[Samba] net rpc rights grant fail to connect

L.P.H. van Belle belle at bazuin.nl
Mon Jul 13 14:55:31 UTC 2020

Ok, I'm a bit confused, sorry.
When I look at the output below, I see there are multiple things that look wrong here.
For example this is a mismatch, especially hostname -i & -I: these should be the same, or -I should show both.
Now, if this is the member, I would have expected something like this.

/etc/hosts localhost       E-PLANO.ad.mydomain.br e-plano


for the AD-DC 

For the member 
/etc/hosts localhost       some-DCnameHere.ad.mydomain.br some-DCnameHere


nameserver 200.xx.x.x.xx

and in samba smb.conf a forwarder to the internet if internal DNS is used. 

My advice: if this is a fresh domain, verify your AD-DC first. I suspect there is more that is not correct.
Debugging this with 2 servers with possibly faulty settings is a hard cookie.

Sorry I'm the bad news bringer.
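A consistency check for the /etc/hosts layout and the hostname -i / -I mismatch discussed above, as an added example that is not part of this thread; the function name, the sample hosts file and the 192.0.2.10 address are constructed, only the host names come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check that the /etc/hosts entry for a
# Samba host has the form "<ip> <fqdn> <short>" and that <ip> is really one
# of the machine's interface addresses, so that what `hostname -i` resolves
# to also shows up in `hostname -I`.
#
# check_host_resolution FQDN SHORT HOSTS_TEXT IFACE_IPS
#   HOSTS_TEXT: contents of /etc/hosts (pass "$(cat /etc/hosts)" on a live host)
#   IFACE_IPS:  space-separated addresses, e.g. "$(hostname -I)"
# Prints each problem found; returns 0 if consistent, 1 otherwise.
check_host_resolution() {
    fqdn=$1; short=$2; hosts_text=$3; iface_ips=$4
    rc=0
    # First non-comment /etc/hosts line that names the FQDN as a whole word.
    line=$(printf '%s\n' "$hosts_text" | sed 's/#.*//' | grep -Fw -- "$fqdn" | head -n 1)
    if [ -z "$line" ]; then
        echo "no /etc/hosts entry for $fqdn"
        return 1
    fi
    # Split the line into its fields: IP, first name, second name.
    set -- $line
    ip=$1; first=$2; second=$3
    if [ "$first" != "$fqdn" ] || [ "$second" != "$short" ]; then
        echo "expected '<ip> $fqdn $short' but found '$line'"
        rc=1
    fi
    # The address must be one the machine actually has; a loopback or stale
    # address here is what makes hostname -i disagree with hostname -I.
    case " $iface_ips " in
        *" $ip "*) ;;
        *) echo "$fqdn maps to $ip, which is not an interface address ($iface_ips)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input using the host names from the thread and an
# RFC 5737 documentation address. On a real member run, for example:
#   check_host_resolution "$(hostname -f)" "$(hostname -s)" "$(cat /etc/hosts)" "$(hostname -I)"
SAMPLE_HOSTS='127.0.0.1 localhost
192.0.2.10 E-PLANO.ad.mydomain.br e-plano'
check_host_resolution E-PLANO.ad.mydomain.br e-plano "$SAMPLE_HOSTS" "192.0.2.10" \
    && echo "sample hosts file is consistent"
```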



From: Douglas G. Oechsler [mailto:doguibnu at gmail.com]
Sent: Monday 13 July 2020 16:29
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] net rpc rights grant fail to connect

Hello LPH

On Mon, 13 Jul 2020 at 09:50, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

(Ah, just finished my message and Rowland also posted. Well, see this as extra info.)

This "should" not be needed.

Run this:
bash samba-check-SePrivileges.sh
and you will see all the default settings.

the answer:
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Could not connect to server E-PLANO.ad.mydomain.br

Other credential caches present, use -A to destroy all

And you should see (everywhere), but I picked SeDiskOperatorPrivilege as an example:


"DOMAIN\Domain Admins" is by default a member of "BUILTIN\Administrators" 

So I'm wondering why you need "SAMDOM\Unix Admins" to have SeDiskOperatorPrivilege,
when you can add "SAMDOM\Unix Admins" to the Windows group "DOMAIN\Domain Admins"
with the same result in the end: Unix Admins having rights like "dom admins".

Yes, you are right about the observation. I am only following the Samba wiki.


So can you explain a bit why you want to set it? There might also be a good reason to,
but I don't know if that's the case.

You told all

Also, to the source of this.
"could not connect to server connection failed: NT_STATUS_CONNECTION_REFUSED"

I see you're running the AD-DC as a fileserver.
Then you can't use the "net" command.

NO! I am trying to run the command from the AD member, and afterwards it will be the AD file server.

Is the command on the AD-DC server side? 

Can you post the output of : 

From the AD member:
/etc/hosts localhost       E-PLANO.ad.mydomain.br e-plano
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts


nameserver 200.X.X.X


default_realm = AD.MYDOMAIN.BR
dns_lookup_realm = false
dns_lookup_kdc = true


#passwd: compat winbind
passwd: files winbind
#group: compat winbind
group: files winbind
shadow: compat

#hosts: files mdns_minimal [NOTFOUND=return] dns
hosts: files dns 
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

/etc/idmapd.conf (if exists)


Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain


Nobody-User = nobody
Nobody-Group = nobody

ip a 

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet [address removed by MailScanner] scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:ad:ab:9c brd ff:ff:ff:ff:ff:ff
    inet [address removed by MailScanner] brd [address removed by MailScanner] scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::542f:faae:915d:db4c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

hostname -f E-PLANO.ad.mydomain.br 

hostname -d ad.mydomain.br
hostname -s e-plano 

hostname -i
hostname -I  

And of course the smb.conf:

# Global parameters
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
interfaces = lo eth0
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
security = ADS
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/etc/user.map
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = MYDOMAIN
idmap config mydomain:unix_primary_group = yes
idmap config mydomain:unix_nss_info = yes
idmap config mydomain:range = 10000-999999
idmap config mydomain:schema_mode = rfc2307
idmap config mydomain:backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr

path = /srv/eplano
read only = No

Last, the IP numbers of your AD-DC, if I was wrong in my assumption above that this is the AD-DC.
That should give us all we need to know.



Thanks for your attention.



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Douglas G. Oechsler via samba
> Sent: Monday 13 July 2020 14:13
> To: samba at lists.samba.org
> Subject: [Samba] net rpc rights grant fail to connect
> Hello!
> I am trying to do the command:
> *net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U
> "SAMDOM\administrator"*
> *could not connect to server*
> *connection failed: NT_STATUS_CONNECTION_REFUSED*
> All steps from the original Samba wiki. The distro is OpenSUSE
> 15.1 64 bits, on
> Oracle VM, static IP.
> I did read several blogs, docs and the Samba mailing list, trying many
> configurations to solve this or connect to the AD-DC.
> *some steps: ad-dc*
> in smb.conf:
> bind interfaces only = yes
> interfaces = lo eth0
>  dns forwarder = IP-AD-DC DNS
> after command *systemctl status samba-ad-dc*
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800684,  0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   
> /usr/sbin/samba_dnsupdate: Traceback
> (most recent call last):
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800882,  0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   
> /usr/sbin/samba_dnsupdate:   File
> "/usr/sbin/samba_dnsupdate", line 56, in <module>
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800934,  0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate:
> import dns.resolver
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.800972,  0]
> ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> jul 13 08:58:09 dclinux samba[2146]:   /usr/sbin/samba_dnsupdate:
> ModuleNotFoundError: No module named 'dns'
> jul 13 08:58:09 dclinux samba[2146]: [2020/07/13 08:58:09.818318,  0]
> ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
> jul 13 08:58:09 dclinux samba[2146]:  * 
> dnsupdate_nameupdate_done: Failed
> DNS update with exit code 1*
> I am lost and do not know what to do.
> Please, can someone help me?
> Thanks so much
> Douglas
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


Douglas Giovani Oechsler
e-mail: doguibnu at gmail.com
Prudentópolis - PR
