
Thread: net rpc rights grant could not connect to server 127.0.0.1

  1. #1
    Join Date
    Oct 2014
    Location
    Brazil
    Posts
    88

    net rpc rights grant could not connect to server 127.0.0.1

    Hello All!
    How are you?

    I am configuring an AD DC and another machine as an AD member file server, both on Oracle VM, following the official Samba wiki.
    On the AD DC side everything seems OK and working.
    On the AD member file server side everything is going OK, except here:

    Setting up a Share Using Windows ACLs

    After this part and the command:
    Code:
    net rpc rights grant "MYDOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "MYDOMAIN\administrator"
    Enter MYDOMAIN\administrator's password:
    Could not connect to server 127.0.0.1
    Connection failed: NT_STATUS_CONNECTION_REFUSED
    I created the Unix Admins group in Windows RSAT, gave it a gidNumber (Unix attributes), and put it at Member Domain Admins and Administrator.

    I am talking with the Samba mailing list to try to solve it, but still nothing.

    I have restarted the configuration from zero many times.

    Does anyone have any idea, light, miracle? Help, please!

    Thank you so much!

    Douglas

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Re: net rpc rights grant could not connect to server 127.0.0.1

    I assume the link you posted are the SAMBA Wiki instructions you are following and not anything else.

    For starters...
    I recommend you test your network interface, not your localhost interface.
    The two interfaces are completely separate and rules can be applied to one and not the other so if your objective is to serve remote machines you should be doing all your setup and testing on your network interface.

    Without your smb.conf, can't know what you actually set up.

    You might also want to take a look at the official LEAP documentation regarding SAMBA, it shouldn't be very different than what you've already done but the LEAP documentation will be specific to how openSUSE sets things up.

    https://doc.opensuse.org/documentati...cha-samba.html

    Note that there are YaST modules you can install to assist setting up AD (although you say you've been able to set that up) and configuring network shares which can make those tasks easy to set up and manage.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
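
Added example, not part of any post in this thread: NT_STATUS_CONNECTION_REFUSED from 127.0.0.1 means nothing accepted the TCP connection on loopback, and the loopback versus network interface distinction raised in the reply above can be checked from the listening sockets. The sketch classifies `ss -H -ltn` output for port 445; the sample lines and the 10.1.1.22 address are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify where a TCP listener is bound, reading
# `ss -H -ltn` output on stdin. Prints: none | loopback | network | both.
smb_listen_scope() {
    awk -v port="${1:-445}" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") lo = 1
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") { lo = 1; net = 1 }
            else net = 1
        }
        END {
            if (lo && net) print "both"
            else if (lo)   print "loopback"
            else if (net)  print "network"
            else           print "none"
        }'
}

# Translate the scope into what it means for a refused connection to 127.0.0.1.
diagnose() {
    case "$(smb_listen_scope "$@")" in
        none)     echo "nothing listens: start smbd before running net rpc" ;;
        network)  echo "bound to the LAN address only: 127.0.0.1 is refused" ;;
        loopback) echo "loopback only: local tools work, remote clients cannot connect" ;;
        both)     echo "listener present on both: check firewall and credentials next" ;;
    esac
}

# Constructed samples (addresses are made up, not from the poster's hosts).
SAMPLE_NO_SMBD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_LAN_ONLY='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 10.1.1.22:445 0.0.0.0:*
LISTEN 0 50 10.1.1.22:139 0.0.0.0:*'
SAMPLE_LO_AND_LAN='LISTEN 0 50 127.0.0.1:445 0.0.0.0:*
LISTEN 0 50 10.1.1.22:445 0.0.0.0:*'

# Live use on the file server:  ss -H -ltn | diagnose
printf '%s\n' "$SAMPLE_LAN_ONLY" | diagnose
```

A "network" result is what `bind interfaces only = Yes` produces when `lo` is missing from `interfaces`; a "none" result means the SMB daemon is not running on that host at all.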

  3. #3
    Join Date
    Oct 2014
    Location
    Brazil
    Posts
    88

    Re: net rpc rights grant could not connect to server 127.0.0.1

    Quote Originally Posted by tsu2 View Post
    I assume the link you posted are the SAMBA Wiki instructions you are following and not anything else.

    For starters...
    I recommend you test your network interface, not your localhost interface.
    The two interfaces are completely separate and rules can be applied to one and not the other so if your objective is to serve remote machines you should be doing all your setup and testing on your network interface.

    Without your smb.conf, can't know what you actually set up.

    You might also want to take a look at the official LEAP documentation regarding SAMBA, it shouldn't be very different than what you've already done but the LEAP documentation will be specific to how openSUSE sets things up.

    https://doc.opensuse.org/documentati...cha-samba.html

    Note that there are YaST modules you can install to assist setting up AD (although you say you've been able to set that up) and configuring network shares which can make those tasks easy to set up and manage.

    HTH,
    TSU

    Hello!

    Here is my smb.conf from AD-DC
    only to say that the package from ad-dc side is from here


    Code:
    [global]
        bind interfaces only = Yes
        dns forwarder = 200.X.X.X 10.1.1.21
        interfaces = lo eth0
        netbios name = DCLINUX
        realm = AD.MYDOMAIN.BR
        server role = active directory domain controller
        workgroup = MYDOMAIN
        idmap_ldb:use rfc2307 = yes
    
    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No
    
    [netlogon]
        path = /var/lib/samba/sysvol/ad.prefprude.br/scripts
        read only = No
    samba-ad-dc service running

    Code:
    
    ● samba-ad-dc.service - Samba Active Directory Domain Controller
       Loaded: loaded (/usr/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
       Active: active (running) since Sat 2020-07-18 16:38:58 -03; 50min ago
     Main PID: 1745 (samba)
        Tasks: 55
       CGroup: /system.slice/samba-ad-dc.service
               ├─1745 /usr/sbin/samba -D
               ├─1829 /usr/sbin/samba -D
               ├─1830 /usr/sbin/samba -D
               ├─1831 /usr/sbin/samba -D
               ├─1832 /usr/sbin/samba -D
               ├─1833 /usr/sbin/samba -D
               ├─1834 /usr/sbin/samba -D
               ├─1835 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
               ├─1836 /usr/sbin/samba -D
               ├─1837 /usr/sbin/samba -D
               ├─1838 /usr/sbin/samba -D
               ├─1839 /usr/sbin/samba -D
               ├─1840 /usr/sbin/samba -D
               ├─1841 /usr/sbin/samba -D
               ├─1842 /usr/sbin/samba -D
               ├─1843 /usr/sbin/samba -D
               ├─1844 /usr/sbin/samba -D
               ├─1845 /usr/sbin/samba -D
               ├─1846 /usr/sbin/samba -D
               ├─1847 /usr/sbin/samba -D
               ├─1848 /usr/sbin/samba -D
               ├─1849 /usr/sbin/samba -D
               ├─1850 /usr/sbin/samba -D
               ├─1851 /usr/sbin/samba -D
               ├─1852 /usr/sbin/samba -D
                ├─1853 /usr/sbin/samba -D
               ├─1854 /usr/sbin/samba -D
               ├─1855 /usr/sbin/samba -D
               ├─1856 /usr/sbin/samba -D
               ├─1857 /usr/lib/mit/sbin/krb5kdc -n
               ├─1858 /usr/sbin/samba -D
               ├─1859 /usr/sbin/samba -D
               ├─1860 /usr/sbin/samba -D
               ├─1861 /usr/sbin/samba -D
               ├─1862 /usr/sbin/samba -D
               ├─1863 /usr/sbin/samba -D
               ├─1864 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
               ├─1865 /usr/sbin/samba -D
               ├─1866 /usr/sbin/samba -D
               ├─1867 /usr/sbin/samba -D
               ├─1868 /usr/sbin/samba -D
               ├─1916 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
               ├─1917 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
               ├─1918 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
               ├─1944 /usr/sbin/samba -D
               ├─1945 /usr/sbin/samba -D
               ├─1946 /usr/sbin/samba -D
               ├─1947 /usr/sbin/samba -D
               ├─1948 /usr/sbin/samba -D
               ├─1949 /usr/sbin/samba -D
               ├─1950 /usr/sbin/samba -D
               ├─1951 /usr/sbin/samba -D
               ├─1983 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
               ├─1984 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
               └─2013 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
    Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.425897,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
    Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
    Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.427093,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
    Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 56, in <module>
    Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.427834,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
    Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate:     import dns.resolver
    Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.428442,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
    Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate: ModuleNotFoundError: No module named 'dns'
    Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.445924,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_do>
    Jul 18 17:28:59 dclinux samba[1866]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 1
    lines 42-72/72 (END)

    Firewall TCP and UDP ports open: (ports from samba-ad-dc)

    Code:
    firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: ssh dhcpv6-client ntp
      ports: 135/tcp 88/tcp 139/tcp 445/tcp 464/tcp 636/tcp 3268/tcp 3269/tcp 49152-65535/tcp 53/tcp 389/tcp 135/udp 88/udp 139/udp 445/udp 123/udp 137/udp 138/udp 464/udp 53/udp 389/udp 636/udp 3268/udp 3269/udp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:

    IP ad - AD-DC

    Code:
    ip ad
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 08:00:27:93:d2:51 brd ff:ff:ff:ff:ff:ff
        inet 10.1.1.21/24 brd 10.1.1.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::a00:27ff:fe93:d251/64 scope link 
           valid_lft forever preferred_lft forever


    Now my smb.conf from AD Member domain file server


    Code:
    testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    
    Press enter to see a dump of your service definitions
    
    # Global parameters
    [global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log file = /var/log/samba/%m.log
        realm = AD.MYDOMAIN.BR
        security = ADS
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /etc/samba/map/user.map
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = MYDOMAIN
        idmap config mydomain:unix_primary_group = yes
        idmap config mydomain:unix_nss_info = yes
        idmap config mydomain:range = 10000-999999
        idmap config mydomain:schema_mode = rfc2307
        idmap config mydomain:backend = ad
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr

    Joined to AD-DC

    Code:
    net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- MYDOMAIN
    Joined 'ADFILE' to dns domain 'ad.mydomain.br'

    Firewall from AD Member

    Code:
    firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: ssh dhcpv6-client
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    And still

    Code:
    net rpc rights grant "MYDOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "MYDOMAIN\administrator"
    Enter MYDOMAIN\administrator's password:
    Could not connect to server 127.0.0.1
    Connection failed: NT_STATUS_CONNECTION_REFUSED

    Thanks for the attention and help

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Re: net rpc rights grant could not connect to server 127.0.0.1

    It's been awhile since I've set up a Linux DC,
    But IIRC after joining to an AD Domain,
    You should open up the AD tools (Windows) (likely AD Administrative Center) running from another machine in the Domain and verify the new DC shows up and its objects display without a problem.

    A hint about your problem is that your credentials are refused.
    That suggests that input to your logon service (or whatever it's called exactly) was accepted and then was actively denied.
    If I were to guess...
    Since your SAMBA has been granted the role of a DC, the credentials lookup was to a location on the local machine which might fail if you haven't replicated the Domain Users to this machine yet.

    You might try removing the DC role (or re-building, whichever is easier) and trying to logon using Domain credentials which would force a lookup from a remote DC. If that works, then add the DC role and force replication. Keep in mind AFAIK there has always been a corner scenario defect in SAMBA 4 regarding DC replication (I'd have to look up the details to refresh what the problem is) but IIRC it is a rare problem in Domains with only a few DC.

    TSU

  5. #5
    Join Date
    Oct 2014
    Location
    Brazil
    Posts
    88

    Re: net rpc rights grant could not connect to server 127.0.0.1

    Quote Originally Posted by tsu2 View Post
    It's been awhile since I've set up a Linux DC,
    But IIRC after joining to an AD Domain,
    You should open up the AD tools (Windows) (likely AD Administrative Center) running from another machine in the Domain and verify the new DC shows up and its objects display without a problem.

    A hint about your problem is that your credentials are refused.
    That suggests that input to your logon service (or whatever it's called exactly) was accepted and then was actively denied.
    If I were to guess...
    Since your SAMBA has been granted the role of a DC, the credentials lookup was to a location on the local machine which might fail if you haven't replicated the Domain Users to this machine yet.

    You might try removing the DC role (or re-building, whichever is easier) and trying to logon using Domain credentials which would force a lookup from a remote DC. If that works, then add the DC role and force replication. Keep in mind AFAIK there has always been a corner scenario defect in SAMBA 4 regarding DC replication (I'd have to look up the details to refresh what the problem is) but IIRC it is a rare problem in Domains with only a few DC.

    TSU
    Hello!
    How are you?

    Some information about our network:
    We have pfSense - WAN static IP (200.x.x.x) - LAN static IP (10.x.x.x)
    The network has no DHCP.

    I believe there is no problem seeing some objects. The problem is managing the other PC (AD member file server), which does not connect and show the share to manage the object.

    I created a user and a group in Windows RSAT.
    Here is the group

    and the getent result:
    getent group "PREFPRUDE\\Unix Admins"
    unix admins:x:10002:


    And here is the user: tattu, also from RSAT
    and the getent result:
    getent passwd PREFPRUDE\\tatu
    tatu:*:10003:10003::/home/tatu:/bin/bash


    For now I am stuck here and searching for a solution!

    Thank you for your attention and help
