupdate: Traceback
> (most recent call last):
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800882, 0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:
> /usr/sbin/samba_dnsupdate: File
> "/usr/sbin/samba_dnsupdate", line 56, in <module>
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800934, 0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]: /usr/sbin/samba_dnsupdate:
> import dns.resolver
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800972, 0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]: /usr/sbin/samba_dnsupdate:
> ModuleNotFoundError: No module named 'dns'
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.818318, 0]
> ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
> jul 13 08:58:09 dclinux samba[2146]: *
> dnsupdate_nameupdate_done: Failed
> DNS update with exit code 1*
>
> I am lost and do not know what to do.
>
> Please, someone can help me?
>
> Thanks so much
>
> Douglas
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Douglas Giovani Oechsler
e-mail: MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "oechsler.com.br" doguibnu at gmail.com
Prudentópolis - PR
More information about the samba
mailing list