McPhearson
Aug 4, 2007

Hot Damn!



Problem description: I'm following the Setting up a share using Windows ACLs guide, but when I reach the section "Granting the SeDiskOperatorPrivilege Privilege" I get:
code:
[root@SERVER ~]# net rpc rights grant 'domain\Domain Admins' SeDiskOperatorPrivilege -U'domain\administrator'
Enter domain\administrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 81 8D EE 34 E2 D5 68 7A   47 F3 DF 95 9C 57 E0 77   ...4..hz G....W.w
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED

My current smb.conf is:
code:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = domain
        netbios name = servername
        security = user
        username map = /etc/samba/user.map
        map to guest = Bad User
        log file = /var/log/samba/%m.log
        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

Attempted fixes:
  • Creating a user mapping file called user.map in /etc/samba with "!root: domain\Administrator domain\administrator" and adding "username map = /etc/samba/user.map" to smb.conf.
  • Adding the lines "bind interfaces only = yes" and "interfaces = lo eth0" to smb.conf.
  • Using different domain admin accounts on the -U flag
  • Specifying "bind interfaces only = no" in smb.conf

Recent changes: This is a freshly spun up VM of CentOS 7.

--

Operating system: CentOS 7 x64 with KDE.

System specs: VM in Hyper-V assigned 1 CPU, 4GB RAM, and 100GB storage.

Location: US

I have Googled and read the FAQ: Yes

zharmad
Feb 9, 2010

Are you setting this up as a standalone server, or have you joined an AD domain? Are you using the server as an AD DC, or are you trying to use this as an NT4 PDC?

McPhearson
Aug 4, 2007

Hot Damn!



This is a server joined to an AD domain. I can use getent to get users and groups from the DC, and I can log onto the server using domain credentials so I believe that part is working correctly.

zharmad
Feb 9, 2010

McPhearson posted:

This is a server joined to an AD domain. I can use getent to get users and groups from the DC, and I can log onto the server using domain credentials so I believe that part is working correctly.

You're not contacting a DC to authenticate for the rights grant; net rpc is trying to authenticate against the local system:

Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED


For the net command, try adding -w|--workgroup target-workgroup, which sets the target workgroup or domain. You have to specify either this option or the IP address or the name of a server.

You may have to add a realm=your.kerberos.REALM, security=ADS, and possibly password server = your.kerberos.server to specify what server to authenticate against in smb.conf.

McPhearson
Aug 4, 2007

Hot Damn!



zharmad posted:

You may have to add a realm=your.kerberos.REALM, security=ADS, and possibly password server = your.kerberos.server to specify what server to authenticate against in smb.conf.

This was it! Adding that gave me a different error message: Failed to grant privileges for DOMAIN\Domain Admins (NT_STATUS_ACCESS_DENIED)
That led me to some Googling, and apparently instead of net rpc rights grant, I should have been using net sam rights grant. Now I have Samba shares that can be managed with Windows ACLs! Thank you!
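
For reference, the [global] section from the first post with the change suggested in the thread applied. This is an added example, not the poster's actual file: EXAMPLE.COM and dc1.example.com are placeholders, and it assumes every other line was left as originally posted.

```ini
# Added example (not from the thread). EXAMPLE.COM and dc1.example.com
# are placeholders for the AD realm and a domain controller.
[global]
        workgroup = domain
        netbios name = servername
        # Was "security = user" in the first post, which makes Samba
        # authenticate against its local account database instead of AD.
        security = ADS
        realm = EXAMPLE.COM
        # Optional, per the reply above; only to pin a specific server.
        # password server = dc1.example.com
        username map = /etc/samba/user.map
        map to guest = Bad User
        log file = /var/log/samba/%m.log
        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

# With this in place, the command that worked in the thread is run
# locally as root (it edits the local SAM, so no -U is involved):
#   net sam rights grant 'domain\Domain Admins' SeDiskOperatorPrivilege
# The holders of the privilege can then be listed with:
#   net sam rights list SeDiskOperatorPrivilege
```

Running testparm after the edit, as the comment at the top of the original file suggests, confirms that the new security and realm lines parse before the grant is attempted.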
