[Samba] net rpc group add by/pass the group scope value

2013-05-05 Thread Abraham.Alawi
Hi folks,

Does anyone have a clue how to bypass the group scope value when creating a 
group in AD by using the net tools?

I can delete an AD group, add/remove members from a group but I can't create a 
group. I reckon it's because of the group scope value (even 
PowerShell/New-ADGroup prompts for it)

$ net -U $ADMIN_USER  -S $DC_ADDRESS rpc group add $GROUP_NAME  -c $OU

Error message:
Failed to add group $GROUP_NAME with error: Access is denied.

Powershell command (that works fine with the same credentials):
 New-ADGroup -Name $GROUP_NAME -groupScope global -Path $OU

AD is win2k8 server, domain functional level is win2k3

Thanks,

Abraham Alawi
Linux/UNIX Systems and Storage Specialist | STACC Project
Information Management  Technology (IMT)
CSIRO

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] net rpc share allowedusers fails half the time?

2013-04-11 Thread Paul Wise
Hi all,

[Please CC me in reply, I'm not subscribed]

We have a weird situation on one of our shares, net rpc share
allowedusers fails with NT_STATUS_IO_DEVICE_ERROR. Normally the command
is run with the password passed on the command-line. If we manually type
the password or turn up the debug level, it works. If we turn up the
debug output but direct the output to /dev/null or to a file, then it
works. If we run net under valgrind (slowing it down) then it works
about half the time. So there is some sort of race condition going on I
think. Does anyone have any thoughts about fixing this on the server
side or working around it client side (Ubuntu precise)?

This is the samba client version:

Ubuntu precise-updates 2:3.6.3-2ubuntu2.4

This is the server version string:

Domain=[XXX] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 
Professional 6.1]

This is the failing call and error output:

cli_rpc_pipe_open_noauth: opened pipe \srvsvc to machine cvision-pc and bound 
anonymously.
 srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll
in: struct srvsvc_NetShareEnumAll
server_unc   : *
server_unc   : 'xx'
info_ctr : *
info_ctr: struct srvsvc_NetShareInfoCtr
level: 0x0001 (1)
ctr  : union srvsvc_NetShareCtr(case 1)
ctr1 : *
ctr1: struct srvsvc_NetShareCtr1
count: 0x (0)
array: NULL
max_buffer   : 0x (4294967295)
resume_handle: *
resume_handle: 0x (0)
 r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor   : 0x00 (0)
ptype: DCERPC_PKT_REQUEST (0)
pfc_flags: 0x03 (3)
drep: ARRAY(4)
[0]  : 0x10 (16)
[1]  : 0x00 (0)
[2]  : 0x00 (0)
[3]  : 0x00 (0)
frag_length  : 0x0018 (24)
auth_length  : 0x (0)
call_id  : 0x005d (93)
u: union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint   : 0x0048 (72)
context_id   : 0x (0)
opnum: 0x000f (15)
object   : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier: DATA_BLOB length=0
rpc_api_pipe: host xx
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, 
data_total=96, this_data=96, max_data=4280, param_offset=84, param_pad=2, 
param_disp=0, data_offset=84, data_pad=0, data_disp=0
cli_api_pipe failed: NT_STATUS_IO_DEVICE_ERROR
rpc command function failed! (NT_STATUS_IO_DEVICE_ERROR)
return code = -1

-- 
bye,
pabs

http://bonedaddy.net/pabs3/




[Samba] net rpc share allowedusers gives Coult not query secdesc for share?

2013-02-27 Thread Paul Wise
Hi all,

[Please CC me in reply, I'm not subscribed]

On two of our machines, net rpc share allowedusers gives the error
Coult not query secdesc for share, partial debug log (-d10) below.

The servers are both running Windows Server 2008 R2 Standard 6.1 but we
have other servers running the same version of Windows so I don't think
that is the issue.

This is definitely not a password issue since changing the password sent
gives a very different error.

Does anyone know what needs to be changed on the Windows side to allow
querying security descriptors remotely? Is this a samba bug?

foo
 srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo
in: struct srvsvc_NetShareGetInfo
server_unc   : *
server_unc   : 'bar'
share_name   : 'foo'
level: 0x01f6 (502)
 r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor   : 0x00 (0)
ptype: DCERPC_PKT_REQUEST (0)
pfc_flags: 0x03 (3)
drep: ARRAY(4)
[0]  : 0x10 (16)
[1]  : 0x00 (0)
[2]  : 0x00 (0)
[3]  : 0x00 (0)
frag_length  : 0x0018 (24)
auth_length  : 0x (0)
call_id  : 0x0067 (103)
u: union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint   : 0x0038 (56)
context_id   : 0x (0)
opnum: 0x0010 (16)
object   : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier: DATA_BLOB length=0
rpc_api_pipe: host bar
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, 
data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2, 
param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc_read_send: data_to_read: 20
 r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor   : 0x00 (0)
ptype: DCERPC_PKT_RESPONSE (2)
pfc_flags: 0x03 (3)
drep: ARRAY(4)
[0]  : 0x10 (16)
[1]  : 0x00 (0)
[2]  : 0x00 (0)
[3]  : 0x00 (0)
frag_length  : 0x0024 (36)
auth_length  : 0x (0)
call_id  : 0x0067 (103)
u: union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint   : 0x000c (12)
context_id   : 0x (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[] 00. 
stub_and_verifier: DATA_BLOB length=12
[] F6 01 00 00 00 00 00 00   05 00 00 00  �... 
Got pdu len 36, data_len 12, ss_len 0
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host bar returned 12 bytes.
 srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo
out: struct srvsvc_NetShareGetInfo
info : *
info : union srvsvc_NetShareInfo(case 502)
info502  : NULL
result   : WERR_ACCESS_DENIED
Coult not query secdesc for share foo
rpc command function succedded
return code = 0

-- 
bye,
pabs

http://bonedaddy.net/pabs3/



Re: [Samba] net rpc share allowedusers gives Coult not query secdesc for share?

2013-02-27 Thread Jeremy Allison
On Wed, Feb 27, 2013 at 05:27:47PM +0800, Paul Wise wrote:
> Hi all,
> 
> [Please CC me in reply, I'm not subscribed]
> 
> On two of our machines, net rpc share allowedusers gives the error
> Coult not query secdesc for share, partial debug log (-d10) below.
> 
> The servers are both running Windows Server 2008 R2 Standard 6.1 but we
> have other servers running the same version of Windows so I don't think
> that is the issue.
> 
> This is definitely not a password issue since changing the password sent
> gives a very different error.
> 
> Does anyone know what needs to be changed on the Windows side to allow
> querying security descriptors remotely? Is this a samba bug?

Who are you authenticating as ? Are you doing this as Administrator ?


Re: [Samba] net rpc share allowedusers gives Coult not query secdesc for share?

2013-02-27 Thread Paul Wise
On Wed, 2013-02-27 at 13:32 -0800, Jeremy Allison wrote:

> Who are you authenticating as ?

It is a specially created user for each server.

> Are you doing this as Administrator ?

I guess from your response that the user needs to be an admin?

I'm not sure as I don't have access to the Windows side of things, but
it looks like from this list that the answer is no for this server?

DOMAIN\user
 DOMAIN\user
 DOMAIN\domain users
 DOMAIN\secgrp_rev_rdp
 DOMAIN\user_god
 \Everyone
 NT Authority\Network
 NT Authority\Authenticated Users

At other sites where this works, the user is in the 'domain admins'
group, but at one of them, there is no obvious admin group:

DOMAIN\user
 DOMAIN\user
 DOMAIN\domain users
 DOMAIN\iis_wpg
 DOMAIN\staff
 DOMAIN\management
 DOMAIN\wbd remote ts
 \Everyone
 NT Authority\Network
 NT Authority\Authenticated Users

PS: if it isn't already fixed, you might want to fix the typos in the
diagnostic messages that I posted.

-- 
bye,
pabs

http://bonedaddy.net/pabs3/



[Samba] Net rpc printer segmentation fault

2012-06-21 Thread Túlio Henrique
Hello everyone! 

I'm trying to use the command net rpc printer migrate drivers to migrate from 
a Windows print server, but all I got is a segmentation fault error. 

I'm using samba and samba-common version 3.4.8 under debian lenny 5.0.10. I 
have already googled but found nothing to help. Is it a known bug? 
I appreciate any kind of help. 

Thanks so much!

Sent via iPhone


Re: [Samba] net rpc testjoin error

2011-12-23 Thread L . P . H . van Belle
please update, in wheezy samba is upgraded to 3.6.1 
and test again. 

Louis
 

-----Original Message-----
From: jh...@math.wisc.edu 
[mailto:samba-boun...@lists.samba.org] On behalf of John G. Heim
Sent: 2011-12-22 20:28
To: samba@lists.samba.org
Subject: [Samba] net rpc testjoin error

I have a PDC running debian wheezy with samba 3.5.11 . If I 
run 'net rpc 
testjoin' on my PDC, it does this:

# net rpc testjoin
get_schannel_session_key: could not fetch trust account 
password for domain 
'UW-MATH'
net_rpc_join_ok: failed to get schannel session key from 
server HUBBLE for 
domain UW-MATH. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'UW-MATH' is not valid: 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The backend is openldap and I can find the name of my PDC in the ldap 
database. It appears to have a valid machine trust account 
based on the ldap 
record.

The main problem I'm having is that after I joined a Win7 
machine to the 
domain, I can't log in as a domain user. It says The trust 
relationship 
between this workstation and the domain failed.



Re: [Samba] net rpc testjoin error

2011-12-23 Thread Gaiseric Vandal
Not sure if this is related, but I had problems joining or rejoining XP 
or Win 7 machines to the domain after upgrading to Samba 3.5.x.  I have 
a Samba PDC and Samba BDC with an LDAP backend.



The backend unix account would already exist.  I would have to delete 
the samba machine account and then precreate (or preserve) only 2 samba 
LDAP attributes.


Delete the machine account

#smbpasswd -x -m machinename


Then use an LDAP editor (e.g. apache directory studio), remove any 
remaining samba attributes (if necessary) except sambaPrimaryGroupSID 
and sambaAccountFlags.  If necessary, create sambaPrimaryGroupSID and 
sambaAccountFlags.



type:  sambaPrimaryGroupSID
value:S-1-5-21-XXX-YYY--515
type:  sambaAccountFlags
value: [W ]


At this point I could rejoin the domain.  You can also use smbpasswd -a 
-m machinename to test this.  After joining the machine to the 
domain, verify the LDAP settings for sambaAccountFlags.  The smbpasswd 
command may have set the sambaAccountFlags to be U (for user) not W (for 
workstation).  Make sure that pdbedit and LDAP editors report the 
same thing for sambaAccountFlags.





On 12/23/2011 03:08 AM, L.P.H. van Belle wrote:

please update, in wheezy samba is upgraded to 3.6.1
and test again.

Louis



-----Original Message-----
From: jh...@math.wisc.edu
[mailto:samba-boun...@lists.samba.org] On behalf of John G. Heim
Sent: 2011-12-22 20:28
To: samba@lists.samba.org
Subject: [Samba] net rpc testjoin error

I have a PDC running debian wheezy with samba 3.5.11 . If I
run 'net rpc
testjoin' on my PDC, it does this:

# net rpc testjoin
get_schannel_session_key: could not fetch trust account
password for domain
'UW-MATH'
net_rpc_join_ok: failed to get schannel session key from
server HUBBLE for
domain UW-MATH. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'UW-MATH' is not valid:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The backend is openldap and I can find the name of my PDC in the ldap
database. It appears to have a valid machine trust account
based on the ldap
record.

The main problem I'm having is that after I joined a Win7
machine to the
domain, I can't log in as a domain user. It says The trust
relationship
between this workstation and the domain failed.



[Samba] net rpc testjoin error

2011-12-22 Thread John G. Heim
I have a PDC running debian wheezy with samba 3.5.11 . If I run 'net rpc 
testjoin' on my PDC, it does this:


# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain 
'UW-MATH'
net_rpc_join_ok: failed to get schannel session key from server HUBBLE for 
domain UW-MATH. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Join to domain 'UW-MATH' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The backend is openldap and I can find the name of my PDC in the ldap 
database. It appears to have a valid machine trust account based on the ldap 
record.


The main problem I'm having is that after I joined a Win7 machine to the 
domain, I can't log in as a domain user. It says The trust relationship 
between this workstation and the domain failed.




Re: [Samba] net rpc testjoin error

2011-12-22 Thread Gaiseric Vandal

Did you make the required registry changes

http://wiki.samba.org/index.php/Windows7

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD  DomainCompatibilityMode = 1
DWORD  DNSNameResolutionRequired = 0



Do you have problems with XP machines?




On 12/22/2011 02:28 PM, John G. Heim wrote:
I have a PDC running debian wheezy with samba 3.5.11 . If I run 'net 
rpc testjoin' on my PDC, it does this:


# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for 
domain 'UW-MATH'
net_rpc_join_ok: failed to get schannel session key from server HUBBLE 
for domain UW-MATH. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Join to domain 'UW-MATH' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The backend is openldap and I can find the name of my PDC in the ldap 
database. It appears to have a valid machine trust account based on 
the ldap record.


The main problem I'm having is that after I joined a Win7 machine to 
the domain, I can't log in as a domain user. It says The trust 
relationship between this workstation and the domain failed.






Re: [Samba] net rpc testjoin error

2011-12-22 Thread John G. Heim

I ran the Win7_Samba3DomainMember.reg file that comes with the samba-docs
package. The contents are below. Does that 'net rpc testjoin' failure mean
anything? I was able to join a different Win7 machine to the domain during
testing. It seems to have  stopped working. But I didn't try that 'net rpc
testjoin' test on the PDC until now.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DNSNameResolutionRequired=dword:
DomainCompatibilityMode=dword:0001

- Original Message - 
From: Gaiseric Vandal gaiseric.van...@gmail.com

To: samba@lists.samba.org
Sent: Thursday, December 22, 2011 1:43 PM
Subject: Re: [Samba] net rpc testjoin error



Did you make the required registry changes

http://wiki.samba.org/index.php/Windows7

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD  DomainCompatibilityMode = 1
DWORD  DNSNameResolutionRequired = 0



Do you have problems with XP machines?




On 12/22/2011 02:28 PM, John G. Heim wrote:
I have a PDC running debian wheezy with samba 3.5.11 . If I run 'net rpc 
testjoin' on my PDC, it does this:


# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for 
domain 'UW-MATH'
net_rpc_join_ok: failed to get schannel session key from server HUBBLE 
for domain UW-MATH. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Join to domain 'UW-MATH' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The backend is openldap and I can find the name of my PDC in the ldap 
database. It appears to have a valid machine trust account based on the 
ldap record.


The main problem I'm having is that after I joined a Win7 machine to the 
domain, I can't log in as a domain user. It says The trust relationship 
between this workstation and the domain failed.






Re: [Samba] net rpc testjoin error

2011-12-22 Thread John G. Heim

Okay, I have determined that the problem is with the BDC. I shut down samba
on the BDC and was able to log into the domain. So perhaps the ldap
replication isn't working.

Should 'net getlocalsid' on a BDC show a SID that matches the SID on the
PDC? I ran 'net rpc getsid' on the BDC and it said it was storing the SID in
secrets.tdb. When I ask for the localsid, it gives me a mismatched SID.

root@gracie:~# net rpc getsid
Storing SID S-1-5-21-1546634795-1778232220-242194531 for Domain UW-MATH in secrets.tdb
root@gracie:~# net getlocalsid



From: Gaiseric Vandal gaiseric.van...@gmail.com
To: samba@lists.samba.org
Sent: Thursday, December 22, 2011 1:43 PM
Subject: Re: [Samba] net rpc testjoin error



Did you make the required registry changes

http://wiki.samba.org/index.php/Windows7

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD  DomainCompatibilityMode = 1
DWORD  DNSNameResolutionRequired = 0



Do you have problems with XP machines?




On 12/22/2011 02:28 PM, John G. Heim wrote:
I have a PDC running debian wheezy with samba 3.5.11 . If I run 'net rpc 
testjoin' on my PDC, it does this:


# net rpc testjoin
get_schannel_session_key: could not fetch trust account password for 
domain 'UW-MATH'
net_rpc_join_ok: failed to get schannel session key from server HUBBLE 
for domain UW-MATH. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Join to domain 'UW-MATH' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The backend is openldap and I can find the name of my PDC in the ldap 
database. It appears to have a valid machine trust account based on the 
ldap record.


The main problem I'm having is that after I joined a Win7 machine to the 
domain, I can't log in as a domain user. It says The trust relationship 
between this workstation and the domain failed.






[Samba] net rpc idmap restore does not work

2011-07-27 Thread Piotr Legiecki

Hi

In the samba HOWTO collection here
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
Creating an IDMAP Database Dump File
there is a command
net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt

the point is: it doesn't work. It just does nothing, except for printing 
a lot of lines like this:


ignoring invalid line []

ignoring invalid line 
[BB]


Looks like the winbindd_idmap.tdb file is not changed after this command 
has been run.


The actual dump was done like this:
net idmap dump /var/lib/samba/winbindd_idmap.tdb > idmap_dump.txt

The system I'm testing it on is Debian 6.1, samba 3.5.6.

Regards
P.


Re: [Samba] Net rpc strange results

2011-04-29 Thread Volker Lendecke
On Thu, Apr 28, 2011 at 08:37:38PM +0200, Alejandro Escanero Blanco wrote:
> I have a ldap based domain and different machines with different
> version of samba trying to get the user list from the PDC.
> The Server is samba 3.5.6
> 
> With version 3.4.7 I do:
> net rpc user -S myserver and get 1024 users
> same as wbinfo -u
> 
> With version 3.0 I do
> net rpc user -S myserver and get 2875 users
> same as wbinfo -u
> 
> Any clue?

Can you please send network traces of both commands?
Information on how to create useful network traces can be
found under

https://wiki.samba.org/index.php/Capture_Packets

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


[Samba] Net rpc strange results

2011-04-28 Thread Alejandro Escanero Blanco
I have a ldap based domain and different machines with different version 
of samba trying to get the user list from the PDC.

The Server is samba 3.5.6

With version 3.4.7 I do:
net rpc user -S myserver and get 1024 users
same as wbinfo -u

With version 3.0 I do
net rpc user -S myserver and get 2875 users
same as wbinfo -u

Any clue?

--
-
Alejandro Escanero Blanco
Servicio de Informática Sistemas - GISI
Tel:  671 569 262 (769262)
Edificio Empresarial Aljarafe, mod. 36
41940 Tomares (Sevilla)



Re: [Samba] net rpc file checks in 3.5.x

2010-10-14 Thread Michal Soltys

This is in reply to an older question of mine:
http://www.mail-archive.com/samba@lists.samba.org/msg109014.html

On 10-06-30 18:48, Michal Soltys wrote:

> When doing simple:
>
> net rpc file -Untadmin
>
> With ntadmin being a user belonging to properly groupmapped domain admins,
> (with rid 512), including cases with ntadmin being rid=500 itself,
> I always get:
>
> [2010/06/30 15:06:46.272578,  2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password:  authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
> [2010/06/30 15:06:46.276232,  1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
>   Enumerating files only allowed for administrators
>
> I've peeked into srv_srvsvc_nt.c and the main difference from earlier
> samba versions (in the function mentioned in logs) is the addition
> of the following check:
>
>     if (!nt_token_check_sid(global_sid_Builtin_Administrators,
>                             p->server_info->ptok)) {
>         DEBUG(1, ("Enumerating files only allowed for "
>                   "administrators\n"));
>         return WERR_ACCESS_DENIED;
>     }
>
> Judging from variables' names it checks if a user belongs to builtin group.
> Assuming this kind of check is intended in this place - how to actually make
> [functionally working] builtin group ? groupmap allows mapping to local and
> builtins groups, and I've also tested some net rpc group variations - but so
> far to no actual effect.


Actually, I mistyped sid - groupmap can handle builtin groups just fine.

Overall it turned out, that the culprit (in my case) was a brief run of 
winbindd in the past. Basically once BUILTIN domain showed up in 
gencache.tdb, I had to do net groupmap and add the user used with the 
net tool (admin) to builtin administrators group (regardless if winbindd 
was or wasn't running after that). Alternative option was to simply stop 
samba / remove gencache.tdb / start again.


Earlier samba versions didn't perform this kind of check, so it never 
was an issue.


Should it be assumed these days, that groupmapping of builtin groups is 
no longer optional (or at least it is advised to have it in place) ?
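
The access check quoted in this post, modelled as a stand-alone C program. This is an added example, not part of the original post and not Samba source: the struct layout, function names, alias-expansion step and the domain SID are constructed for illustration. It shows why a token that carries Domain Admins (RID 512) is still refused until BUILTIN\Administrators (S-1-5-32-544) is present in it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTHS   15
#define MAX_TOKEN_SIDS 16
#define SID_BUILTIN_ADMINISTRATORS "S-1-5-32-544"
#define DOM "S-1-5-21-1111111111-2222222222-3333333333" /* constructed domain SID */

enum werror { WERR_OK = 0, WERR_ACCESS_DENIED = 5 };

struct sid {
    uint8_t  revision;
    uint64_t authority;                 /* 48-bit identifier authority */
    uint8_t  num_subauths;
    uint32_t subauths[MAX_SUBAUTHS];
};
struct token { size_t num_sids; struct sid sids[MAX_TOKEN_SIDS]; };
struct alias_member { const char *alias_sid; const char *member_sid; };

/* Parse one unsigned decimal field, rejecting signs, blanks and overflow. */
static bool parse_field(const char **p, uint64_t max, uint64_t *out)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return false;
    unsigned long long v = strtoull(*p, &end, 10);
    if (v > max) return false;
    *out = v;
    *p = end;
    return true;
}

/* Parse "S-R-A-S1-S2..." text into a struct sid; false on malformed input. */
static bool sid_parse(const char *s, struct sid *out)
{
    uint64_t v;
    memset(out, 0, sizeof(*out));
    if (strncmp(s, "S-", 2) != 0) return false;
    s += 2;
    if (!parse_field(&s, 255, &v) || *s != '-') return false;
    out->revision = (uint8_t)v;
    s++;
    if (!parse_field(&s, 0xFFFFFFFFFFFFULL, &v)) return false;
    out->authority = v;
    while (*s == '-') {
        s++;
        if (out->num_subauths == MAX_SUBAUTHS || !parse_field(&s, UINT32_MAX, &v))
            return false;
        out->subauths[out->num_subauths++] = (uint32_t)v;
    }
    return *s == '\0';
}

static bool sid_equal(const struct sid *a, const struct sid *b)
{
    return a->revision == b->revision && a->authority == b->authority &&
           a->num_subauths == b->num_subauths &&
           memcmp(a->subauths, b->subauths, a->num_subauths * sizeof(uint32_t)) == 0;
}

static bool token_has_sid(const struct token *t, const char *text)
{
    struct sid want;
    if (!sid_parse(text, &want)) return false;
    for (size_t i = 0; i < t->num_sids; i++)
        if (sid_equal(&t->sids[i], &want)) return true;
    return false;
}

static bool token_add(struct token *t, const char *text)
{
    struct sid s;
    if (t->num_sids == MAX_TOKEN_SIDS || !sid_parse(text, &s)) return false;
    t->sids[t->num_sids++] = s;
    return true;
}

/* Same shape as the quoted check: only the builtin alias SID is accepted. */
static enum werror file_enum_gate(const struct token *t)
{
    return token_has_sid(t, SID_BUILTIN_ADMINISTRATORS) ? WERR_OK : WERR_ACCESS_DENIED;
}

/* Simplified alias expansion: add an alias SID when a member SID is in the token. */
static void token_expand_aliases(struct token *t, const struct alias_member *map, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (token_has_sid(t, map[i].member_sid) && !token_has_sid(t, map[i].alias_sid))
            token_add(t, map[i].alias_sid);
}

/* Constructed token for "ntadmin": RID 500, Domain Admins, Everyone, Authenticated Users. */
static struct token ntadmin_token(void)
{
    struct token t = {0};
    token_add(&t, DOM "-500");
    token_add(&t, DOM "-512");
    token_add(&t, "S-1-1-0");
    token_add(&t, "S-1-5-11");
    return t;
}

int main(void)
{
    struct token t = ntadmin_token();
    const struct alias_member map[] = { { SID_BUILTIN_ADMINISTRATORS, DOM "-512" } };
    printf("no builtin membership: %d\n", file_enum_gate(&t));
    token_expand_aliases(&t, map, 1);
    printf("Domain Admins in BUILTIN\\Administrators: %d\n", file_enum_gate(&t));
    return 0;
}
```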



[Samba] net rpc SeDiskOperatorPrivilege failing for domain user

2010-09-23 Thread suresh.kandukuru
Dear experts,
  I am having following problem on samba server side . please help me .

1) our device is running with samba server , in order to  allow Microsoft 
windows mmc  to change samba share permissions I am giving  
SeDiskOperatorPrivilege  ( net rpc  rights  grant  admin 
SeDiskOperatorPrivilege) privilege to samba users.
This is working fine as  long as our device is in standalone work group mode.

2) it is giving the  below problem  when we move the device to some domain. I 
am  logging into device with domain administrator account  I know its password.

r...@storage-2:/usr/local/samba/bin# ./net -U administrator -W emcsoho.local 
rpc rights  grant administrator
 SeDiskOperatorPrivilege


Enter administrator's password:
Successfully granted rights.


for another domain user users1  it is failing with error 
NT_STATUS_ACCESS_DENIED.

r...@storage-2:/usr/local/samba/bin# ./net -U administrator -W emcsoho.local 
rpc rights  grant users1 SeDiskOperatorPrivilege
Enter administrator's password:
\Failed to grant privileges for users1 (NT_STATUS_ACCESS_DENIED)
---

The above command Is working fine when I use the net command with users1 
account
-
r...@storage-2:/usr/local/samba/bin# ./net -U users1 -W emcsoho.local rpc 
rights  grant users1 SeDiskOperatorPrivilege
Enter users1's password:
Successfully granted rights.
---
The problem is my device does not know the domain users' passwords. How to 
handle this situation? How to give SeDiskOperatorPrivilege privilege for the 
domain users from the device with domain administrator account.

Thanks
Suresh


Re: [Samba] net rpc SeDiskOperatorPrivilege failing for domain user

2010-09-23 Thread Andrew Bartlett
On Thu, 2010-09-23 at 09:26 -0400, suresh.kanduk...@emc.com wrote:
> Dear experts,
>   I am having following problem on samba server side . please help me .
> 
> 1) our device is running with samba server , in order to  allow Microsoft 
> windows mmc  to change samba share permissions I am giving  
> SeDiskOperatorPrivilege  ( net rpc  rights  grant  admin 
> SeDiskOperatorPrivilege) privilege to samba users.
> This is working fine as  long as our device is in standalone work group mode.

> ---
> The problem is my device does not know the domain users passwords. how to 
> handle this situation?. How to give SeDiskOperatorPrivilege  privilege for 
> the domain users  from the device with domain administrator account.

You need to grant the rights to the builtin administrators group.  If
everything is set up properly (and this may depend a little on what
version of Samba you are running, and if you use winbind etc), when the
domain admins log in to Samba, it will see that they are in the domain
administrators group and add it to the builtin administrators group. 

You don't need to do this with 'net rpc' if you have access to the local
box - just use 'net sam rights'. 

I hope this helps, 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.



[Samba] net rpc file checks in 3.5.x

2010-06-30 Thread Michal Soltys
When doing simple:

net rpc file -Untadmin

With ntadmin being a user belonging to properly groupmapped domain admins,
 (with rid 512), including cases with ntadmin being rid=500 itself, 
I always get:

[2010/06/30 15:06:46.272578,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [ntadmin] -> [ntadmin] -> [ntadmin] succeeded
[2010/06/30 15:06:46.276232,  1] rpc_server/srv_srvsvc_nt.c:1039(_srvsvc_NetFileEnum)
  Enumerating files only allowed for administrators


I've peeked into srv_srvsvc_nt.c and the main difference from earlier 
samba versions (in the function mentioned in logs) is the addition 
of the following check:

    if (!nt_token_check_sid(global_sid_Builtin_Administrators,
                            p->server_info->ptok)) {
        DEBUG(1, ("Enumerating files only allowed for "
                  "administrators\n"));
        return WERR_ACCESS_DENIED;
    }

Judging from variables' names it checks if a user belongs to builtin group. 
Assuming this kind of check is intended in this place - how to actually make 
[functionally working] builtin group ? groupmap allows mapping to local and 
builtins groups, and I've also tested some net rpc group variations - but so 
far to no actual effect. 


[Samba] net rpc rights grant root SeDiskOperatorPrivilege failed with Failed to grant privileges for root (NT_STATUS_ACCESS_DENIED)

2010-05-13 Thread Nagaraj Shyam
Hi,

 

I have a samba server set up as a domain member.  I am trying to grant
SeDiskOperatorPrivilege to some user accounts e.g. domainaname\User,
but I always get the above error.  It does not matter what I specify as
the server in -S option to the command.  The command syntax I use is:

 

net rpc rights grant username SeDiskOperatorPrivilege

 

OR

 

net -S ADserver -U support rpc rights grant 'domain\Administrator'
SeDiskOperatorPrivilege

 

I am trying to grant the above privilege because managing samba shares
through mmc from remote windows system is failing with:

 

_srvsvc_NetShareSetInfo: uid 10500 doesn't have the
SeDiskOperatorPrivilege privilege needed to modify share myshare

 

 

Uid 10500 is 'domain\Administrator' account

 

I can send the relevant smb.conf and any additional traces I need to
capture.  Can anyone provide ideas on what could be going wrong?  The
above feature(s) is supposed to be supported by samba 3.5.1 which I am
using.

 

Thanks for the help.

 

-s



Re: [Samba] net rpc rights grant root SeDiskOperatorPrivilege failed with Failed to grant privileges for root (NT_STATUS_ACCESS_DENIED)

2010-05-13 Thread zoolook
You need to tell net with which user you run the command:

net rpc rights grant USERNAME SeDiskOperatorPrivilege -Uroot

HTH,
Norberto

El 13/05/2010 9:53, Nagaraj Shyam nagaraj_sh...@symantec.com escribió:

Hi,



I have a samba server set up as a domain member.  I am trying to grant
SeDiskOperatorPrivilege to some user accounts e.g. domainaname\User,
but I always get the above error.  It does not matter what I specify as
the server in -S option to the command.  The command syntax I use is:



net rpc rights grant username SeDiskOperatorPrivilege



OR



net -S ADserver -U support rpc rights grant 'domain\Administrator'
SeDiskOperatorPrivilege



I am trying to grant the above privilege because managing samba shares
through mmc from remote windows system is failing with:



_srvsvc_NetShareSetInfo: uid 10500 doesn't have the
SeDiskOperatorPrivilege privilege needed to modify share myshare





Uid 10500 is 'domain\Administrator' account



I can send the relevant smb.conf and any additional traces I need to
capture.  Can anyone provide ideas on what could be going wrong?  The
above feature(s) is supposed to be supported by samba 3.5.1 which I am
using.



Thanks for the help.



-s



Re: [Samba] net rpc rights grant root SeDiskOperatorPrivilege failed with Failed to grant privileges for root (NT_STATUS_ACCESS_DENIED)

2010-05-13 Thread Nagaraj Shyam
Hi zoolook.

Thanks for the reply.

In my case I had got the command to work when the samba server was standalone.

I just figured out that I need to provide the domain admin password to change
privileges if samba server has joined a domain ...

-s

 

From: zoolook [mailto:nbe...@gmail.com] 
Sent: Thursday, May 13, 2010 6:02 AM
To: Nagaraj Shyam
Cc: samba@lists.samba.org
Subject: Re: [Samba] net rpc rights grant root SeDiskOperatorPrivilege failed 
with Failed to grant privileges for root (NT_STATUS_ACCESS_DENIED)

 

You need to tell net with which user you run the command:

net rpc rights grant USERNAME SeDiskOperatorPrivilege -Uroot

HTH,
Norberto 

El 13/05/2010 9:53, Nagaraj Shyam nagaraj_sh...@symantec.com 
escribió:

Hi,



I have a samba server setup as a domain member.  I am trying to grant
SeDiskOperatorPrivilege to some user accounts e.g. domainaname\User,
but I always get the above error.  It does not matter what I specify as
the server in -S option to the command.  The command syntax I use is:



net rpc rights grant username SeDiskOperatorPrivilege



OR



net -S ADserver -U support rpc rights grant 'domain\Administrator'
SeDiskOperatorPrivilege



I am trying to grant the above privilege because managing samba shares
through mmc from remote windows system is failing with:



_srvsvc_NetShareSetInfo: uid 10500 doesn't have the
SeDiskOperatorPrivilege privilege needed to modify share myshare





Uid 10500 is 'domain\Administrator' account



I can send the relevant smb.conf and any additional traces I need to
capture.  Can anyone provide ideas on what could be going wrong?  The
above feature(s) is supposed to be supported by samba 3.5.1 which I am
using.



Thanks for the help.



-s



Re: [Samba] net rpc printer list - returns error

2010-05-03 Thread Luca Olivetti

En/na Chris Smith ha escrit:

Using:

net rpc printer list

returns:

listing printers
cannot enum printers: WERR_NOMEM

samba-3.5.2


Also happens here with 3.4.7.
And net rpc printer driver gives a segmentation fault.

Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 (Ext.133)  Fax +34 93 5883007


[Samba] net rpc printer list - returns error

2010-04-13 Thread Chris Smith
Using:

net rpc printer list

returns:

listing printers
cannot enum printers: WERR_NOMEM

samba-3.5.2


Re: [Samba] net rpc join failed ?

2010-02-12 Thread saddam abu ghaida
1. What kind of domain controller are you trying to join?
2. Does the machine that you are trying to join have valid A and PTR
records in the DNS?

3. Before trying to join the domain, did you try the following:

kinit [principal] and check whether the ticket is created by the
principal name or not, using klist

4. Kindly send the krb configuration + samba configuration

regards




On Thu, Feb 11, 2010 at 7:13 AM, Annada Prasana Prusty
annadapras...@gmail.com wrote:
 Hi,

 i have further investigated. i got this error message get_trust_pw_clear:
 could not fetch clear text trust account password for domain my_domain.
 It is looking for machine password inside secrets.tdb with key =
 SECRETS/MACHINE_PASSWORD/MY_DOMAIN, but there is no record at the same
 offset. But tdbdump shows the record inside tdb file, even in hexdump also
 shows the record in different offset. So i am not able to trace it, where is
 the problem.
 I have tried with old samba versions also, but the same result. Please help.

 Thanks
 Annada


 ===

 On Fri, Feb 5, 2010 at 7:48 PM, Annada Prasana Prusty 
 annadapras...@gmail.com wrote:

 Hi,

 I am using samba-3.4.5.
 I am trying for join to domain controller, with security=domain in
 smb.conf.
 But it fails with following debug messages.
 *
 rpccli_netlogon_set_trust_password: unable to setup creds
 (NT_STATUS_ACCESS_DENIED) !

 rpc command function failed ! (NT_STATUS_ACCESS_DENIED)

 ..

 get_schannel_session_key: could not fetch trust account password for domain
 'MYDOMAIN'

 net_rpc_join_ok: failed to get schannel session key for server MYSERVER for
 domain MYDOMAIN. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

 unable to join domain MYDOMAIN

 return code = -1.*

 Can you please help , where is the problem.

 Thanks
 Annada



Re: [Samba] net rpc join failed ?

2010-02-10 Thread Annada Prasana Prusty
Hi,

i have further investigated. i got this error message get_trust_pw_clear:
could not fetch clear text trust account password for domain my_domain.
It is looking for machine password inside secrets.tdb with key =
SECRETS/MACHINE_PASSWORD/MY_DOMAIN, but there is no record at the same
offset. But tdbdump shows the record inside tdb file, even in hexdump also
shows the record in different offset. So i am not able to trace it, where is
the problem.
I have tried with old samba versions also, but the same result. Please help.

Thanks
Annada


===

On Fri, Feb 5, 2010 at 7:48 PM, Annada Prasana Prusty 
annadapras...@gmail.com wrote:

 Hi,

 I am using samba-3.4.5.
 I am trying for join to domain controller, with security=domain in
 smb.conf.
 But it fails with following debug messages.
 *
 rpccli_netlogon_set_trust_password: unable to setup creds
 (NT_STATUS_ACCESS_DENIED) !

 rpc command function failed ! (NT_STATUS_ACCESS_DENIED)

 ..

 get_schannel_session_key: could not fetch trust account password for domain
 'MYDOMAIN'

 net_rpc_join_ok: failed to get schannel session key for server MYSERVER for
 domain MYDOMAIN. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

 unable to join domain MYDOMAIN

 return code = -1.*

 Can you please help , where is the problem.

 Thanks
 Annada



[Samba] net rpc join failed ?

2010-02-05 Thread Annada Prasana Prusty
Hi,

I am using samba-3.4.5.
I am trying for join to domain controller, with security=domain in smb.conf.
But it fails with following debug messages.
*
rpccli_netlogon_set_trust_password: unable to setup creds
(NT_STATUS_ACCESS_DENIED) !

rpc command function failed ! (NT_STATUS_ACCESS_DENIED)

..

get_schannel_session_key: could not fetch trust account password for domain
'MYDOMAIN'

net_rpc_join_ok: failed to get schannel session key for server MYSERVER for
domain MYDOMAIN. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

unable to join domain MYDOMAIN

return code = -1.*

Can you please help , where is the problem.

Thanks
Annada


[Samba] samba: net rpc join unable to setup creds

2010-02-04 Thread Annada Prasana Prusty
Hi experts,

I am getting the error when trying to join samba server into domain.
net rpc join -U user%password

returns with rpccli_netlogon_set_trust_password: - unable to setup creds
NT_STATUS_ACCESS_DENIED !

rpc command failed ! NT_STATUS_ACCESS_DENIED.

what is the error in smb.conf. i am running samba-3.4.5

Thanks
AP


Re: [Samba] net rpc user add produces duplicate SID

2010-01-21 Thread Sebastian Scholz
Sebastian Scholz gsscholz at gmail.com writes:

 
 
 I moved the domain SID and the local SID to the new pdc and filled the ldap
 directory with all users and machines from the old machine. I can access the 
 smb via smbclient, id user works and getent passwd, etc. 
 
 BUT when I try to add a new user with 
 # net rpc user add newusername 
 the user gets a SID which is already used by a machine account. The command
 responds with Faild to add user 'newusername' with: No such user.
 # pdbedit -L 
 reports this user and this machine account with ldapsam_getsampwsid: More 
 than one user with SID [S-1-5-21]. Failing. count=2. Deleting the user 
 with
 # net rpc user delete newusername 
 works.
 

Hi List

the same actually happens when I add a new machine to the domain with
net dom join


Can I change the SID/RID somehow after adding a new account or is there a 
way to tell net to start from a different RID?

Thanks
Sebastian



Re: [Samba] net rpc user add produces duplicate SID

2010-01-21 Thread Sebastian Scholz
Sebastian Scholz gsscholz at gmail.com writes:

 
 Sebastian Scholz gsscholz at gmail.com writes:
 
  
 
  I moved the domain SID and the local SID to the new pdc and filled the ldap
  directory with all users and machines from the old machine. I can access  
  the smb via smbclient, id user works and getent passwd, etc. 
  
  BUT when I try to add a new user with 
  # net rpc user add newusername 
  the user gets a SID which is already used by a machine account. The command
  responds with Faild to add user 'newusername' with: No such user.
  # pdbedit -L 
  reports this user and this machine account with ldapsam_getsampwsid: More 
  than one user with SID [S-1-5-21]. Failing. count=2. Deleting the user 
  with
  # net rpc user delete newusername 
  works.
  
 
 Hi List
 
 the same actually happens when I add a new machine to the domain with
 net dom join
 
 Can I change the SID/RID somehow after adding a new account or is there a 
 way to tell net to start from a different RID?
 
 Thanks
 Sebastian
 

Me again,

I hot fixed the problem for me by adding and deleting a dummy user a couple of
times:

# for i in `seq 0 50 ` ; do 
#  net rpc user add username  -U root%geheim
#  net rpc user delete username -U root%geheim
# done

but I still guess this is a bug in the net command.

Regards
Sebastian





[Samba] net rpc user add produces duplicate SID

2009-12-23 Thread Sebastian Scholz
Hi list,

The task is to move an old samba installation (ubuntu with samba 3.0 branch) to
a new debian installation with samba 3.3.9. Both setups work as pdcs and have an
ldap backend which I try to move from one setup to the next.

In this new setup I tried to ldapsam:editposix = yes. Therefore I also installed
winbind.

I moved the domain SID and the local SID to the new pdc and filled the ldap
directory with all users and machines from the old machine. I can access the smb
via smbclient, id user works and getent passwd, etc. 

BUT when I try to add a new user with 
# net rpc user add newusername 
the user gets a SID which is already used by a machine account. The command
responds with Faild to add user 'newusername' with: No such user.
# pdbedit -L 
reports this user and this machine account with ldapsam_getsampwsid: More than
one user with SID [S-1-5-21]. Failing. count=2. Deleting the user via 
# net rpc user delete newusername 
works.

I know how to increase the used uid but I don't know how to let winbind use the next
free RID.

Extracts from my smb.conf:
passdb backend = ldapsam
ldap suffix is set
ldap admin dn is set
ldap user/group/machine/idmap suffix are set
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap uid = 1 - 2
idmap gid = 1 - 2


Hope anyone can help and merry christmas to the list
Sebastian



[Samba] net rpc rights stop working at 3.4.3

2009-11-26 Thread Frank Bonnet

Hello

Since I upgraded from 3.3.9 to 3.4.3 the net rpc rights command
stops working properly

pdc:/usr/local/samba/etc/samba# net rpc rights list
Enter root's password:xxx
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

the smb.conf file is exactly the same one

Some new features in 3.4.3 to add in smb.conf ?

Thanks


Re: [Samba] net rpc rights stop working at 3.4.3

2009-11-26 Thread Volker Lendecke
On Thu, Nov 26, 2009 at 02:28:25PM +0100, Frank Bonnet wrote:
 Hello
 
 Since I upgraded from 3.3.9 to 3.4.3 the net rpc rights command
 stops working properly
 
 pdc:/usr/local/samba/etc/samba# net rpc rights list
 Enter root's password:xxx
 Could not connect to server 127.0.0.1
 Connection failed: NT_STATUS_CONNECTION_REFUSED
 
 the smb.conf file is exactly the same one
 
 Some new features in 3.4.3 to add in smb.conf ?

smbd needs to run. Alternatively, try net sam rights.

Volker



Re: [Samba] net rpc shutdown fails on Windows 7 Pro

2009-11-14 Thread André Weidemann

Hi,

On 30.10.2009 16:53, André Weidemann wrote:


Can anyone point me into the right direction?


Am I the only one who ran into this problem? Isn't there anyone who 
knows how to make it work?


Regards.
 André


[Samba] net rpc shutdown fails on Windows 7 Pro

2009-10-30 Thread André Weidemann

Hi,
I am running Samba 3.4.0 under Ubuntu 9.10 and would like to shutdown a 
Windows 7 Pro machine using:

net RPC SHUTDOWN -t 60 -f -I ip-address -U username -d1.

Invoking this command, unfortunately results in the following error:

cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED 
received from host ip-address!

Shutdown of remote machine failed!
rpc command function failed! (NT code 0x0005)
initshutdown pipe failed, trying winreg pipe
Could not initialise pipe \winreg. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND

My guess would be that a Windows Group-Policy is preventing the command 
from accessing the machine, but I don't know which one.


Can anyone point me into the right direction?

Regards.
 André


[Samba] net rpc share migrate files

2009-09-11 Thread Nobody ist perfect
Hi!
when i try to migrate files from nt4 share to smb share ...

net rpc share migrate files SHARE_DATA -I 172.10.10.1 -S NT4 \
--acls --timestamps -v

works, but

net rpc share migrate files SHARE_DATA -I 172.10.10.1 -S NT4 \
--acls --attrs --timestamps -v

syncing[SHARE_DATA] files and directories including ACLs, including
DOS Attributes (preserving timestamps)
failed to set file-attrs: NT_STATUS_ACCESS_DENIED
Could handle directory attributes for top level directory of share
SHARE_DATA. Error NT_STATUS_ACCESS_DENIED
Could not handle the top level directory permissions for the share:
SHARE_DATA

any ideas ?
thanks





Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Gerald Carter
Hey Ryan,

 The samba host is a domain member server (security=ADS) 
 with winbind for user accounts.   Where is this user rights
 database stored and what is the tool to assign admin privileges?

Use 'net sam' to add the user in question to the BUILTIN\Administrators
group on your Samba host.  The user rights assignments are stored
in account_pol.tdb IIRC (but that may have changed).  It's been
several years since I looked at that code and I remember Michael Adam
making some interface changes.  But I think the storage location on
smbpasswd and tdbsam installations is the same.

 # /usr/local/samba/bin/wbinfo -i testpc1
 testpc1:*:10726:10005:testpc1 papercut
 test:/home/REALM/testpc1:/usr/bin/tcsh
 
 # groups testpc1
 testpc1 : root
 
 # /usr/local/samba/bin/net rpc rights grant testpc1
 SePrintOperatorPrivilege -U testpc1
 Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)





cheers, jerry
-- 
=
http://www.plainjoe.org/
What man is a man who does not make the world better?  --Balian




Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Ryan Suarez

Gerald Carter wrote:

Hey Ryan,
  
The samba host is a domain member server (security=ADS) 
with winbind for user accounts.   Where is this user rights

database stored and what is the tool to assign admin privileges?



Use 'net sam' to add the user in question to the BUILTIN\Administrators
group on your Samba host.  The user rights assignments are stored
in account_pol.tdb IIRC (but that may have changed).  It's been
several years since I looked at that code and I remember Michael Adam
making some interface changes.  But I think the storage location on
smbpasswd and tdbsam installations is the same.
  
Thanks, it worked for me!  Looks like the local BUILTIN\Administrators 
has all those rpc rights granted by default.


much appreciated,
Ryan


Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Gerald Carter
Ryan Suarez wrote:

 Thanks, it worked for me!  Looks like the local BUILTIN\Administrators
 has all those rpc rights granted by default.

Correct.  Glad things are working now.



cheers, jerry




Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Ryan Suarez

Adam Nielsen wrote:

Use 'net sam' to add the user in question to the BUILTIN\Administrators
group on your Samba host.


# /usr/local/samba/bin/net rpc rights grant testpc1
SePrintOperatorPrivilege -U testpc1
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
  


Oh, so does 'net rpc' in this case connect to the local machine?  i.e.
it has nothing to do with Active Directory?

I was under the impression that it modified the permissions on the
Active Directory object, not what the local Samba instance would allow
or deny - my apologies!
  


Well, I wasn't actually able to run the net rpc rights grant.  I was 
still getting the access denied errors.  Instead, I just added testpc1 
as a member of the local Builtin/Administrators group which has all the 
rpc rights by default.


So it's still a valid question.  Does net rpc rights grant for the user 
edit the Active Directory object?



Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Adam Nielsen
 Use 'net sam' to add the user in question to the BUILTIN\Administrators
 group on your Samba host.

 # /usr/local/samba/bin/net rpc rights grant testpc1
 SePrintOperatorPrivilege -U testpc1
 Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

Oh, so does 'net rpc' in this case connect to the local machine?  i.e.
it has nothing to do with Active Directory?

I was under the impression that it modified the permissions on the
Active Directory object, not what the local Samba instance would allow
or deny - my apologies!

Cheers,
Adam.



Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Gerald Carter
Hey Adam,

 Use 'net sam' to add the user in question to the BUILTIN\Administrators
 group on your Samba host.
 # /usr/local/samba/bin/net rpc rights grant testpc1
 SePrintOperatorPrivilege -U testpc1
 Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)
 
 Oh, so does 'net rpc' in this case connect to the local machine?  i.e.
 it has nothing to do with Active Directory?

Correct.  It connects over RPC to the Samba host.  I think there
is a 'net sam rights' which will do the same operation without
using RPC.  I.e. just operate on the account policy db.






cheers, jerry
-- 
=
http://www.plainjoe.org/
What man is a man who does not make the world better?  --Balian




Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-08 Thread Adam Nielsen
 Well, I wasn't actually able to run the net rpc rights grant.  I was
 still getting the access denied errors.  Instead, I just added testpc1
 as a member of the local Builtin/Administrators group which has all the
 rpc rights by default.

Well now testpc1 is an admin you should be able to run the command again
and it should work.  Since you're not actually using Active Directory
you could presumably also use -U machine_name/root or whatever the
name is of the local Samba root/admin account, instead of the testpc1 user.

 So it's still a valid question.  Does net rpc rights grant for the user
 edit the Active Directory object?

I think the permission you're trying to access is set at the local
machine level - think of it like a firewall.  When the request comes
through Samba decides whether to allow or deny it based on the privilege
you're trying to set.  So it will apply whether or not you're using
Active Directory.  That's my understanding of it anyway!

Cheers,
Adam.


Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-07 Thread Ryan Suarez

Thanks for the response.

Adam Nielsen wrote:

RE: net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

samba_source_3.3.7 on redhat 5 64bit.  I have root on the samba
server but I don't have admin access to active directory (hence the
auth using testpc1).



So you have full access to Samba, but - I'm guessing - read only access
to AD?
  


Where in the Active Directory user object are these permissions?  
Specifically, I'm looking for SePrintOperatorPrivilege. 


thanks,
Ryan



Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-07 Thread Ryan Suarez



Does the user granting access need some sort of admin privilege in
Active Directory? How do I grant this privilege on this samba host
(for which I have root) since I don't have admin access in Active
Directory?



Yes, if you want to change an object in Active Directory you will need
access to do so.  Unless your Samba host *is* the AD server, nothing
gets granted on the PC itself, all the permissions are maintained within AD.
  


hmm, the best option for me is to ask the AD administrator to grant the 
samba SePrintOperatorPrivilege directly to the user object in Active 
Directory.  Where is this added in AD and what is this privilege called?


thanks,
Ryan


Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-07 Thread Gerald Carter
Ryan,

 hmm, the best option for me is to ask the AD administrator to grant the
 samba SePrintOperatorPrivilege directly to the user object in Active
 Directory.  Where is this added in AD and what is this privilege called?

The user rights database is maintained in Samba's passdb.  If
you are getting ACCESS_DENIED from smbd when you run 'net rpc
rights grant', it is because the account you are connecting as
does not have admin privileges as the Samba box.





cheers, jerry




Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-07 Thread Adam Nielsen
 The samba host is a domain member server (security=ADS) with winbind for
 user accounts.   Where is this user rights database stored and what is
 the tool to assign admin privileges?

I'm sure the privilege is stored in AD, which means you will need an AD
account with write access to the testpc1 object.

 # /usr/local/samba/bin/net rpc rights grant testpc1
 SePrintOperatorPrivilege -U testpc1
 Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

This means you're connecting as the user testpc1 which doesn't have
access.  Machine accounts normally don't have much access at all.
You'll need to use an account that has been delegated admin access to
testpc1 instead.

Cheers,
Adam.



Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-07 Thread Ryan Suarez

Thanks for the response.

Gerald Carter wrote:

Ryan,
  

hmm, the best option for me is to ask the AD administrator to grant the
samba SePrintOperatorPrivilege directly to the user object in Active
Directory.  Where is this added in AD and what is this privilege called?



The user rights database is maintained in Samba's passdb.  If
you are getting ACCESS_DENIED from smbd when you run 'net rpc
rights grant', it is because the account you are connecting as
does not have admin privileges as the Samba box.
  


The samba host is a domain member server (security=ADS) with winbind for 
user accounts.   Where is this user rights database stored and what is 
the tool to assign admin privileges?


# /usr/local/samba/bin/wbinfo -i testpc1
testpc1:*:10726:10005:testpc1 papercut 
test:/home/REALM/testpc1:/usr/bin/tcsh


# groups testpc1
testpc1 : root

# /usr/local/samba/bin/net rpc rights grant testpc1 
SePrintOperatorPrivilege -U testpc1

Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

smb.conf:
http://pastebin.ca/1554626

-Ryan


Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-06 Thread Adam Nielsen
 RE: net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1
 Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

 samba_source_3.3.7 on redhat 5 64bit.  I have root on the samba
 server but I don't have admin access to active directory (hence the
 auth using testpc1).

So you have full access to Samba, but - I'm guessing - read only access
to AD?

 Does the user granting access need some sort of admin privilege in
 Active Directory? How do I grant this privilege on this samba host
 (for which I have root) since I don't have admin access in Active
 Directory?

Yes, if you want to change an object in Active Directory you will need
access to do so.  Unless your Samba host *is* the AD server, nothing
gets granted on the PC itself, all the permissions are maintained within AD.

You could either get the testpc1 account more access, or ask whoever
maintains your AD installation for delegated access so you can grant and
revoke permissions from objects you maintain (using -U your_username
instead.)

Cheers,
Adam.


[Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-05 Thread Ryan Suarez

RE: net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

samba_source_3.3.7 on redhat 5 64bit.  I have root on the samba server 
but I don't have admin access to active directory (hence the auth using 
testpc1).


Does the user granting access need some sort of admin privilege in 
Active Directory? How do I grant this privilege on this samba host (for 
which I have root) since I don't have admin access in Active Directory?



Re: [Samba] net rpc rights grant: NT_STATUS_ACCESS_DENIED

2009-09-05 Thread Ryan Suarez

my smb.conf:
http://pastebin.ca/1554626

Ryan Suarez wrote:

RE: net rpc rights grant testpc1 SePrintOperatorPrivilege -U testpc1
Failed to grant privileges for testpc1 (NT_STATUS_ACCESS_DENIED)

samba_source_3.3.7 on redhat 5 64bit.  I have root on the samba server 
but I don't have admin access to active directory (hence the auth 
using testpc1).


Does the user granting access need some sort of admin privilege in 
Active Directory? How do I grant this privilege on this samba host 
(for which I have root) since I don't have admin access in Active 
Directory?




[Samba] net rpc group addmem gives NT_STATUS_ACCESS_DENIED

2009-08-28 Thread Avinash Rao
On Fri, Aug 28, 2009 at 1:41 PM, Avinash Rao avinash@gmail.com wrote:

 On Fri, Aug 28, 2009 at 2:36 AM, Alex Crowac...@integrafin.co.uk wrote:
 
  Alex,
 
  I have been trying to use root preexec to add domain users to Power
  users group on the local workstation, it never works..
 
 http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#autopoweruserscript
 
  Have you used this??
 
  thanks
  Avinash
 
  We do this by setting up a scheduled task (as SYSTEM) which will run a
  batch file from a netlogon share on one of the dc's. The batch file does
  all of the stuff using windows commands.
 
  We have something in the logon script that if you are a local admin, it
  will set up that scheduled task, thus, when we set up a new PC, we log
  it on as root once, and the scheduled task will forevermore do what we
  want it to do as the SYSTEM user on each local box.
 
  If you need more details I can give you example logon.bat and what we
  call root.bat files.
 
  Cheers
 
  Alex
 
 

 Alex,

 Thank you for your reply. I don't mind giving your logon.bat files.
 I tried to execute this manually and here's what is happening...

 #net rpc group addmem Administrators Domain Users \ -S WINPCO32
 Password:
 Usage: 'net rpc group addmem group member

 r...@sunbox:~# net rpc group addmem Power Users domain_name\username
 Password:
 Could not add domain_name\username to Power Users: NT_STATUS_NO_SUCH_ALIAS

 I replaced the domain_name with the name of the domain and username
 with the appropriate user account.

 what does this error mean?

 Thanks
 Avinash


I noticed another error if I tried to add a new user temp to the Domain
Users group.

r...@sunbox:~# net rpc group addmem Domain Users temp
Password:
Could not add temp to Domain Users: NT_STATUS_ACCESS_DENIED


[Samba] net rpc user info shows different output depending on -U switch

2009-02-24 Thread Andreas Gredler
Hi,

I'm debugging a problem with a user account which should have domain
admin privileges. I've found out that net rpc user info shows
different output depending on the -U switch:

(Running as root)
subzero:~# net rpc user info admin
Benutzer
strass

subzero:~# net rpc user info admin -U s7admin
Benutzer
Domänen-Admins

s7admin is a working domain admin. Benutzer is German for User and
Domänen-Admins for Domain Admins.

BTW: strass is a user, not a group!

Any help greatly appreciated.

It's a samba 3.0.24-6etch10 running on Debian etchandahalf with tdbsam
backend.

greets Jimmy

-- 
 Andreas Jimmy Gredler 
   ,'`. http://www.jimmy.co.at/ | ji...@g-tec.co.at
  (  grml.org -» Linux Live-CD for texttool-users and sysadmins
   `._,  http://www.grml.org/| ji...@grml.org


[Samba] net rpc info failure accessing XP: NT_STATUS_LOGON_FAILURE

2008-09-20 Thread Brian Hilstrom
I'm trying to remotely shut down a Windows XP machine on my local 
network using net rpc shutdown. I'm coming across errors, so I decided 
to back down to the simpler net rpc info, thinking that there will be 
fewer security settings related to seeing things than actually shutting 
down the system. Here's the info for the two boxes in question:


--
Linux box (Ubuntu 7.10):
[EMAIL PROTECTED]:~$ uname -a
Linux ireland 2.6.22-15-386 #1 Wed Aug 20 18:11:25 UTC 2008 i686 GNU/Linux
[EMAIL PROTECTED]:~$ net --version
Version 3.0.26a
[EMAIL PROTECTED]:~$ net rpc info -I localhost -U samba%sambapass
Domain Name: BRIANS
Domain SID: S-1-5-21-3781685452-1013998031-819676632
Sequence number: 1221940999
Num users: 29
Num domain groups: 0
Num local groups: 0

Windows box:
Windows XP Professional, Service Pack 3
Full computer name: phoebus.
Workgroup: WORKGROUP
Shared folder: C:\share
Windows firewall: DISABLED
IP: 192.168.9.155

C:\share settings:
- Advanced/not simple file sharing
- Share name: share
- User limit: 10
- Permissions:
   - Everyone: Read
   - Lep (PHOEBUS\Lep): Full Control, Change, Read
-

Here are the results of various commands when my XP box has 'Local 
Security Settings-Local Policies-Security Options-Network access: 
Sharing and security model for local accounts' set to 'Classic' (please 
note that temppass IS the current password for the Lep user):


[EMAIL PROTECTED]:~$ net rpc info -I phoebus
Password: (** NONE GIVEN, JUST HIT ENTER **)
Could not connect to server 192.168.9.155
Connection failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED

[EMAIL PROTECTED]:~$ net rpc info -I phoebus
Password: notapassword
Could not connect to server 192.168.9.155
Connection failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED

Connection failed: NT_STATUS_LOGON_FAILURE
[EMAIL PROTECTED]:~$ net rpc info -I phoebus -U NotAUser%notapassword
Could not connect to server 192.168.9.155
Connection failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED

[EMAIL PROTECTED]:~$ net rpc info -I phoebus -U Lep
Password: temppass
Could not connect to server 192.168.9.155
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED]:~$ net rpc info -I phoebus -U Lep%temppass
Could not connect to server 192.168.9.155
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED]:~$ net rpc info -S phoebus -U Lep%temppass
Could not connect to server phoebus
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED]:~$ net rpc info -I phoebus -U //PHOEBUS/Lep%temppass
Could not connect to server 192.168.9.155
Connection failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED

[EMAIL PROTECTED]:~$ net rpc info -I phoebus -U PHOEBUS/Lep%temppass
Could not connect to server 192.168.9.155
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED]:~$ net rpc info -I phoebus -W WORKGROUP -U Lep%temppass
Could not connect to server 192.168.9.155
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

---

Here are the results when I have 'Local Security Settings-Local 
Policies-Security Options-Network access: Sharing and security model 
for local accounts' set to 'Guest only':


[EMAIL PROTECTED]:~$ net rpc info -I phoebus
Password: (** NO PASSWORD, JUST HIT ENTER **)
Could not connect to server 192.168.9.155
Connection failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED

[EMAIL PROTECTED]:~$ net rpc info -I phoebus -U Lep%temppass
Could not connect to server 192.168.9.155
Connection failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED

The NT_STATUS_LOGON_TYPE_NOT_GRANTED repeats for any command I try that 
actually connects to the server.




Adding share to 'Security Options-Network access: Shares that can be 
accessed anonymously' has no noticeable effect. The security setting 
'Network access: Let Everyone permissions apply to anonymous users' is 
already enabled.


Does anyone have any ideas? I'm a bit stumped as to why a perfectly 
valid user can't log in.


Thanks much,
Brian


[Samba] net rpc vampire x Windows 2003 Server

2008-09-15 Thread Fabiano Caixeta Duarte
Hi!

Some time ago I successfully used net rpc vampire against a NT4 domain.
Back then I was using ldapsam.

Is it possible to do this against a w2k3 domain using tdbsam? Can you
point me to some documentation?

Thanks in advance!

-- 
Fabiano Caixeta Duarte


[Samba] net rpc vampire in release 3.2.x

2008-08-27 Thread Marc Aurel

Did someone already try vampire with the 3.2.x release?
Since I upgraded from 3.0.x I get problems with the
creation of machine accounts.
When I start sucking a PDC in my LDAP server the following
errors come up with every machine account on the PDC:


1.)
Creating account: SP1$
/usr/sbin/smbldap-usermod: user SP1_ doesn't exist
[2008/08/27 14:09:45,  0] groupdb/mapping.c:smb_set_primary_group(312)
  smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g  
'Domain Users' 'SP1_'' gave 1


2.)
User SP1_ does not exist: create it first !


What instantly strikes me is that there is an _ instead
of the $ in the PC name, which cannot work.
I guess the second error comes up when the script tries to set
the correct password!? Afterwards there are nevertheless
machine account passwords in the LDAP database, but they seem
wrong because machine connects fail.
Everything else is flawlessly imported (users, groups, group memberships).
I didn't change anything in the configuration, which worked
perfectly with vampire in 3.0.x.


Example LDAP entry of the above-mentioned machine after import:
-

dn: uid=SP1$,ou=Computers,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: SP1$
uid: SP1$
uidNumber: 1071
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: account
entryUUID: be6e3366-087c-102d-9d48-4b401f1e60f4
creatorsName: cn=manager,dc=test,dc=com
createTimestamp: 20080827120929Z
sambaSID: S-1-5-21-378104194-1064922793-1509252994-1090
sambaPrimaryGroupSID: S-1-5-21-378104194-1064922793-1509252994-513
sambaNTPassword: 5C49A9927C59942A46F193C41446FFD5
sambaPwdLastSet: 1162907539
sambaAcctFlags: [W  ]
entryCSN: 20080827120929.102086Z#00#000#00
modifiersName: cn=manager,dc=test,dc=com
modifyTimestamp: 20080827120929Z


smb.conf (suck-configuration)
-

[global]
workgroup = PRESSFK
netbios name = DEBIANPDC
wins server = 192.168.200.3

## Domain
#
domain master = No
domain logons = Yes
passdb backend = ldapsam:ldap://127.0.0.1

## User management ldapsam
#
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

## LDAP
###
ldap suffix = dc=test,dc=com
ldap admin dn = cn=manager,dc=test,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldap delete dn = Yes
ldap ssl = No


Re: [Samba] net rpc vampire in release 3.2.x

2008-08-27 Thread John H Terpstra
On Wednesday 27 August 2008 07:57:25 Marc Aurel wrote:
 Did someone already try vampire with the 3.2.x release?
 Since I upgraded from 3.0.x I get problems with the
 creation of machine accounts.
 When I start sucking a PDC in my LDAP server the following
 errors come up with every machine account on the PDC:


 1.)
 Creating account: SP1$
 /usr/sbin/smbldap-usermod: user SP1_ doesn't exist
 [2008/08/27 14:09:45,  0] groupdb/mapping.c:smb_set_primary_group(312)
smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g
 'Domain Users' 'SP1_'' gave 1

 2.)
 User SP1_ does not exist: create it first !


 What instantly strikes me is that there is an _ instead
 of the $ in the PC name, which cannot work.
 I guess the second error comes up when the script tries to set
 the correct password!? Afterwards there are nevertheless
 machine account passwords in the LDAP database, but they seem
 wrong because machine connects fail.
 Everything else is flawlessly imported (users, groups, group memberships).
 I didn't change anything in the configuration, which worked
 perfectly with vampire in 3.0.x.


 Example LDAP entry of the above-mentioned machine after import:
 -

 dn: uid=SP1$,ou=Computers,dc=test,dc=com
 objectClass: top
 objectClass: account
 objectClass: posixAccount
 objectClass: sambaSamAccount
 cn: SP1$
 uid: SP1$
 uidNumber: 1071
 gidNumber: 515
 homeDirectory: /dev/null
 loginShell: /bin/false
 description: Computer
 gecos: Computer
 structuralObjectClass: account
 entryUUID: be6e3366-087c-102d-9d48-4b401f1e60f4
 creatorsName: cn=manager,dc=test,dc=com
 createTimestamp: 20080827120929Z
 sambaSID: S-1-5-21-378104194-1064922793-1509252994-1090
 sambaPrimaryGroupSID: S-1-5-21-378104194-1064922793-1509252994-513
 sambaNTPassword: 5C49A9927C59942A46F193C41446FFD5
 sambaPwdLastSet: 1162907539
 sambaAcctFlags: [W  ]
 entryCSN: 20080827120929.102086Z#00#000#00
 modifiersName: cn=manager,dc=test,dc=com
 modifyTimestamp: 20080827120929Z


 smb.conf (suck-configuration)
 -

 [global]
  workgroup = PRESSFK
  netbios name = DEBIANPDC
  wins server = 192.168.200.3

  ## Domain
  #
  domain master = No
  domain logons = Yes
  passdb backend = ldapsam:ldap://127.0.0.1

  ## User management ldapsam
  #
  add user script = /usr/sbin/smbldap-useradd -m '%u'
  delete user script = /usr/sbin/smbldap-userdel '%u'
  add machine script = /usr/sbin/smbldap-useradd -w '%u'
  add group script = /usr/sbin/smbldap-groupadd -p '%g'
  delete group script = /usr/sbin/smbldap-groupdel '%g'
  add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
  delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

  ## LDAP
  ###
  ldap suffix = dc=test,dc=com
  ldap admin dn = cn=manager,dc=test,dc=com
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Idmap
  ldap passwd sync = Yes
  ldap delete dn = Yes
  ldap ssl = No

Please file a bug report on https://bugzilla.samba.org

Thanks.

- John T.


Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-27 Thread Duncan Brannen

John H Terpstra wrote:

On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
  

Hi All,
  I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell but the command
returns NT_STATUS_ACCESS_DENIED

This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
configured to lookup users and groups in LDAP.

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns
NT_STATUS_MEMBER_NOT_IN_GROUP and the user
is not removed from the group in LDAP (running smbldap-groupmod manually
removes the user from LDAP)

In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g

With log level set to 10 I see the following for the add that may or may
not be relevant.

Should the access check granted and required values be equal?

[2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
  api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
  api_rpc_cmds[22].fn == 200be4
  samr_AddGroupMember: struct samr_AddGroupMember
  in: struct samr_AddGroupMember
  group_handle : *
  group_handle: struct policy_handle
  handle_type  : 0x (0)
  uuid :
0500---b248-b49e9051
  rid  : 0x0bb8 (3000)
  flags: 0x0005 (5)
[2008/08/25 12:59:48,  4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
  Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48
B4 9E   .H..
  [010] 90 51 00 00   .Q..
[2008/08/25 12:59:48,  5]
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_AddGroupMember: access check ((granted: 0f001f;  required:
04)
[2008/08/25 12:59:48, 10]
rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
  sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
  get_domain_group_from_sid

...

[2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
  smb_add_user_group: Running the command
`/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
  LEGACY: gid 512 - sid S-1-5-21-440367617-1876916578-3462541782-512
  samr_AddGroupMember: struct samr_AddGroupMember
  out: struct samr_AddGroupMember
  result   : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value
  _samr_DeleteGroupMember: access check ((granted: 0f001f;
required: 08)
then
  Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
  LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 - uid 1000
  samr_DeleteGroupMember: struct samr_DeleteGroupMember
  out: struct samr_DeleteGroupMember
  result   : NT_STATUS_MEMBER_NOT_IN_GROUP


Any thoughts or pointers as to where I should be looking?



Have you tried to execute this script manually?

Example:
smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP 
directory.  Did you execute the following?:

smbpasswd -w LDAP_Secret_Password

also, check that the user you are using to do this, and/or the group that user 
belongs to,  has the rights and privileges needed to do this:

net rpc rights list accounts -Uroot%password

- John T.
  

Hi John,

For what it's worth, the error message has gone now I'm using 3.2.2 and 
padl's nss_ldap library and

I'm assuming it's the padl nss_ldap library that's solved it.

A cursory glance at the ldap logs and what happens there looks similar, 
user still successfully added
to the group. If I'd kept digging at this it may have shown why the 
groups were not showing up in windows.


Cheers,
 Duncan


--
The University of St Andrews is a charity registered in Scotland : No SC013532



Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-26 Thread Duncan Brannen

John H Terpstra wrote:

On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
  

Hi All,
  I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell but the command
returns NT_STATUS_ACCESS_DENIED

This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
configured to lookup users and groups in LDAP.

/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns
NT_STATUS_MEMBER_NOT_IN_GROUP and the user
is not removed from the group in LDAP (running smbldap-groupmod manually
removes the user from LDAP)

In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g

With log level set to 10 I see the following for the add that may or may
not be relevant.

Should the access check granted and required values be equal?

[2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
  api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
  api_rpc_cmds[22].fn == 200be4
  samr_AddGroupMember: struct samr_AddGroupMember
  in: struct samr_AddGroupMember
  group_handle : *
  group_handle: struct policy_handle
  handle_type  : 0x (0)
  uuid :
0500---b248-b49e9051
  rid  : 0x0bb8 (3000)
  flags: 0x0005 (5)
[2008/08/25 12:59:48,  4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
  Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48
B4 9E   .H..
  [010] 90 51 00 00   .Q..
[2008/08/25 12:59:48,  5]
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_AddGroupMember: access check ((granted: 0f001f;  required:
04)
[2008/08/25 12:59:48, 10]
rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
  sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
  get_domain_group_from_sid

...

[2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
  smb_add_user_group: Running the command
`/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0
[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
  sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
  LEGACY: gid 512 - sid S-1-5-21-440367617-1876916578-3462541782-512
  samr_AddGroupMember: struct samr_AddGroupMember
  out: struct samr_AddGroupMember
  result   : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value
  _samr_DeleteGroupMember: access check ((granted: 0f001f;
required: 08)
then
  Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
  LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 - uid 1000
  samr_DeleteGroupMember: struct samr_DeleteGroupMember
  out: struct samr_DeleteGroupMember
  result   : NT_STATUS_MEMBER_NOT_IN_GROUP


Any thoughts or pointers as to where I should be looking?



Have you tried to execute this script manually?

Example:
smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP 
directory.  Did you execute the following?:

smbpasswd -w LDAP_Secret_Password

also, check that the user you are using to do this, and/or the group that user 
belongs to,  has the rights and privileges needed to do this:

net rpc rights list accounts -Uroot%password

- John T.
  
I haven't tried that script as I was trying to add an existing user to a 
current group, so samba calls


/usr/local/sbin/smbldap-groupmod -m dunk room11


The script does work and adds the user to the group in LDAP, the samba 
logs show the script returning 0
but the ACCESS_DENIED message still occurs, so I was wondering if 
something else should be happening

and it's broken in a way that I've not noticed yet.

net rpc rights list accounts ... returned

CROOMTEST\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

but bin/net rpc rights list root .. returns nothing so I explicitly added 
the rights to root as well but

still get the same error.

If I use useradd -G 

[Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-25 Thread Duncan Brannen


Hi All,
 I'm trying to add a user to a group using

/usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

The user is added to the group as far as I can tell but the command 
returns NT_STATUS_ACCESS_DENIED


This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both 
configured to lookup users and groups in LDAP.


/usr/local/samba/bin/net rpc group members room11 -Uroot%password
CROOMTEST\dunk

Trying to remove the user from the group returns 
NT_STATUS_MEMBER_NOT_IN_GROUP and the user
is not removed from the group in LDAP (running smbldap-groupmod manually 
removes the user from LDAP)


In smb.conf, I have
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g


With log level set to 10 I see the following for the add that may or may 
not be relevant.


Should the access check granted and required values be equal?

[2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
 api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
[2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
 api_rpc_cmds[22].fn == 200be4
 samr_AddGroupMember: struct samr_AddGroupMember
 in: struct samr_AddGroupMember
 group_handle : *
 group_handle: struct policy_handle
 handle_type  : 0x (0)
 uuid : 
0500---b248-b49e9051

 rid  : 0x0bb8 (3000)
 flags: 0x0005 (5)
[2008/08/25 12:59:48,  4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
 Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48 
B4 9E   .H..

 [010] 90 51 00 00   .Q..
[2008/08/25 12:59:48,  5] 
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
 _samr_AddGroupMember: access check ((granted: 0f001f;  required: 
04)
[2008/08/25 12:59:48, 10] 
rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)

 sid is S-1-5-21-440367617-1876916578-3462541782-3003
[2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
 get_domain_group_from_sid

...

[2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
 smb_add_user_group: Running the command 
`/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0

[2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
 sys_getgrouplist: user [dunk]
[2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...
[2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
 LEGACY: gid 512 - sid S-1-5-21-440367617-1876916578-3462541782-512
 samr_AddGroupMember: struct samr_AddGroupMember
 out: struct samr_AddGroupMember
 result   : NT_STATUS_ACCESS_DENIED

For delmem I again get the same access check granted value
 _samr_DeleteGroupMember: access check ((granted: 0f001f;  
required: 08)

then
 Get_Pwnam_internals did find user [dunk]!
[2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
 LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 - uid 1000
 samr_DeleteGroupMember: struct samr_DeleteGroupMember
 out: struct samr_DeleteGroupMember
 result   : NT_STATUS_MEMBER_NOT_IN_GROUP


Any thoughts or pointers as to where I should be looking?

Thanks,
 Duncan



--
The University of St Andrews is a charity registered in Scotland : No SC013532
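
On the question above of whether the granted and required values should be equal: a mask check of this kind passes when every bit of the required mask is also set in the granted mask, so the two need not match. The following added example (not part of the original post and not Samba's code) parses the access check lines from the pasted log, wrapped lines included, and evaluates that test; the bit names are the group access rights from MS-SAMR, and the hex values are read exactly as they appear in the post.

```python
import re

# Group access bits as named in MS-SAMR, plus the standard rights that
# occupy the upper half of the same 32-bit mask.
ACCESS_BITS = {
    0x00000001: "GROUP_READ_INFORMATION",
    0x00000002: "GROUP_WRITE_ACCOUNT",
    0x00000004: "GROUP_ADD_MEMBER",
    0x00000008: "GROUP_REMOVE_MEMBER",
    0x00000010: "GROUP_LIST_MEMBERS",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# The two access-check entries and one result line, copied from the post
# above with the mail client's line wraps left in place.
SAMPLE_LOG = """\
[2008/08/25 12:59:48,  5]
rpc_server/srv_samr_nt.c:access_check_samr_function(227)
  _samr_AddGroupMember: access check ((granted: 0f001f;  required:
04)
...
  samr_AddGroupMember: struct samr_AddGroupMember
  out: struct samr_AddGroupMember
  result   : NT_STATUS_ACCESS_DENIED
  _samr_DeleteGroupMember: access check ((granted: 0f001f;
required: 08)
"""

# \s* between tokens lets the pattern survive wrapped lines; the 0x prefix
# is optional because the pasted values carry none.
CHECK_RE = re.compile(
    r"(?P<op>_samr_\w+):\s*access check\s*\(\(granted:\s*(?:0x)?(?P<granted>[0-9a-fA-F]+);"
    r"\s*required:\s*(?:0x)?(?P<required>[0-9a-fA-F]+)\)"
)


def decode_mask(mask):
    """Return the names of the bits set in mask, lowest bit first."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)  # bits with no name in the table
    if unknown:
        names.append(f"unknown:0x{unknown:08x}")
    return names


def parse_access_checks(log_text):
    """Find every access-check entry and evaluate granted against required."""
    checks = []
    for m in CHECK_RE.finditer(log_text):
        granted = int(m.group("granted"), 16)
        required = int(m.group("required"), 16)
        checks.append({
            "op": m.group("op"),
            "granted": granted,
            "required": required,
            # Bits the operation needs that the handle does not carry.
            "missing": required & ~granted,
            # Subset test, not equality.
            "passes": (granted & required) == required,
        })
    return checks


def describe(check):
    """One-line summary of a parsed check."""
    needed = ",".join(decode_mask(check["required"]))
    if check["passes"]:
        return f'{check["op"]}: needs {needed}: present in granted mask'
    lacking = ",".join(decode_mask(check["missing"]))
    return f'{check["op"]}: needs {needed}: missing {lacking}'


if __name__ == "__main__":
    for check in parse_access_checks(SAMPLE_LOG):
        print(describe(check))
    # Constructed counter-example: a handle that only carries read and
    # list-members access, so an add-member request fails the mask test.
    constructed = ("_samr_AddGroupMember: access check "
                   "((granted: 0x00000011;  required: 0x00000004)")
    for check in parse_access_checks(constructed):
        print(describe(check))
```

Both checks from the post pass the mask test, which agrees with the log: the group script runs after the check, so the NT_STATUS_ACCESS_DENIED in the result is returned by a later step of the call rather than by the handle's access mask.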



Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED

2008-08-25 Thread John H Terpstra
On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
 Hi All,
   I'm trying to add a user to a group using

 /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password

 The user is added to the group as far as I can tell but the command
 returns NT_STATUS_ACCESS_DENIED

 This is on Solaris 10 (Sparc) and Samba 3.2.1, OS and Samba are both
 configured to lookup users and groups in LDAP.

 /usr/local/samba/bin/net rpc group members room11 -Uroot%password
 CROOMTEST\dunk

 Trying to remove the user from the group returns
 NT_STATUS_MEMBER_NOT_IN_GROUP and the user
 is not removed from the group in LDAP (running smbldap-groupmod manually
 removes the user from LDAP)

 In smb.conf, I have
 add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
 delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g

 With log level set to 10 I see the following for the add that may or may
 not be relevant.

 Should the access check granted and required values be equal?

 [2008/08/25 12:59:48,  4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
   api_rpcTNP: samr op 0x16 - api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
 [2008/08/25 12:59:48,  6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
   api_rpc_cmds[22].fn == 200be4
   samr_AddGroupMember: struct samr_AddGroupMember
   in: struct samr_AddGroupMember
   group_handle : *
   group_handle: struct policy_handle
   handle_type  : 0x (0)
   uuid :
 0500---b248-b49e9051
   rid  : 0x0bb8 (3000)
   flags: 0x0005 (5)
 [2008/08/25 12:59:48,  4]
 rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
   Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 B2 48
 B4 9E   .H..
   [010] 90 51 00 00   .Q..
 [2008/08/25 12:59:48,  5]
 rpc_server/srv_samr_nt.c:access_check_samr_function(227)
   _samr_AddGroupMember: access check ((granted: 0f001f;  required:
 04)
 [2008/08/25 12:59:48, 10]
 rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
   sid is S-1-5-21-440367617-1876916578-3462541782-3003
 [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
   get_domain_group_from_sid

 ...

 [2008/08/25 12:59:50,  3] groupdb/mapping.c:smb_add_user_group(352)
   smb_add_user_group: Running the command
 `/usr/local/sbin/smbldap-groupmod -m dunk room11' gave 0
 [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
   sys_getgrouplist: user [dunk]
 [2008/08/25 12:59:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 ...
 [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
   LEGACY: gid 512 - sid S-1-5-21-440367617-1876916578-3462541782-512
   samr_AddGroupMember: struct samr_AddGroupMember
   out: struct samr_AddGroupMember
   result   : NT_STATUS_ACCESS_DENIED

 For delmem I again get the same access check granted value
   _samr_DeleteGroupMember: access check ((granted: 0f001f;
 required: 08)
 then
   Get_Pwnam_internals did find user [dunk]!
 [2008/08/25 14:41:10,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
   LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 - uid 1000
   samr_DeleteGroupMember: struct samr_DeleteGroupMember
   out: struct samr_DeleteGroupMember
   result   : NT_STATUS_MEMBER_NOT_IN_GROUP


 Any thoughts or pointers as to where I should be looking?

Have you tried to execute this script manually?

Example:
smbldap-useradd -G new_group user_name

If that works, check that you gave Samba permission to update the LDAP 
directory.  Did you execute the following?:
smbpasswd -w LDAP_Secret_Password

also, check that the user you are using to do this, and/or the group that user 
belongs to,  has the rights and privileges needed to do this:
net rpc rights list accounts -Uroot%password

- John T.
-- 
John H Terpstra

Don't do as I do; Show me better! - Anonymous.


Re: [Samba] net rpc shutdown does not work

2008-07-07 Thread thuan tran
I seems to find out the problem by running the command net rpc user info
root on my ubuntu box it returns
*Domain Users
Domain Admins

*
on my centos 5.2 box it only returns
*Domain Users
*

I have checked the ldap tree on the centos box, user root is indeed in group
512 or Domain Admins. Trying smbldap-usermod -G +512 root also says so.

Using the command net rap groupmember add 512 root doesn't do anything. Or
is it net rap groupmember add Domain Admins root? I tried both as I
don't know for sure which is right and still no *Domain Admins *when calling
net rpc user info root.

Creating a new user and add him to group 512 also yield the same result, no
*Domain Admins *when calling net rpc user info root.

Any idea on what I did wrong or is it a well known problem as when I search
for this *net rpc shutdown WERR_ACCESS_DENIED* on google it returns quite
a few hits?

I did find a workaround but it's far from elegant as I have to change Force
shutdown from a remote system policy on every client machine. Please some
expert shed some light on this. I'm new to Linux and even more new to Samba
and LDAP. I'm desperate for knowledge on this problem.

Thuan Tran

P.S.: I changed my email address.


[Samba] net rpc shutdown does not work

2008-07-05 Thread thuan tran
I'm using centos 5.2 up-to-date with its latest samba 3.0.28-1.el5_2.1
running a Samba PDC with OpenLDAP as backend. Everything else works fine but
somehow this command *(net rpc shutdown -t 10 -U root -S xp1 -d 1)* doesn't
work and returns this with debug level 1

[2008/07/05 19:30:11, 1] utils/net_rpc.c:rpc_init_shutdown_internals(5206)
  Shutdown of remote machine failed!
[2008/07/05 19:30:11, 1] utils/net_rpc.c:run_rpc_command(170)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2008/07/05 19:30:11, 1] utils/net_rpc.c:rpc_shutdown(5303)
  initshutdown pipe failed, trying winreg pipe

Shutdown of remote machine failed

result was: WERR_ACCESS_DENIED
[2008/07/05 19:30:11, 1] utils/net_rpc.c:run_rpc_command(170)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
I use the same setup on ubuntu 7.10 with its latest Samba 3.0.26 and this
command works fine there. Any idea on what is wrong and how to fix it?

Thuan Tran.


[Samba] net rpc commands not working

2008-05-19 Thread Leandro Tracchia
maybe this is a simple fix but i really don't know how to fix it...

it seems that i cannot run any net rpc commands...

i wanted to see the members of Domain Users group so i did the following:

root# net rpc group members Domain Users -Uroot%not24get

and i got this error:

Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

i can ping localhost without a problem

i'm not sure why this is happening, does anyone have any ideas??? thanks.


Re: [Samba] net rpc commands not working

2008-05-19 Thread John Drescher
On Mon, May 19, 2008 at 11:37 AM, Leandro Tracchia [EMAIL PROTECTED] wrote:
 maybe this is a simple fix but i really don't know how to fix it...

 it seems that i cannot run any net rpc commands...

 i wanted to see the members of Domain Users group so i did the following:

 root# net rpc group members Domain Users -Uroot%not24get

 and i got this error:

 Could not connect to server 127.0.0.1
 Connection failed: NT_STATUS_CONNECTION_REFUSED

 i can ping localhost without a problem


Is samba running on the local host? Is it listening on 127.0.0.1? Did
it ask for a password?

John


Re: [Samba] net rpc commands not working

2008-05-19 Thread John Drescher
On Mon, May 19, 2008 at 11:54 AM, Leandro Tracchia [EMAIL PROTECTED] wrote:
 yes, samba is running on the localhost...

 the command did not ask for a password because i used %not24get

 samba is listening on eth1

How about lo (as this is not eth1)?

netstat -tulpen

Also have you checked your samba logs?
John


Re: [Samba] net rpc commands not working

2008-05-19 Thread John Drescher
On Mon, May 19, 2008 at 12:33 PM, Leandro Tracchia [EMAIL PROTECTED] wrote:
 problem solved. i had to add 127.0.0.1 to the interfaces list of smb.conf.
 this is because i had set bind interfaces only = yes.

 the manpage makes mention of smbpasswd not working properly if bind
 interfaces only is set and the network address 127.0.0.1 is not added to the
 interfaces parameter.

 i guess this also applies to correct functionality of the net rpc command,
 although the man page makes no mention of this and i'm not very
 knowledgeable to explain to you how it does apply. but it worked for me.


The reason for this is that eth1 and lo are seen as 2 different
network cards and listening on eth1 does not allow you to listen on lo
(which gives you 127.0.0.1).

John


Re: [Samba] net rpc commands not working

2008-05-19 Thread John Drescher
 The reason for this is that eth1 and lo are seen as 2 different
 network cards and listening on eth1 does not allow you to listen on lo
 (which gives you 127.0.0.1).

I should have worded that listening only on eth1 does not allow
access to 127.0.0.1. You need to listen on lo as well or not bind to
interfaces which will then listen on all valid ip addresses for the
server.

John


Re: [Samba] net rpc commands not working

2008-05-19 Thread Leandro Tracchia
problem solved. i had to add 127.0.0.1 to the interfaces list of smb.conf.
this is because i had set bind interfaces only = yes.

the manpage makes mention of smbpasswd not working properly if bind
interfaces only is set and the network address 127.0.0.1 is not added to the
interfaces parameter.

i guess this also applies to correct functionality of the net rpc command,
although the man page makes no mention of this and i'm not very
knowledgeable to explain to you how it does apply. but it worked for me.

thanks for your help john.

On Mon, May 19, 2008 at 12:41 PM, John Drescher [EMAIL PROTECTED]
wrote:

  The reason for this is that eth1 and lo are seen as 2 different
  network cards and listening on eth1 does not allow you to listen on lo
  (which gives you 127.0.0.1).
 
 I should have worded that listening only on  eth1 does not allow
 access to 127.0.0.1. You need to listen on lo as well or not bind to
 interfaces which will then listen on all valid ip addresses for the
 server.

 John

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
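
The condition that caused NT_STATUS_CONNECTION_REFUSED in this thread, written as a configuration check. This is an added example, not part of any post; the function names and both sample configurations are constructed, and the loopback interface name `lo` is an assumption (Linux).

```python
import fnmatch
import ipaddress

# Boolean spellings smb.conf accepts for "true".
TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {normalized name: value}."""
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Samba matches parameter names ignoring case and embedded spaces.
        params["".join(name.lower().split())] = value.strip()
    return params


def is_loopback_entry(entry, loopback_name="lo"):
    """True if one 'interfaces' entry covers the loopback address.

    An entry may be an IP, IP/mask, an interface name or a name pattern.
    loopback_name is an assumption: the Linux loopback device is called "lo".
    """
    try:
        return ipaddress.ip_interface(entry).ip.is_loopback
    except ValueError:
        # Not an address: treat it as an interface name or shell-style pattern.
        return fnmatch.fnmatchcase(loopback_name, entry)


def loopback_served(conf_text):
    """False when smbd would refuse connections to 127.0.0.1 (the thread's case)."""
    params = parse_global(conf_text)
    if params.get("bindinterfacesonly", "no").lower() not in TRUE_VALUES:
        return True                              # smbd binds to every address
    entries = params.get("interfaces", "").replace(",", " ").split()
    return any(is_loopback_entry(e) for e in entries)


# Constructed sample: the setup described before the fix.
BEFORE = """
[global]
   workgroup = EXAMPLE
   interfaces = eth1
   bind interfaces only = yes
"""

# Constructed sample: 127.0.0.1 added to the interfaces list, as in the fix.
AFTER = """
[global]
   workgroup = EXAMPLE
   interfaces = eth1 127.0.0.1
   bind interfaces only = yes
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        state = "reachable" if loopback_served(conf) else "refused"
        print(f"{label}: 127.0.0.1 {state}")
```

A `False` result means tools that connect to 127.0.0.1 by default, such as `net rpc` without `-S` and `smbpasswd`, cannot reach smbd.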


[Samba] net rpc group error

2007-12-11 Thread Kurt De Kesel
Hello,

I receive this error when trying to add an Active Directory user in the Backup 
Operators group.
Do you know what could be the reason and how to fix it ?

The server dali is a  sun solaris system:

SunOS dali 5.9 Generic_118558-05 sun4u sparc SUNW,Sun-Fire-480R
The samba version on this server is 3.0.9
This server is successfully joined into the active directory domain EMEA

net rpc info -S dali
Domain Name: EMEA
Domain SID: S-1-5-21-2188191474-962303098-1574304029
Sequence number: 1197369746
Num users: 0
Num domain groups: 0
Num local groups: 0

net rpc group list -Uadminbbs
Password:

System Operators
Replicators
Guests
Power Users
Print Operators
Administrators
Account Operators
Backup Operators
Users

net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Admins (S-1-5-21-2188191474-962303098-1574304029-512) - -1
Domain Guests (S-1-5-21-2188191474-962303098-1574304029-514) - -1
Domain Users (S-1-5-21-2188191474-962303098-1574304029-513) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1

net rpc group addmem Backup Operators adminbbs -Uadminbbs
Password:

Could not lookup up group member adminbbs
Could not add adminbbs to Backup Operators: NT_STATUS_NONE_MAPPED



Re: [Samba] net rpc join -U root error

2007-11-08 Thread Adam Williams
Thanks, I figured it out.  looking at /var/log/samba/smbd it was trying 
to connect to openldap but couldn't.  I had to rerun smbpasswd -w xx 
and then it was ok, and then I ran:


[EMAIL PROTECTED] ~]# net rpc join -D ADMIN -U root
Password:
Joined domain ADMIN.
[EMAIL PROTECTED] ~]# net rpc join -U root
Password:
Joined domain ADMIN.
[EMAIL PROTECTED] ~]# net rpc testjoin -S GOMER -U root
Join to 'ADMIN' is OK




[Samba] net rpc join -U root error

2007-11-07 Thread Adam Williams

On my server, I have root in LDAP, and am following the Samba3 by
example book, but I'm unable to get it to join the domain.  I'm running
samba 3.0.25b.

[EMAIL PROTECTED] samba]# net rpc join -U root%

Unable to find a suitable server

[EMAIL PROTECTED] samba]# net rpc testjoin -S GOMER -U root%xxx
Join to 'ADMIN' is OK
[EMAIL PROTECTED] samba]# net rpc testjoin -D DOMAIN -U root%xxx
Unable to find a suitable server
Join to domain 'ADMIN' is not valid


I google searched for the error, but didn't find a solution.  Any ideas?

smb.conf:

[global]
 unix charset = LOCALE
 workgroup = ADMIN
 netbios name = GOMER
 server string = Samba Server %v on gomer
 interfaces = eth0, lo
 bind interfaces only = Yes
 passdb backend = ldapsam:ldap://gomer.mdah.state.ms.us
 enable privileges = Yes
 username map = /etc/samba/smbusers
 log level = 5
 syslog = 0
 log file = /var/log/samba/%m
 max log size = 50
 name resolve order = wins bcast hosts
 time server = Yes
 printcap name = CUPS
 show add printer wizard = no
 add user script = /usr/sbin/smbldap-useradd -a -m %u
 delete user script = /usr/sbin/smbldap-userdel %u
 add group script = /usr/sbin/smbldap-groupadd -p %g
 delete group script = /usr/sbin/smbldap-groupdel %g
 add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
 delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
 set primary group script = /usr/sbin/smbldap-groupmod -g %g %u
 add machine script = /usr/sbin/smbldap-useradd -w %u
 logon script = scripts\logon.bat
 logon path = \\%L\profiles\%U
 logon drive = X:
 domain logons = Yes
 preferred master = Yes
 wins support = Yes
 ldap suffix = dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
 ldap machine suffix = ou=People
 ldap user suffix = ou=People
 ldap group suffix = ou=Groups
 ldap idmap suffix = ou=Idmap
 ldap admin dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
 idmap backend = ldap:ldap://gomer.mdah.state.ms.us
 idmap uid = 1 - 2
 idmap gid = 1 - 2
 map acl inherit = Yes
 printing = cups
 printer admin = root, awilliam

[homes]
 comment = Home Directories
 valid users = %S
 read only = no
 browseable = No

[accounts]
 comment = Accounting Files
 path = /data/accounts
 read only = No

[netlogon]
 comment = network logon service
 path = /var/lib/samba/netlogon
 guest ok = Yes
 locking = No

[profiles]
 comment = Profile Share
 path = /var/lib/samba/profiles
 read only = No
 profile acls = Yes

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/drivers
 browseable = yes
 guest ok = no
 read only = yes
 write list = root, awilliam



ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b
uid=root,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us -w xxx -x
# extended LDIF
#
# LDAPv3
# base uid=root,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# root, People, gomer.mdah.state.ms.us
dn: uid=root,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: root
cn: root
sn: root
mail: [EMAIL PROTECTED]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxx
shadowLastChange: 13704
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[EMAIL PROTECTED] samba]# ps ax|grep winbind
6511 pts/1S+ 0:00 grep winbind
29280 ?Ss 0:00 winbindd
29282 ?S  0:00 winbindd
29285 ?S  0:00 winbindd
29286 ?S  0:00 winbindd
[EMAIL PROTECTED] samba]# cat /etc/nsswitch.conf |grep wins
hosts:  files dns wins






Re: [Samba] net rpc join -U root error

2007-11-07 Thread Diego Obetko
have you tried restarting both samba and winbind services ??

or as Roy from the IT Crowd says.. Have you tried turning it off and on
again? :P

Diego

On Nov 7, 2007 5:11 PM, Adam Williams [EMAIL PROTECTED] wrote:

 yeah, that works, but thats not what the Samba 3 by Example book has.

 [EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
 Password:
 Joined domain ADMIN.

 But, winbind is still broken.

 [EMAIL PROTECTED] etc]# wbinfo -g
 Error looking up domain groups
 [EMAIL PROTECTED] etc]# wbinfo -u
 Error looking up domain users

 any ideas on that?

 Diego Obetko wrote:
  I've been using
  # net rpc join -S (domain) -U root
 
  Diego




Re: [Samba] net rpc join -U root error

2007-11-07 Thread Adam Williams

yeah, no luck :(

[EMAIL PROTECTED] ~]# /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind 
restart

Shutting down SMB services:[  OK  ]
Starting SMB services: [  OK  ]

Shutting down Winbind services:[  OK  ]
Starting Winbind services: [  OK  ]
[EMAIL PROTECTED] ~]# net rpc join -U root%xxx
Unable to find a suitable server


Diego Obetko wrote:

have you tried restarting both samba and winbind services ??

or as Roy from the IT Crowd says.. Have you tried turning it off 
and on again? :P


Diego

On Nov 7, 2007 5:11 PM, Adam Williams  [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


yeah, that works, but thats not what the Samba 3 by Example book has.

[EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
Password:
Joined domain ADMIN.

But, winbind is still broken.

[EMAIL PROTECTED] etc]# wbinfo -g
Error looking up domain groups
[EMAIL PROTECTED] etc]# wbinfo -u
Error looking up domain users

any ideas on that?

Diego Obetko wrote:
 I've been using
 # net rpc join -S (domain) -U root

 Diego





Re: [Samba] net rpc join -U root error

2007-11-07 Thread Diego Obetko
On Nov 7, 2007 6:34 PM, Adam Williams [EMAIL PROTECTED] wrote:

  yeah, no luck :(

 [EMAIL PROTECTED] ~]# /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind
 restart
 Shutting down SMB services:[  OK  ]
 Starting SMB services: [  OK  ]

 Shutting down Winbind services:[  OK  ]
 Starting Winbind services: [  OK  ]
 [EMAIL PROTECTED] ~]# net rpc join -U root%xxx
 Unable to find a suitable server

  but you used that syntax that didn't work again..

try this
# net rpc join -S GOMER -U root
then
# /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind restart
then
# wbinfo -u





 On Nov 7, 2007 5:11 PM, Adam Williams  [EMAIL PROTECTED] wrote:

  yeah, that works, but thats not what the Samba 3 by Example book has.
 
  [EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
  Password:
  Joined domain ADMIN.
 
  But, winbind is still broken.
 
  [EMAIL PROTECTED] etc]# wbinfo -g
  Error looking up domain groups
  [EMAIL PROTECTED] etc]# wbinfo -u
  Error looking up domain users
 
  any ideas on that?
 
  Diego Obetko wrote:
   I've been using
   # net rpc join -S (domain) -U root
  
   Diego
 
 



Re: [Samba] net rpc join -U root error

2007-11-07 Thread Adam Williams

I turned on log level = 10 and got some more data.

[EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
[2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112)
 Receiving SMB: Server stopped responding
[2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
 rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum 0x7751returned 
critical error. Error was Call timed out: server did not respond after 
1 milliseconds

Password:
[2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112)
 Receiving SMB: Server stopped responding
[2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
 rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned 
critical error. Error was Call timed out: server did not respond after 
1 milliseconds

Creation of workstation account failed
Unable to join domain ADMIN.
[EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart  
/etc/rc.d/init.d/winbind restart

Shutting down SMB services:[  OK  ]
Starting SMB services: [  OK  ]

Shutting down Winbind services:[  OK  ]
Starting Winbind services: [  OK  ]
[EMAIL PROTECTED] samba]# wbinfo -u
Error looking up domain users


Diego Obetko wrote:

 but you used that syntax that didn't work again..

try this 
# net rpc join -S GOMER -U root

then
# /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind restart
then
# wbinfo -u






Re: [Samba] net rpc join -U root error

2007-11-07 Thread Ivan Ordonez
Make sure that the version of samba are all the same.  Somehow, the 
3.0.26 version is not compatible with 3.0.24.  If your PDC has an 
earlier version to that machine you are trying to join, you will not be 
able to join it to the domain.


Adam Williams wrote:

I turned on log level = 10 and got some more data.

[EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
[2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112)
 Receiving SMB: Server stopped responding
[2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
 rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum 0x7751returned 
critical error. Error was Call timed out: server did not respond after 
1 milliseconds

Password:
[2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112)
 Receiving SMB: Server stopped responding
[2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
 rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned 
critical error. Error was Call timed out: server did not respond after 
1 milliseconds

Creation of workstation account failed
Unable to join domain ADMIN.
[EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart  
/etc/rc.d/init.d/winbind restart

Shutting down SMB services:[  OK  ]
Starting SMB services: [  OK  ]

Shutting down Winbind services:[  OK  ]
Starting Winbind services: [  OK  ]
[EMAIL PROTECTED] samba]# wbinfo -u
Error looking up domain users


Diego Obetko wrote:

 but you used that syntax that didn't work again..

try this # net rpc join -S GOMER -U root
then
# /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind restart
then
# wbinfo -u







Re: [Samba] net rpc join -U root error

2007-11-07 Thread Diego Obetko
i'm sorry but he did join the machine in an earlier reply.. don't know if
it's the same machine or situation...

[quote]
[EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
Password:
Joined domain ADMIN.
[/quote]



On Nov 7, 2007 7:04 PM, Ivan Ordonez [EMAIL PROTECTED] wrote:

 Make sure that the version of samba are all the same.  Somehow, the
 3.0.26 version is not compatible with 3.0.24.  If your PDC has an
 earlier version to that machine you are trying to join, you will not be
 able to join it to the domain.

 Adam Williams wrote:
  I turned on log level = 10 and got some more data.
 
  [EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
  [2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112)
   Receiving SMB: Server stopped responding
  [2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
   rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum 0x7751returned
  critical error. Error was Call timed out: server did not respond after
  1 milliseconds
  Password:
  [2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112)
   Receiving SMB: Server stopped responding
  [2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
   rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned
  critical error. Error was Call timed out: server did not respond after
  1 milliseconds
  Creation of workstation account failed
  Unable to join domain ADMIN.
  [EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart 
  /etc/rc.d/init.d/winbind restart
  Shutting down SMB services:[  OK  ]
  Starting SMB services: [  OK  ]
 
  Shutting down Winbind services:[  OK  ]
  Starting Winbind services: [  OK  ]
  [EMAIL PROTECTED] samba]# wbinfo -u
  Error looking up domain users
 
 
  Diego Obetko wrote:
   but you used that syntax that didn't work again..
 
  try this # net rpc join -S GOMER -U root
  then
  # /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind restart
  then
  # wbinfo -u
 
 
 



Re: [Samba] net rpc join -U root error

2007-11-07 Thread Adam Williams
Yeah, odd that that command isn't working now. 


samba is running:

[EMAIL PROTECTED] ~]# ps ax|grep mbd
6765 ?Ss 0:00 smbd -D
6768 ?Ss 0:00 nmbd -D
6769 ?S  0:00 nmbd -D

but when I nmap scan, it looks like its not responding on ports 139 and 445.

[EMAIL PROTECTED] nmap-4.20]# ./nmap -sS -O -T insane gomer

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-07 16:23 CST
Interesting ports on gomer.mdah.state.ms.us (10.8.3.37):
Not shown: 1685 closed ports
PORT STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
389/tcp  open  ldap
610/tcp  open  npmp-local
614/tcp  open  unknown
826/tcp  open  unknown
992/tcp  open  telnets
1023/tcp open  netvenuechat
2049/tcp open  nfs
3306/tcp open  mysql

[EMAIL PROTECTED] mnt]# mount //gomer/adam /mnt/gomer -o username=adam
Password:
mount error 111 = Connection refused

but i have in my smb.conf

 interfaces = eth0, lo
 bind interfaces only = Yes

any ideas?

Diego Obetko wrote:
i'm sorry but he did join the machine in an earlier reply.. don't know 
if it's the same machine or situation...


[quote]
[EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
Password:
Joined domain ADMIN.
[/quote]





Re: [Samba] net rpc join -U root error

2007-11-07 Thread Ivan Ordonez
I think he did a net rpc testjoin command and got a no suitable 
server response.


Diego Obetko wrote:
i'm sorry but he did join the machine in an earlier reply.. don't know 
if it's the same machine or situation...


[quote]
[EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
Password:
Joined domain ADMIN.
[/quote]

On Nov 7, 2007 7:04 PM, Ivan Ordonez [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


Make sure that the version of samba are all the same.  Somehow, the
3.0.26 version is not compatible with 3.0.24.  If your PDC has an
earlier version to that machine you are trying to join, you will
not be
able to join it to the domain.

Adam Williams wrote:
 I turned on log level = 10 and got some more data.

 [EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
 [2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112)
  Receiving SMB: Server stopped responding
 [2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum
0x7751returned
 critical error. Error was Call timed out: server did not respond
after
 1 milliseconds
 Password:
 [2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112)
  Receiving SMB: Server stopped responding
 [2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned
 critical error. Error was Call timed out: server did not respond
after
 1 milliseconds
 Creation of workstation account failed
 Unable to join domain ADMIN.
 [EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart 
 /etc/rc.d/init.d/winbind restart
 Shutting down SMB services:[  OK  ]
 Starting SMB services: [  OK  ]

 Shutting down Winbind services:[  OK  ]
 Starting Winbind services: [  OK  ]
 [EMAIL PROTECTED] samba]# wbinfo -u
 Error looking up domain users


 Diego Obetko wrote:
  but you used that syntax that didn't work again..

 try this # net rpc join -S GOMER -U root
 then
 # /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind restart
 then
 # wbinfo -u








Re: [Samba] net rpc join -U root error

2007-11-07 Thread Diego Obetko
[quote]
[EMAIL PROTECTED] samba]# net rpc join -U root%

Unable to find a suitable server

[EMAIL PROTECTED] samba]# net rpc testjoin -S GOMER -U root%xxx
Join to 'ADMIN' is OK
[EMAIL PROTECTED] samba]# net rpc testjoin -D DOMAIN -U root%xxx

Unable to find a suitable server
Join to domain 'ADMIN' is not valid
[/quote]


What is the samba server netbios name and workgroup ??

as far as i can see the domain is ADMIN and the samba netbios name is GOMER

so, what is DOMAIN in [EMAIL PROTECTED] samba]# net rpc testjoin -D DOMAIN -U
root

another thing, you don't need to pass the password in that command.. you can
issue it as i put it up here and it will ask you for root's password...


Diego


On Nov 7, 2007 9:08 PM, Ivan Ordonez [EMAIL PROTECTED] wrote:

 I think he did a net rpc testjoin command and got a no suitable
 server response.

 Diego Obetko wrote:
  i'm sorry but he did join the machine in an earlier reply.. don't know
  if it's the same machine or situation...
 
  [quote]
  [EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
  Password:
  Joined domain ADMIN.
  [/quote]
 
  On Nov 7, 2007 7:04 PM, Ivan Ordonez [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  Make sure that the version of samba are all the same.  Somehow, the
  3.0.26 version is not compatible with 3.0.24.  If your PDC has an
  earlier version to that machine you are trying to join, you will
  not be
  able to join it to the domain.
 
  Adam Williams wrote:
   I turned on log level = 10 and got some more data.
  
   [EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
   [2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112)
Receiving SMB: Server stopped responding
   [2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum
  0x7751returned
   critical error. Error was Call timed out: server did not respond
  after
   1 milliseconds
   Password:
   [2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112)
Receiving SMB: Server stopped responding
   [2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned
   critical error. Error was Call timed out: server did not respond
  after
   1 milliseconds
   Creation of workstation account failed
   Unable to join domain ADMIN.
   [EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart 
   /etc/rc.d/init.d/winbind restart
   Shutting down SMB services:[  OK
  ]
   Starting SMB services: [  OK
  ]
  
   Shutting down Winbind services:[  OK
  ]
   Starting Winbind services: [  OK
  ]
   [EMAIL PROTECTED] samba]# wbinfo -u
   Error looking up domain users
  
  
   Diego Obetko wrote:
but you used that syntax that didn't work again..
  
   try this # net rpc join -S GOMER -U root
   then
   # /etc/rc.d/init.d/smb restart  /etc/rc.d/init.d/winbind
 restart
   then
   # wbinfo -u
  
  
  
 
 



[Samba] net rpc problem

2007-08-16 Thread linux
samba 3.024
openldap 2.3


Am trying to grant rights to allow the user admin to join machines to the 
domain. Here's what I get..
**

net rpc rights grant homelan\\admin SeMachineAccountPrivilege


[2007/08/16 12:41:08, 0] param/loadparm.c:map_parameter(2698)
  Unknown parameter encountered: cups homeions
[2007/08/16 12:41:08, 0] param/loadparm.c:lp_do_parameter(3428)
  Ignoring unknown parameter cups homeions
[2007/08/16 12:41:08, 0] param/loadparm.c:map_parameter(2698)
  Unknown parameter encountered: socket homeions
[2007/08/16 12:41:08, 0] param/loadparm.c:lp_do_parameter(3428)
  Ignoring unknown parameter socket homeions














Re: [Samba] net rpc problem

2007-08-16 Thread John Drescher
 [2007/08/16 12:41:08, 0] param/loadparm.c:map_parameter(2698)
   Unknown parameter encountered: cups homeions
 [2007/08/16 12:41:08, 0] param/loadparm.c:lp_do_parameter(3428)
   Ignoring unknown parameter cups homeions
 [2007/08/16 12:41:08, 0] param/loadparm.c:map_parameter(2698)
   Unknown parameter encountered: socket homeions
 [2007/08/16 12:41:08, 0] param/loadparm.c:lp_do_parameter(3428)
   Ignoring unknown parameter socket homeions

I assume it did not work as you probably would not have posted but
these warnings are printer related and I doubt they have anything to
do with any failure.

John


[Samba] net rpc join: Percent sign in password

2007-07-11 Thread Eyal Ben David
Hello,

 

How can I pass a password that contains the percent sign to the net rpc
join command?

 

I use the format:  Net rpc join -U user%password

Does escaping work? If so, how?

 

Thanks

 



Re: [Samba] net rpc join: Percent sign in password

2007-07-11 Thread Michael Adam
On Wed, Jul 11, 2007 at 11:23:16 +0300, Eyal Ben David wrote:
 How can I pass a password that contains the percent sign to the net rpc
 join command?
 
 I use the format:  Net rpc join -U user%password
 
 Does escaping work? If so, how?

No escaping needed. The first % sign is the separator.
The following is taken verbatim as password.

Cheers, Michael

-- 
Michael Adam [EMAIL PROTECTED]
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE


[Samba] Problem with Samba Net RPC Behind a firewall

2007-06-21 Thread Gianluca Culot
Hello list

How can I manually register a server in a Samba WINS server?

I'm facing this scenario:

firewalled net

in the DMZ: Samba box 3.0.25, FreeBSD 6

in the NET: Windows 2003 SP1

The Samba box is authenticating users against the Windows 2003 server. Of
course the firewall is open for TCP 445 88 137-139 UDP 137-139

Problems pop up for all NET RPC commands:
the Samba box cannot find a domain server.
Obviously it is because the firewall is stopping broadcasts from DMZ to
intranet.
So I made Samba work as a WINS server.
The problem is this:

The domain server WILL NEVER try to register on the Samba WINS server,
and I'm not willing to open intranet-to-DMZ WINS communications over the
firewall.

I'd rather register MANUALLY and ONCE the Windows 2003 server on
the Samba WINS server.
How can I do this?
I searched over and over on Google, but found no clue at all.
 
[global]
workgroup = DMSWARE
Wins support = yes
dns proxy = yes
#name resolve order = host wins bcast
name resolve order = wins lmhosts hosts bcast
local master = yes
#domain master = yes
domain master = no
preferred master = auto
enhanced browsing = yes
#encrypt password = yes # YES = Default
 
realm = DMSWARE.it
server string = mail
security = ADS
password server = orion
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
client use spnego = yes
server signing = auto
client signing = auto
#passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
#passwd chat debug = yes
log file = /var/log/samba/log.%m
add user script = /usr/sbin/pw useradd %u
delete user script = /usr/sbin/pw userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/pw groupdel %g
 
template homedir = /home/%U
template shell = /bin/csh
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
 
idmap domains = DMSWARE
idmap config DMSWARE:range = 1-4
idmap config DMSWARE:base_rid = 0
idmap config DMSWARE:backend = rid
idmap uid = 1-4
idmap gid = 1-4
 
#  Networking configuration options
hosts allow = 192.168.0. 192.168.1. localhost
#guest ok = yes
#guest only = yes
browseable = yes
#read only = yes
#force directory mode = 744
public = yes
available = yes
browse list = yes
 
 
 

--
Gianluca Culot
DMS Multimedia
Via delle Arti e dei Mestieri, 6
20050 Sulbiate (Mi) - Italy
Tel: +39 039 5968925
Fax: +39 039 3309813
mailto:[EMAIL PROTECTED]
www.dmsware.com http://www.dmsware.com/



[Samba] net rpc vampire problems

2007-06-05 Thread Ed Stoner
I am trying to vampire the account database from my NT 4 DC (that has 
SP6A installed).  The DC's name is nemesis.  The samba computer's name 
is mjollnir.


The directions seem trivial:

1.) Join the Domain as a BDC with:
 net rpc join -S nemesis -W WHSD -U Administrator

this worked fine and I can see the computer listed in server manager 
with type Windows NT Backup


2.) Run the vampire command:
 net rpc vampire -S nemesis -U Administrator -W WHSD

this returns:
Fetching DOMAIN database
Failed to fetch domain database: NT_STATUS_INVALID_COMPUTER_NAME


I've tried this on another NT 4 DC in a different domain with the same 
results.  Am I missing a step?  It seems like my situation would be the 
default for this and that everyone would be getting this error yet I 
can't find it documented anywhere.  I'd really like to get these domains 
moved to samba and really appreciate any help.


My smb.conf is:
[global]
  workgroup = WHSD
  server string = mjollnir server
  netbios name = MJOLLNIR
  printcap name = /etc/printcap
  load printers = yes
  log file = /var/log/samba/log.%m
  max log size = 50
  security = USER
  #security = DOMAIN
  #password server = GENESIS
  encrypt passwords = true
  passdb backend = tdbsam
  #smb passwd file = /etc/samba/smbpasswd
  allow trusted domains = No
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = no
  domain logons = Yes
  domain master = No
  preferred master = no
  #wins server = 10.1.2.2
  dns proxy = no
  log level = 3
  add user script = /usr/sbin/useradd -m '%u'
  add group script = /usr/sbin/groupadd '%g'
  add user to group script = /usr/sbin/usermod -G '%g' '%u'
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'

  client schannel = no
[netlogon]
  path = /var/lib/samba/netlogon
  guest ok = Yes
  locking = No
[tmp]
  path = /var/lib/samba/tmp
  read only = no
  browseable = no
  guest ok = yes

I've attached the output of:
net rpc vampire -S nemesis -U Administrator -W WHSD -d 10
to this message in case it is helpful in any way.
[2007/05/30 11:13:14, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
[2007/05/30 11:13:14, 3] param/loadparm.c:lp_load(4945)
  lp_load: refreshing parameters
[2007/05/30 11:13:14, 3] param/loadparm.c:init_globals(1410)
  Initialising global parameters
[2007/05/30 11:13:14, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2007/05/30 11:13:14, 3] param/loadparm.c:do_section(3687)
  Processing section [global]
  doing parameter workgroup = WHSD
  doing parameter server string = mjollnir server
  doing parameter netbios name = MJOLLNIR
[2007/05/30 11:13:14, 4] param/loadparm.c:handle_netbios_name(3045)
  handle_netbios_name: set global_myname to: MJOLLNIR
  doing parameter printcap name = /etc/printcap
  doing parameter load printers = yes
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 50
  doing parameter security = USER
  doing parameter encrypt passwords = true
  doing parameter passdb backend = tdbsam
  doing parameter allow trusted domains = No
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter local master = no
  doing parameter domain logons = Yes
  doing parameter domain master = No
  doing parameter preferred master = no
  doing parameter dns proxy = no
  doing parameter log level = 3
  doing parameter add user script = /usr/sbin/useradd -m '%u'
  doing parameter add group script = /usr/sbin/groupadd '%g'
  doing parameter add user to group script = /usr/sbin/usermod -G '%g' '%u'
  doing parameter add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
  doing parameter client schannel = no
[2007/05/30 11:13:14, 4] param/loadparm.c:lp_load(4976)
  pm_process() returned Yes
[2007/05/30 11:13:14, 7] param/loadparm.c:lp_servicenumber(5112)
  lp_servicenumber: couldn't find homes
[2007/05/30 11:13:14, 10] param/loadparm.c:set_server_role(4221)
  set_server_role: role = ROLE_DOMAIN_BDC
[2007/05/30 11:13:14, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2LE
[2007/05/30 11:13:14, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2LE
[2007/05/30 11:13:14, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16LE
[2007/05/30 11:13:14, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16LE
[2007/05/30 11:13:14, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2BE
[2007/05/30 11:13:14, 5] 

[Samba] net rpc trustdom list: enumerates all accounts

2007-05-07 Thread werner maes

Hello

When I perform the net rpc trustdom list command I get the 
couldn't enumerate accounts error.

I use LDAP as passdb backend with approximately 3 accounts.
If I run the command, I can see from my LDAP logs that it tries to 
list every account on the LDAP server. Therefore the net rpc 
trustdom list command times out.


Is this normal behaviour?

Werner

[EMAIL PROTECTED] net rpc trustdom list
Password:
Trusted domains list:

none

Trusting domains list:

[2007/05/07 09:45:53, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds

[2007/05/07 09:45:53, 0] utils/net_rpc.c:rpc_trustdom_list(5445)
  Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL




Re: [Samba] net rpc trustdom list: enumerates all accounts

2007-05-07 Thread Volker Lendecke
On Mon, May 07, 2007 at 10:37:03AM +0200, werner maes wrote:
 When I perform the net rpc trustdom list command I get the 
 couldn't enumerate accounts error.
 I use LDAP as passdb backend with approximately 3 accounts.
 If I run the command, I can see from my LDAP logs that it tries to 
 list every account on the LDAP server. Therefore the net rpc 
 trustdom list command times out.
 
 Is this normal behaviour?

With 'passdb backend = ldapsam' it is quite unfortunate, but
expected. We have done quite extensive optimizations for
this case with ldapsam:trusted = yes, but this option
puts quite strict restrictions on the conformance of your
ldap tree.

Volker



Re: [Samba] net rpc vampire umlauts (äöüß) problem

2007-04-23 Thread Björn Jacke
On 2007-04-11 at 22:54 +0200 Stefan Drees sent off:
 I changed the charset to UTF8, but nothing changes.
 Smbldap-usershow shows me the malformed umlauts,
 with ldapsearch I get displayname:: Qs19dnttIFRidKxlej==.

be aware that ldap always contains utf-8 encoded names and if they are
not ASCII or contain some other special characters, then they are
base64 encoded. As your LDAP scripts don't convert the names, you have
to do that by yourself.

Bjoern
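Decoding the `displayname::` form described in the reply above, as an added example (not code from the thread, Samba or the smbldap scripts): it unfolds ldapsearch output, base64-decodes `attr::` values, flags values whose bytes are not valid UTF-8, and writes them back as UTF-8. The sample entry, the function names and the ISO8859-1 fallback are assumptions made for the illustration.

```python
import base64

# Constructed ldapsearch-style output (not data from the thread). Both
# attributes are meant to hold "Jürgen Müller": displayName as UTF-8 and
# folded across two lines, cn as ISO8859-1 bytes written by a script that
# never converted them.
SAMPLE_LDIF = """\
# constructed test entry
dn: uid=jmueller,ou=Users,dc=example,dc=org
uid: jmueller
displayName:: SsO8cmdlbiBN
 w7xsbGVy
cn:: SvxyZ2VuIE38bGxlcg==
"""


def unfold(ldif_text):
    """Join folded lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return [line for line in lines if not line.startswith("#")]


def decode_value(b64_value):
    """Decode an 'attr:: value' payload and report how the bytes were encoded."""
    data = base64.b64decode(b64_value, validate=True)
    try:
        return data.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        # Assumption for this example: bytes that are not valid UTF-8 came
        # from an ISO8859-1 source, the charset named in the thread.
        return data.decode("iso8859-1"), "iso8859-1"


def parse_entry(ldif_text):
    """Return {attribute: [(text, encoding), ...]} for one LDIF entry."""
    entry = {}
    for line in unfold(ldif_text):
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            value = decode_value(rest[1:].strip())
        else:                             # "attr: <plain ASCII>"
            value = (rest.lstrip(" "), "plain")
        entry.setdefault(attr, []).append(value)
    return entry


def needs_base64(text):
    """True when a value cannot be written as a plain 'attr: value' line."""
    if not text:
        return False
    if text[0] in " :<" or text[-1] == " ":
        return True
    return any(ch in "\x00\r\n" or ord(ch) > 127 for ch in text)


def to_ldif_line(attr, text):
    """Write a value the way a conversion script should: UTF-8, base64 if needed."""
    if needs_base64(text):
        encoded = base64.b64encode(text.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {text}"


def repair_plan(ldif_text):
    """List corrected LDIF lines for attributes whose bytes were not UTF-8."""
    fixes = []
    for attr, values in parse_entry(ldif_text).items():
        for text, encoding in values:
            if encoding == "iso8859-1":
                fixes.append(to_ldif_line(attr, text))
    return fixes


if __name__ == "__main__":
    for attr, values in parse_entry(SAMPLE_LDIF).items():
        for text, encoding in values:
            print(f"{attr}: {text!r} ({encoding})")
    print("re-encode as:", repair_plan(SAMPLE_LDIF))
```
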


[Samba] net rpc query

2007-04-17 Thread Dave Brain

Hi.

I'm using samba-3.0.24 on a gentoo box. The samba machine is
configured as a domain member server within a MS Windows 2003 active
directory. It has been successfully joined to the domain and
everything works, shares, kerberos, ldap.

However, I cannot get nested groups to work, or more precisely, I
cannot add a local group using net rpc. Here is what I am doing:


gentoo ~ # net rpc group add NewGroup -Umyuser -L -d 3 -I 10.0.0.2

[2007/04/17 11:20:35, 3] param/loadparm.c:lp_load(4945)
 lp_load: refreshing parameters
[2007/04/17 11:20:35, 3] param/loadparm.c:init_globals(1410)
 Initialising global parameters
[2007/04/17 11:20:35, 3] param/params.c:pm_process(572)
 params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2007/04/17 11:20:35, 3] param/loadparm.c:do_section(3687)
 Processing section [global]
[2007/04/17 11:20:35, 1] param/loadparm.c:lp_do_parameter(3426)
 WARNING: The printer admin option is deprecated
[2007/04/17 11:20:35, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.0.1 bcast=130.88.255.255 nmask=255.255.0.0
[2007/04/17 11:20:35, 2] lib/interface.c:add_interface(81)
 added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password:
[2007/04/17 11:20:42, 3] libsmb/cliconnect.c:cli_start_connection(1426)
 Connecting to host=10.0.0.1
[2007/04/17 11:20:42, 3] lib/util_sock.c:open_socket_out(874)
 Connecting to 130.88.88.89 at port 445
[2007/04/17 11:20:42, 3] libsmb/cliconnect.c:cli_session_setup_spnego(721)
 Doing spnego session setup (blob length=122)
[2007/04/17 11:20:42, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
 got OID=1 2 840 113554 1 2 2
[2007/04/17 11:20:42, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
 got OID=1 2 840 48018 1 2 2
[2007/04/17 11:20:42, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
 got OID=1 3 6 1 4 1 311 2 2 10
[2007/04/17 11:20:42, 3] libsmb/cliconnect.c:cli_session_setup_spnego(754)
 got principal=cifs/[EMAIL PROTECTED]
[2007/04/17 11:20:42, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(950)
 Got challenge flags:
[2007/04/17 11:20:42, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
 Got NTLMSSP neg_flags=0x60890215
[2007/04/17 11:20:42, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(972)
 NTLMSSP: Set final flags:
[2007/04/17 11:20:42, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
 Got NTLMSSP neg_flags=0x60080215
[2007/04/17 11:20:42, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
 NTLMSSP Sign/Seal - Initialising with flags:
[2007/04/17 11:20:42, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
 Got NTLMSSP neg_flags=0x60080215
[2007/04/17 11:20:42, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
 rpc_pipe_bind: Remote machine 10.0.0.1 pipe \lsarpc fnum 0x72a4 bind request returned ok.
[2007/04/17 11:20:42, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
 rpc_pipe_bind: Remote machine 10.0.0.1 pipe \samr fnum 0x72a5 bind request returned ok.
add alias failed: NT_STATUS_ACCESS_DENIED
[2007/04/17 11:20:42, 1] utils/net_rpc.c:run_rpc_command(170)
 rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2007/04/17 11:20:42, 2] utils/net.c:main(988)
 return code = 1

gentoo ~ #



Now, my question relates to the -U parameter. Exactly which account is this?
Is it root on the gentoo box?
Is it a domain admin on the windows active directory?
Is it my wbinfo --set-auth-user definition?
Is it some other account?

I have tried all these combinations and I still cannot add a group. I
know the root, domain admin account, wbinfo user passwords and still
this just will not work for me.


Can someone please inform me which account I should be using? As I
have totally run out of ideas.
Thanks
Dave


Re: [Samba] net rpc vampire umlauts (äöüß) problem

2007-04-11 Thread Stefan Drees
I changed the charset to UTF8, but nothing changes.
Smbldap-usershow shows me the malformed umlauts,
with ldapsearch I get displayname:: Qs19dnttIFRidKxlej==.

I tried to change unix charset to UTF8, ISO8859-1, ISO8850-15,
but the displayname doesn't change.

I also changed the locales to UTF-8, [EMAIL PROTECTED], de_DE, [EMAIL PROTECTED],
but the displayname doesn't change, too. net rpc vampire ignores the
settings.

Any other ideas?

Regards
S.Drees

Wolfgang Ratzka wrote:
 Stefan Drees wrote:

 Hi,
 I'm using net rpc vampire to migrate users/groups from nt4 to samba3
 with ldap backend.
 But the umlauts (äöüß) in the displayname are malformed.
 Unix charset in smb.conf is set to ISO8859-1.

 Any hint how to correct this?

 Regards
 S.Drees

 Did you consider switching your unix charset from ISO8859-1 to UTF-8?
 Windows does allow unicode characters in file names and in other places.
 Translating them to ISO8859-1 will not always work.

 Kind regards
 Wolfgang Ratzka
   



Re: [Samba] net rpc vampire umlauts (äöüß) problem

2007-04-10 Thread Wolfgang Ratzka
Stefan Drees wrote:

 Hi,
 I'm using net rpc vampire to migrate users/groups from nt4 to samba3
 with ldap backend.
 But the umlauts (äöüß) in the displayname are malformed.
 Unix charset in smb.conf is set to ISO8859-1.

 Any hint how to correct this?

 Regards
 S.Drees


Did you consider switching your unix charset from ISO8859-1 to UTF-8?
Windows does allow unicode characters in file names and in other places.
Translating them to ISO8859-1 will not always work.

Kind regards
Wolfgang Ratzka
-- 
Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994
Uni Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany



[Samba] net rpc vampire umlauts (äöüß) problem

2007-04-09 Thread Stefan Drees
Hi,
I'm using net rpc vampire to migrate users/groups from nt4 to samba3
with ldap backend.
But the umlauts (äöüß) in the displayname are malformed.
Unix charset in smb.conf is set to ISO8859-1.

Any hint how to correct this?

Regards
S.Drees



[Samba] net rpc vampire, profiles, SIDs oh my!

2007-02-06 Thread Brad Askew
Ok. I am trying to net rpc vampire from my current AD domain into a 
ldapsam password backend so I can get the user SID to preserve profiles. 
I am aware that HKEY_USERS holds that SID as well. In my test 
environment, the SID for userA in the AD domain when taken from 
HKEY_USERS and put into userA's ldap entry as sambaSID preserves the 
profile correctly, also the last digits of the SID for userA are 1007. 
That same userA has a SID ending in 3018 when pulled from AD using net 
rpc vampire. My question is this, is net rpc vampire not the way I 
need to go about getting the correct user SIDs from the current domain's 
users? I have 100+ users, and it would be nice to avoid looking at each 
user's HKEY_USER to get their SIDs. I hope this is clear, and thanks for 
your time & thoughts.


Brad


[Samba] net rpc vampire command and Domain Local Groups

2007-02-03 Thread Luca Landi
Hello, I think I spotted an inconsistency between net rpc vampire and the 
rest of the Samba suite with regard to creation of domain local-groups.

By looking at the source code I can see that during a netvampire the 
creation of local-groups follows the same process used for global-groups. 
Specifically, netvampire gets the necessary gid by running the add group 
script. See file source/utils/net_rpc_samsync.c, function 
fetch_alias_info.

The above behavior seems to be inconsistent with what is done by smbd when 
it has to create a local-group, because smbd gets the necessary gid from 
winbindd. See file source/groupdb/mapping.c, function 
pdb_default_create_alias.

The end results seem to be at least that:
1. gids for local-groups are allocated from different ranges depending on 
which program creates them.
2. local-groups created by netvampire most probably get stored also as posix 
groups, as this is what add-group-scripts usually do.

Unless I got something wrong, of course... :-)

Cheers,
Luca


[Samba] net rpc group members timeout

2007-01-05 Thread Matt Proud

Hello,

Occasionally when I perform net rpc group members (group a), I get a
timeout. When I do net rpc group members (group b), I always get a
timeout.

I get the following error:

[2007/01/05 16:36:18, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
 rpc_api_pipe: Remote machine 127.0.0.1 pipe \samr fnum 0x72cdreturned critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2007/01/05 16:36:18, 0] libsmb/clientgen.c:cli_rpc_pipe_close(375)
 cli_rpc_pipe_close: cli_close failed on pipe \samr, fnum 0x72cd to machine 127.0.0.1.  Error was Call timed out: server did not respond after 1 milliseconds

Everything looks appropriate when looking at net groupmap list.

We are using NIS (I have begun a phased transition to LDAP and
Kerberos), and NIS sometimes times out. Still, I overrode nsswitch and
PAM to use LDAP and Kerberos respectively and no NIS, but this only
marginally helps things.

Can this timeout be raised? Is there some other underlying problem? We
are using NSCD. There are a lot of user accounts.

I have seen this problem discussed elsewhere, but nobody has proffered
any solutions.

Version: 3.0.22-1ubuntu3.1

Here's a copy of the Samba configuration:

[global]
  netbios name = COPPER
  workgroup = blah
  server string = %h via SAMBA

#   passdb backend = smbpasswd
  passdb backend = tdbsam:/var/lib/samba/passdb.tdb
  security = user
  username map = /etc/samba/smbusers

  name resolve order = wins bcast hosts lmhosts
  wins support = yes

  domain master = yes
  local master = yes
  domain logons = yes
  preferred master = yes
  os level = 255

  printcap = cups
  printing = cups
  load printers = yes

  #logon drive = H:
  logon script = logon.bat
  logon path = 
  #logon path = \\%N\profile\%U
  #logon home = \\%L\

  #log level = 0 printdrivers:10 rpc_srv:10 rpc_cli:10 smb:10
  #log level = 0 smb:10 passdb:10 tbd:10 lanman:10 acls:10
  log level = 10
  log file = /var/log/samba/log.%m
  debug timestamp = yes

  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
  deadtime = 120

  time server = yes

  hide dot files = yes
  hide unreadable = yes

  guest ok = no
  guest account = nobody

  admin users = @newadm
  #domain admin group = @newadm
  #domain admin users = root

  encrypt passwords = yes
  null passwords = yes
  #unix password sync = yes
  #passwd program = /usr/bin/yppasswd %u
  #passwd chat = *old\spassword:* %o\n *new\spassword:** %n\n *new\spassword:** %n *changed* .
  #obey pam restrictions = yes

  unix charset = ISO8859-1

  add machine script = /var/lib/samba/scripts/smb-add-machine %u

  map to guest = nobody

  preserve case = yes
  short preserve case = yes
  #All blah subnets should be enumerated here.
  #remote announce = 128.101.10.252/NT_blah 192.168.116.192/NT_blah

  enable privileges = yes

  printer admin = blah\Domain Admins

# Experimental
# These settings should either be inverted to the formerly noted defaults
# or removed entirely.
  strict locking = no
# Was no
  kernel oplocks = no
# Was no
  oplocks = no
# Was unset
  locking = no


[printers]
  comment = All Printers
  browseable = no
  path = /tmp
  printable = yes
  public = yes
  writeable = no
  create mode = 0700

[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  writeable = no
  public = yes
  write list = root, @newadm

[netlogon]
  comment = Remote Login
  path = /var/lib/samba/netlogon
  writeable = no
  browseable = no
  admin users = root, @newadm
  write list = root, @newadm

#[profile]
#   comment = Roaming Profiles
#   path = /var/lib/samba/profiles
#   create mode = 0600
#   directory mode = 0700
#   writable = yes
#   default case = lower
#   preserve case = no
#   short preserve case = no
#   case sensitive = no
#   #write list = root @blah
#   csc policy = disable
#   browseable = no
#   force user = %U
#   #profile acls = yes
#   #valid users = %U@Domain Admins

[homes]
  comment = UNIX Home Directory
  volume = %u
  browseable = no
  writeable = yes
  guest ok = no
  inherit permissions = yes
  #valid users = root @blah
  valid users = %S
  invalid users = guest nobody
  create mask = 0644
  directory mask = 0755
  public = no
  locking = no

[staff]
  comment = blah Staff Files --- Privileged
  volume = Staff
  browseable = no
  path = /srv/staff
  public = no
  writeable = yes
  create mask = 0770
  directory mask = 2770
  force group = +newstaff
  valid users = @newstaff

[accounting]
  comment = blah Accounting Files --- Privileged
  volume = Accounting
  browseable = no
  path = /srv/accounting
  public = no
  writeable = yes
  create mask = 0770
  directory mask = 2770
  force group = +blah_acct
  valid users = @blah_acct

[software]
  comment = Shared Software --- Privileged
  volume = Software
  browseable = no
  path = /srv/software
  public = no
  writeable = yes
  create mask = 0770
  directory mask = 2770
  force group = +blah_main
  valid users = root administrator @blah_main


Re: [Samba] net rpc password?

2006-10-18 Thread Henrik Zagerholm
Do you use the -U parameter and the -S parameter? If you don't, it
will try to connect to localhost using your unix user.


On 18 Oct 2006 at 03:30, Chuck Kollars wrote:


When I try to execute `net rpc group` it asks
Password:, then no matter what I enter it's always
wrong.

(I suspect this means I skipped a whole section of
installation I shouldn't have.)

So far I haven't found an answer in the HOWTO; I must
be looking in the wrong spot. Where _should_ I start
looking?

thanks!



Re: [Samba] net rpc password?

2006-10-18 Thread Volker Lendecke
On Tue, Oct 17, 2006 at 06:30:08PM -0700, Chuck Kollars wrote:
 When I try to execute `net rpc group` it asks
 Password:, then no matter what I enter it's always
 wrong. 

Try the -U option to tell net what user you want to
authenticate as.

Volker

