[Software]

Linux Kernel, Network, and Services configuration.
michaelf
Posts: 4
Joined: 2023-01-25 09:58
Been thanked: 1 time

[Software]

#1 Post by michaelf »

Hello!

After following the guide on this page - https://wiki.samba.org/index.php/Settin ... ain_Member - I have successfully added my Debian 11 server to my Windows 2022 domain.

The next stage should be the following article: https://wiki.samba.org/index.php/Settin ... ndows_ACLs
...but I had to stop at the first step:

"net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"" - this command as well as

"net rpc rights list" produces this error:

Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

I do see plenty of these errors on various forums but the only solution I've seen so far is to configure user mapping for a domain administrator's account which I had already done while following Setting_up_Samba_as_a_Domain_Member.

Would anyone please tell me what I can do in this situation (I hadn't had any issues with the tests from the Setting_up_Samba_as_a_Domain_Member page - all worked exactly as expected)?

There's one more thing here that I find strange: when issuing (for example) the "net rpc rights list" command, the OS asks me for the current user's password (testuser, for example), even when I'm working as root (by su) - what's the purpose of asking for the password of a non-privileged user if I'm currently root?

Thank you in advance,
Michael
Last edited by michaelf on 2023-01-25 13:00, edited 1 time in total.

kent_dorfman766
Posts: 529
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 56 times
Been thanked: 69 times

Re: [Software]

#2 Post by kent_dorfman766 »

So, to understand more clearly, are you a domain administrator on the windoze side? I "think" that is required for adding a machine to the domain...but then windows policies give me a headache. LUCK!

michaelf
Posts: 4
Joined: 2023-01-25 09:58
Been thanked: 1 time

Re: [Software]

#3 Post by michaelf »

Yes, of course, and the server was added to the domain without any issue.

michaelf
Posts: 4
Joined: 2023-01-25 09:58
Been thanked: 1 time

Re: [Software]

#4 Post by michaelf »

P.S. As far as I get it, the problem may stem from non-working mapping: when I issue the command (net rpc...) I see this in the log:
{"timestamp": "2023-01-25T13:42:46.036674+0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "85c260932f85c92a", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 19527", "clientDomain": "CONTOSO", "clientAccount": "entadmin", "workstation": "DEBIANG", "becameAccount": "entadmin", "becameDomain": "CONTOSO", "becameSid": "S-1-5-21-2019559196-2031714313-68946242-1103", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 2274}}
Although CONTOSO\entadmin does get authenticated (NT_STATUS_OK), the mapping does not work ("mappedAccount": null).

If I'm correct then it's rather strange because my mapping file contains the single line...

!root = CONTOSO\entadmin

... - exactly as in the article so I have no idea why it does not work :(

michaelf
Posts: 4
Joined: 2023-01-25 09:58
Been thanked: 1 time

Re: [Software]

#5 Post by michaelf »

I was wrong: that had nothing to do with mapping. The problem is solved by adding the following line to smb.conf:

min domain uid = 0

as described here:
https://askubuntu.com/questions/1419967 ... d-token%20!!!

The question that remains is why does Samba's WIKI article not mention this line if it can't operate properly without it (at least on some servers).

Regards,
Michael

CwF
Global Moderator
Posts: 2625
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 190 times

Re: [Software]

#6 Post by CwF »

michaelf wrote: 2023-01-25 14:40 The question that remains is why does Samba's WIKI article not mention this line if it can't operate properly without it (at least on some servers).
Because generally speaking root should not be allowed and not needed.
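
An added example, not part of any post in this thread and not Samba's own code: a small Python audit that reads an smb.conf and a username map and reports whether a domain account can end up mapped to uid 0, which is the combination posts #5 and #6 are about. The file contents and the map path are constructed samples modelled on the thread, and the default of 1000 for `min domain uid` is taken from the smb.conf documentation.

```python
import re

DEFAULT_MIN_DOMAIN_UID = 1000  # smb.conf default when the parameter is absent

# Constructed sample inputs modelled on the thread (not the poster's real files).
SMB_CONF = """\
[global]
    username map = /etc/samba/user.map
    min domain uid = 0
"""
USER_MAP = """\
# unix name = windows name(s)
!root = CONTOSO\\entadmin
"""

def global_params(conf_text):
    """[global] parameters; Samba ignores case and whitespace in parameter names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def accounts_mapped_to(unix_name, map_text):
    """Windows accounts that the username map translates to unix_name."""
    hits = []
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        left, right = line.split("=", 1)
        if left.strip().lstrip("!").strip() == unix_name:  # '!' = stop after match
            hits += re.findall(r'"[^"]+"|\S+', right)  # names may be quoted
    return [h.strip('"') for h in hits]

def audit(conf_text, map_text):
    """Report whether a domain account can be mapped to uid 0 on this member."""
    params = global_params(conf_text)
    min_uid = int(params.get("mindomainuid", DEFAULT_MIN_DOMAIN_UID))
    root_accounts = accounts_mapped_to("root", map_text)
    return {"min_domain_uid": min_uid, "root_mapped_accounts": root_accounts,
            "root_can_be_mapped": min_uid <= 0 and bool(root_accounts)}
```

Calling `audit(SMB_CONF, USER_MAP)` on the sample reports `CONTOSO\entadmin` as root-mapped with the floor lowered to 0; with the `min domain uid` line removed, the same map entry is reported as not effective.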

kent_dorfman766
Posts: 529
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 56 times
Been thanked: 69 times

Re: [Software]

#7 Post by kent_dorfman766 »

Because generally speaking root should not be allowed and not needed.

rolls eyes and sighs...
