[Samba] realmd and net rpc privileges

Sebastian Gabler

Apr 29, 2015, 7:00:03 AM
I am running a file server off OEL7.1, domain member in a Windows AD.
The machine was joined using realm join. Samba version is 4.1.12 from
the yum repo. I am using SSSD, so no winbind here.
net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
-U'SAMDOM\administrator' does not work with the errors described in
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting ,
but the solution does not work. I get the same errors when trying to
query the assigned privs.
However, I can set ownership and access from Windows even without the
SeDiskOperator. What am I missing?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

Apr 29, 2015, 7:00:04 AM
so tell us what are your errors?

It's hard to help without them.
Please post your smb.conf ( sanitized ) and your resolv.conf and hosts file.
and..
you can try the command :
net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn

greetz,

Louis



>-----Original message-----
>From: sequoi...@gmx.net
>[mailto:samba-...@lists.samba.org] On behalf of Sebastian Gabler
>Sent: Wednesday 29 April 2015 12:46
>To: sa...@lists.samba.org
>Subject: [Samba] realmd and net rpc privileges

Sebastian Gabler

Apr 29, 2015, 8:20:03 AM
On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
> so tell us what are your errors?
>
> It's hard to help without them.
> Please post your smb.conf ( sanitized ) and your resolv.conf and hosts file.
> and..
> you can try the command :
> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -S servername.fqdn
>
> greetz,
>
> Louis
I am getting the error listed here:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:

# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
-U'SAMDOM\administrator'
Enter SAMDOM\administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

resolv.conf is automatically filled by Network Manager here (which gets
the settings from the DHCP server, which is the DC in my case)
hosts has no entries besides the localhost defaults for 'lo'
hostname returns the fqdn. DNS resolution and ntp sync are perfectly
fine. Domain users can log on and get homes. (I don't care about that
too much, but it's nice to see it working.)

This is the testparm dump, with '#' comments:

[global]
realm = MYDOMAIN.LOCAL # here is the actual realm value
server string = Samba Server Version %v
security = ADS
username map = /etc/samba/user.map
kerberos method = system keytab
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
printcap name = /dev/null
idmap config * : backend = tdb
map acl inherit = Yes
cups options = raw
vfs objects = acl_xattr

[Acls] # this is my test share
path = /srv/samba/acls/
read only = No
Looking at these, it comes to my attention that there is no idmap on
that machine (I mean, not as a daemon, not as a command). Could that be
part of the problem?
In the -S option above, does servername.fqdn refer to the DC or to the
local machine?
Also, I was puzzled whether the PW to enter is the root PW or the Domain Admin
PW. I tried both, always.

Best,
Sebastian

Rowland Penny

Apr 29, 2015, 9:00:03 AM
On 29/04/15 13:10, Sebastian Gabler wrote:
> On 29.04.2015 at 12:58, L.P.H. van Belle wrote:
>> so tell us what are your errors?
>>
>> It's hard to help without them.
>> Please post your smb.conf ( sanitized ) and your resolv.conf and
>> hosts file.
>> and..
>> you can try the command :
>> net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
>> -U'SAMDOM\administrator' -S servername.fqdn
>>
>> greetz,
>>
>> Louis
> I am getting the error listed here:
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting:
>
> # net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege
> -U'SAMDOM\administrator'
> Enter SAMDOM\administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> resolv.conf is automatically filled by Network Manager here (which
> gets the settings from the DHCP server, which is the DC in my case)

Yes, but what is in resolv.conf ??
Unless it contains something like this:

search <your AD dns domain>
nameserver <your AD DCs ipaddress>

it will probably never work.


> hosts has no entries besides the localhost defaults for 'lo'

Are you running your fileserver as a DHCP client ?
For the -S option, use the AD DC name, or you could use -I <AD DC ipaddress>

Rowland

Sebastian Gabler

Apr 30, 2015, 4:10:02 AM
There is something to add. Listing existing rights (any rights that is,
thus using the current, root, user) fails with the same problem:

# net rpc rights list
Enter root's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I conclude from that that net cannot authenticate at all for this purpose, and
the first step would be to solve that. The question is: how?

Br

Sebastian

Rowland Penny

Apr 30, 2015, 4:20:04 AM
You need to map root to Administrator, add this line to smb.conf:
username map = /etc/samba/user.map

Then create the map file, it is just one line:

!root = EXAMPLE\Administrator Administrator administrator

Change 'EXAMPLE' for your workgroup name.

Rowland

L.P.H. van Belle

Apr 30, 2015, 4:20:05 AM
Did you adjust your smb.conf already? If so, can you post your smb.conf again,
and the content of /etc/samba/user.map.

Greetz,

Louis


>-----Original message-----
>From: sequoi...@gmx.net
>[mailto:samba-...@lists.samba.org] On behalf of Sebastian Gabler
>Sent: Thursday 30 April 2015 10:06
>To: sa...@lists.samba.org
>Subject: Re: [Samba] realmd and net rpc privileges

Harry Jede

Apr 30, 2015, 6:40:03 AM
On 12:29:52 wrote Rowland Penny:
> You need to map root to Administrator, add this line to smb.conf:
> username map = /etc/samba/user.map
>
> Then create the map file, it is just one line:
>
> !root = EXAMPLE\Administrator Administrator administrator
Simply wrong! This maps the windows users to the unix user root.

> Change 'EXAMPLE' for your workgroup name.
>
> Rowland


--

Regards
Harry Jede

Rowland Penny

Apr 30, 2015, 8:10:02 AM
On 30/04/15 11:32, Harry Jede wrote:
> On 12:29:52 wrote Rowland Penny:
>> You need to map root to Administrator, add this line to smb.conf:
>> username map = /etc/samba/user.map
>>
>> Then create the map file, it is just one line:
>>
>> !root = EXAMPLE\Administrator Administrator administrator
> Simply wrong! This maps the windows users to the unix user root.
>
>> Change 'EXAMPLE' for your workgroup name.
>>
>> Rowland
>

If it is 'Simply wrong', why can I run the same command that the OP used
and expect it to work, but if I don't have the line in smb.conf, I get
the result the OP did.

Rowland

Sebastian Gabler

Apr 30, 2015, 12:30:04 PM
Thanks for the hints.

You may want to note that 'username map' is already in my conf, line 4
from the top of the global section. Content of the map file is "!root =
admini...@mydomain.local Administrator administrator" . The syntax
for the domain admin user follows the one suggested by realmd, that is
us...@domain.local.

That is, to my understanding I already did what you suggest, and said so
in my original message.

Not sure about 3 things:

1. Why would authentication of net rpc fail against the local root user
on the local machine? Why does it even ask for the password anyhow when I
run it as root? That is, irrespective of any user maps, it makes no
sense to me.
2. Where does the 'Workgroup\Administrator' syntax you are suggesting
come from? I am joined to a domain - how would this matter?
3. Not sure I mentioned it earlier, but: I can indeed change Ownership
of folders, ACLs and permissions from Windows as Domain Admin. What
doesn't work is creating new shares from Computer Administration
console, and change share ownership to other users from there.

Best regards,

Sebastian

Sebastian Gabler

Apr 30, 2015, 12:40:04 PM
On 30.04.2015 at 12:32, Harry Jede wrote:
> On 12:29:52 wrote Rowland Penny:
>> You need to map root to Administrator, add this line to smb.conf:
>> username map = /etc/samba/user.map
>>
>> Then create the map file, it is just one line:
>>
>> !root = EXAMPLE\Administrator Administrator administrator
> Simply wrong! This maps the windows users to the unix user root.
>
>
Not sure, but wasn't that what it should do? (Even if I stated that it
doesn't have the intended outcome for me...)

Do you have any other idea how to make the original problem work? Help
is still welcome.

Br

Sebastian

Sebastian Gabler

Apr 30, 2015, 6:20:03 PM
Solved. What was missing was the workgroup directive. My mistake. It's
mentioned here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Wrong hint:
- '-S' option. The privilege is set on the local member machine, not
remote. Thus, the password of SAMDOM\Administrator is the mapped (root) pw.

Thanks anyways for the hints.

Harry Jede

May 1, 2015, 3:40:03 AM
On 09:13:40 wrote Rowland Penny:
> On 30/04/15 11:32, Harry Jede wrote:
> > On 12:29:52 wrote Rowland Penny:
> >> You need to map root to Administrator, add this line to smb.conf:
> >> username map = /etc/samba/user.map
> >>
> >> Then create the map file, it is just one line:
> >>
> >> !root = EXAMPLE\Administrator Administrator administrator
> >
> > Simply wrong! This maps the windows users to the unix user root.
> >
> >> Change 'EXAMPLE' for your workgroup name.
> >>
> >> Rowland
>
> If it is 'Simply wrong', why can I run the same command that the OP
> used and expect it to work, but if I don't have the line in
> smb.conf, I get the result the OP did.

The OP uses a setup with sssd and realmd. I never used this software and
probably I will never use it. So I cannot answer his question. By the
way, the OP is asking what the -S parameter is for. He should not ask
this, better read the man page; maybe no time, maybe too lazy.

Rowland, the mapping is done only in one direction. So
map root to administrator
or
map administrator to root
are different things and "user map" does the latter.

PS
searching the net for realmd may give answers

> Rowland


--

Regards
Harry Jede
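To make the points in the last few messages concrete (Rowland's one-line map file, Harry's remark that the map only works in one direction, and the missing `workgroup` directive that Sebastian found was the real cause), here is an added Python example that is not code from this thread or from Samba itself. It parses a constructed smb.conf and a constructed user.map with the same shape as the ones posted above, reports the member-server settings a practitioner would check first, and applies the map the way Samba does, from the name the SMB client presents to a Unix account. The workgroup/realm values, file contents and account names are constructed; `@group` entries and idmap behaviour are not modelled.

```python
import re

# Constructed smb.conf, modelled on the testparm dump earlier in the thread,
# but WITH the 'workgroup' line whose absence turned out to be the problem.
SMB_CONF = """\
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        security = ADS
        username map = /etc/samba/user.map
        kerberos method = system keytab
        idmap config * : backend = tdb
        vfs objects = acl_xattr

[Acls]
        path = /srv/samba/acls/
        read only = No
"""

# Constructed user.map with the same shape as the one-liner in the thread.
USER_MAP = """\
# unix_user = windows names...   a leading '!' stops processing after a match
!root = SAMDOM\\Administrator Administrator administrator
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}, keys normalised the way testparm prints
    them (lower-case, internal whitespace collapsed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.fullmatch(r'\[(.+)\]', line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue                      # stray line outside any section
        key, _, value = line.partition('=')
        sections[current][' '.join(key.lower().split())] = value.strip()
    return sections


def check_member_server(conf):
    """Return the problems that would stop 'net rpc rights' from authenticating
    WORKGROUP\\Administrator against a domain member; an empty list is good."""
    g = conf.get('global', {})
    problems = []
    if not g.get('workgroup'):
        problems.append("missing 'workgroup' (the short NetBIOS domain name)")
    elif '.' in g['workgroup']:
        problems.append("'workgroup' looks like a DNS name; use the short name")
    if not g.get('realm'):
        problems.append("missing 'realm' (the Kerberos realm)")
    if g.get('security', '').lower() != 'ads':
        problems.append("'security' must be ADS on an AD member")
    if not g.get('username map'):
        problems.append("missing 'username map' (Administrator is not mapped to a Unix account)")
    return problems


def parse_username_map(text):
    """Return [(unix_user, [windows names], stop_after_match), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;' or '=' not in line:
            continue
        unix, _, wins = line.partition('=')
        unix = unix.strip()
        entries.append((unix.lstrip('!').strip(), wins.split(), unix.startswith('!')))
    return entries


def map_username(presented, entries):
    """Apply the map in the direction Samba does: the name the SMB client
    presents (right-hand side) becomes the Unix account on the left-hand side.
    Matching is case-insensitive and '*' matches any name; '@group' entries are
    not modelled here.  A Unix name is never rewritten into a Windows one, so
    'root' presented by a client stays 'root'."""
    name = presented
    for unix, wins, stop in entries:
        if any(w == '*' or w.lower() == name.lower() for w in wins):
            name = unix
            if stop:
                break
    return name


if __name__ == '__main__':
    conf = parse_smb_conf(SMB_CONF)
    print('config problems:', check_member_server(conf) or 'none')
    for who in ('SAMDOM\\Administrator', 'administrator', 'root', 'jdoe'):
        print(f'{who!r:28} -> {map_username(who, parse_username_map(USER_MAP))!r}')
```

Deleting the `workgroup` line from `SMB_CONF` reproduces the situation in the thread: the checker reports it, while the map itself is unchanged. Running the map over `'root'` shows Harry's point: nothing on the right-hand side matches it, so it is not turned into Administrator; only the Windows-side names are rewritten to the Unix account `root`.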

L.P.H. van Belle

May 1, 2015, 5:40:04 AM
Hai,

>thus, the password of SAMDOM\Administrator is the
>mapped (root) pw.
No, not correct.
root has its password.
Administrator has its own password; even when mapped, these are different.
These users just share the same uid 0!

test with kinit Admini...@YOUR.REALM.TLD


and have a look here.

http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/

make sure your /etc/hosts does NOT contain something like :

127.0.0.1 dc1.server.tld dc1
but
127.0.0.1 localhost localhost.localdomain
and only the real server ip with hostname in hosts

as extra info :
A lot of the problems can be avoided by adding this section (in addition to disabling automatic-install) in /etc/realmd.conf:

[my.domain.fqdn.here]
fully-qualified-names = no

Then I do:
kinit myu...@MY.DOMAIN.FQDN.HERE

and:
realm join my.domain.fqdn.here


Optional, if you can't join: install the package packagekit


And this all said, if all of the above works, and you did join the AD and your resolving is correct,
then net rpc rights list
should work fine.
If not, well, then I don't know; I don't use sssd and realmd.


Greetz,

Louis


>-----Original message-----
>From: sequoi...@gmx.net
>[mailto:samba-...@lists.samba.org] On behalf of Sebastian Gabler
>Sent: Friday 1 May 2015 0:22
>To: sa...@lists.samba.org
>Subject: Re: [Samba] realmd and net rpc privileges
>
>
>

a b

May 1, 2015, 6:30:03 AM
Hi, too!

On 01.05.2015 at 11:32, L.P.H. van Belle wrote:
> Hai,
>
>> thus, the password of SAMDOM\Administrator is the
>> mapped (root) pw.
> No, not correct.
> root has its password.
> Administrator has it own password, even when mapped these are different.
> these users just share the same uid 0 !
Don't know. A minimal install of Samba, sssd on OEL7 doesn't include or
require krb5-workstation (which is how you get kinit), see at the end of
this post. I understand Administrator is a built-in account. I have
never created it, let alone assigned a PW. All I did which I can figure is
related is assigning sambapasswd root, and the bespoke user.map. Remains
anemophily for the creation of the Administrator PW ;-)
>
> test with kinit Admini...@YOUR.REALM.TLD
>
>
> and have a look here.
>
> http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/
This site treats a lot of problems I never had. And I don't see any
aspects that directly would contribute to this topic, sorry.
>
> make sure your /etc/hosts does NOT contain something like :
>
> 127.0.0.1 dc1.server.tld dc1
Not sure what this is aiming at.
> but
> 127.0.0.1 localhost localhost.localdomain
> and only the real server ip with hostname in hosts
The error was against the lo ip. Why would an entry to eth0 change
anything here?
>
> as extra info :
> A lot of the problems can be avoided by adding this section (in addition to disabling automatic-install) in /etc/realmd.conf:
>
> [my.domain.fqdn.here]
I don't understand the meaning of that syntax. Rest, see above comment.
> fully-qualified-names = no
>
> Then I do:
> kinit myu...@MY.DOMAIN.FQDN.HERE
>
> and:
> realm join my.domain.fqdn.here
>
>
> optional if you cant join install package : packagekit
>
>
> and this all said, if all of above works, and you did join the AD and your resolving is correct,
> then net rpc rights list
> should work fine.
> if not, wel, then i dont know., i dont use sssd and realmd.
To begin with, I am seeing my problem through realmd, exclusively. Maybe
you should try realm. I learned if you follow the HowTos that include a
manual setup of authconfig and sssd are tedious, and don't work
smoothly. The method I learned later and used now for joining the
domain is much easier, and most of the above is probably redundant, if
not harmful. In a nutshell, once you installed the required packages for
realmd and sssd, you can sync the member server to the right ntp, set up
DNS (in my case done by DHCP), and discover/join the domain. The scripts
that come with realmd set up the sssd.conf and configure/start sss
daemon. These are main functions of realmd. However, there seems to be a
gap when using Samba vs. the traditional methods that use winbind, and
that's why I am here. Winbindd and SSSD are mutually exclusive, as the
RHEL7 manual explains.

Best,

Rowland Penny

May 1, 2015, 6:40:03 AM
Perhaps you will get better help if you try using a mailing list for
realmd or sssd, neither of these two programs is supplied or supported
by samba.

Rowland

Sebastian Gabler

May 2, 2015, 2:30:03 PM
On 01.05.2015 at 16:49, samba-...@lists.samba.org wrote:
> By the
> way, the OP is asking what the -S parameter is for. He should not ask
> this, better read the man page, may be no time, may be too lazy.

No, the OP was not too lazy to read the man page. The OP does understand
what the -S parameter is for, but it was not clear if the value for the
parameters would have to point to the local machine or the DC. The
advice was ambiguous. He tried both in the meantime, and both didn't
work. Meanwhile he has also understood that the value should have
pointed to the local machine.
Conclusion: This was not the problem.

-S

Sebastian Gabler

May 2, 2015, 2:40:03 PM
On 01.05.2015 at 16:49, samba-...@lists.samba.org wrote:
> Perhaps you will get better help if you try using a mailing list for
> realmd or sssd, neither of these two programs is supplied or supported
> by samba.
>
> Rowland

You may have missed that the problem is solved meanwhile, and as I
stated above the error was with the Samba configuration, namely value of
the Workgroup param.
I can only say that realmd worked perfectly all the time.
In a different thread I found a good explanation about hosts file
config, and I will evaluate if that would solve the problem as well,
even with an empty Workgroup param.

BTW: What is that SAMDOM about? Is it a sample value, or is SAMDOM a
built-in facility with a fixed functionality? The member server howto
uses SAMDOM as Workgroup name, and the trouble-shooting howto uses it to
map the root user with Administrator.

Rowland Penny

May 2, 2015, 5:20:04 PM
On 02/05/15 19:35, Sebastian Gabler wrote:
> On 01.05.2015 at 16:49, samba-...@lists.samba.org wrote:
>> Perhaps you will get better help if you try using a mailing list for
>> realmd or sssd, neither of these two programs is supplied or supported
>> by samba.
>>
>> Rowland
>
> You may have missed that the problem is solved meanwhile, and as I
> stated above the error was with the Samba configuration, namely value
> of the Workgroup param.
> I can only say that realmd worked perfectly all the time.
> In a different thread I found a good explanation about hosts file
> config, and I will evaluate if that would solve the problem as well,
> even with an empty Workgroup param.
>
> BTW: What is that SAMDOM about? Is it a sample value, or is SAMDOM a
> built-in facility with a fixed functionality? The memeber server howto
> uses SAMDOM as Workgroup name, and the trouble-shooting howto uses it
> to map the root user with Administrator.
>
> -S

Did you miss this:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Server_information


Rowland

Sebastian Gabler

May 4, 2015, 3:00:03 PM
On 01.05.2015 at 16:49, samba-...@lists.samba.org wrote:
> why... uhmm if I'm correct..
>
> I'll try to explain. . my English is not that good..;-)
>
> Your kerberos request => Resolving => resolving order, ( hosts files => DNS )

I have done a bit of research on that matter, and the result is the
following:

Assuming your system is using nsswitch (most current systems will), the
name resolution methods and priority are defined in nsswitch.conf. The
services and order are configurable.

The default on my OEL7.1 box is:

hosts: files dns
# this would indeed look into /etc/hosts, and only look in dns if no
entry is found in hosts file

Actually, that means that you need no entry but the pointers for lo in
hosts, given you have an available dns.

Nothing would prevent you from reverting the lookup order to
hosts: dns files, either.

BR

Sebastian
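The lookup order described in the last message can be simulated offline. The Python below is an added example, not code from the thread: it parses a constructed /etc/hosts and a constructed `hosts:` line from nsswitch.conf, then resolves a name through the sources in that order, with a constructed dictionary standing in for the DC's DNS. It also shows why Louis's earlier warning about `127.0.0.1 dc1.server.tld dc1`-style entries matters: with `files dns`, such a line answers before DNS is ever asked, so the server's own FQDN resolves to loopback. Host names and addresses (fs01, samdom.example.com, 192.0.2.x) are constructed, and only the `files` and `dns` sources are modelled.

```python
# Constructed /etc/hosts in the shape Louis warned against: the member server's
# own FQDN pointed at loopback.
HOSTS_BAD = """\
127.0.0.1   localhost localhost.localdomain
127.0.0.1   fs01.samdom.example.com fs01
"""

# Constructed /etc/hosts with only the loopback defaults, as on the OP's box.
HOSTS_GOOD = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
"""

# Constructed stand-in for the answers the AD DC's DNS would give (no network).
FAKE_DNS = {
    'fs01.samdom.example.com': '192.0.2.10',
    'dc1.samdom.example.com': '192.0.2.1',
}


def parse_hosts(text):
    """Map each name in a hosts file to its address; the first entry for a
    name wins, which is how /etc/hosts is consulted."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for n in names:
            table.setdefault(n.lower(), ip)
    return table


def parse_nsswitch_hosts(text):
    """Return the ordered source list from the 'hosts:' line of nsswitch.conf,
    ignoring action tokens such as '[NOTFOUND=return]'."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.lower().startswith('hosts:'):
            return [t for t in line.split(':', 1)[1].split() if not t.startswith('[')]
    return ['files', 'dns']   # fallback this demo uses when no hosts: line exists


def resolve(name, order, hosts_text, dns=FAKE_DNS):
    """Ask each source in nsswitch order; return (address, source) from the
    first one that knows the name, or (None, None)."""
    sources = {
        'files': lambda n: parse_hosts(hosts_text).get(n.lower()),
        'dns': lambda n: dns.get(n.lower()),
    }
    for src in order:
        lookup = sources.get(src)
        if lookup is None:
            continue          # other sources (myhostname, mdns, ...) not modelled
        addr = lookup(name)
        if addr is not None:
            return addr, src
    return None, None


if __name__ == '__main__':
    default = parse_nsswitch_hosts('hosts: files dns')
    for label, hosts in (('bad hosts ', HOSTS_BAD), ('good hosts', HOSTS_GOOD)):
        print(label, 'files dns ->', resolve('fs01.samdom.example.com', default, hosts))
    print('bad hosts  dns files ->', resolve('fs01.samdom.example.com', ['dns', 'files'], HOSTS_BAD))
```

With `files dns` and the loopback entry present, the FQDN comes back as 127.0.0.1 from `files`; with only the loopback defaults in hosts, or with the order reversed to `dns files`, the same name comes from DNS. That is the practical reason the thread's advice was to keep hosts down to the loopback lines and let the DC's DNS answer for domain names.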