net rpc rights grant could not connect to server 127.0.0.1

Hello All!
How are you?

I am configuring an AD DC and another machine as an AD member file server, both on Oracle VM, following the official Samba wiki.
On the AD DC side everything seems OK and working.
On the AD member file server side everything goes OK, except here:

Setting up a Share Using Windows ACLs
After this part, when I run the command:


net rpc rights grant "MYDOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "MYDOMAIN\administrator"
Enter MYDOMAIN\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

I created the Unix Admins group in Windows RSAT, gave it a gidNumber (Unix attributes), and put it under Members with Domain Admins and Administrator.

I am talking with the Samba mailing list to try to solve it, but still nothing.

I have started the configuration from zero many times.

Does anyone have any idea, light, miracle? Help, please!

Thank you so much!

Douglas

I assume the link you posted is the SAMBA Wiki instructions you are following and not anything else.

For starters…
I recommend you test your network interface, not your localhost interface.
The two interfaces are completely separate and rules can be applied to one and not the other so if your objective is to serve remote machines you should be doing all your setup and testing on your network interface.

Without your smb.conf, I can’t know what you actually set up.

You might also want to take a look at the official LEAP documentation regarding SAMBA; it shouldn’t be very different from what you’ve already done, but the LEAP documentation will be specific to how openSUSE sets things up.

https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha-samba.html

Note that there are YaST modules you can install to assist setting up AD (although you say you’ve been able to set that up) and configuring network shares which can make those tasks easy to set up and manage.

HTH,
TSU

Hello!

Here is my smb.conf from the AD DC.
Only to say that the package on the AD DC side is from here


[global]
    bind interfaces only = Yes
    dns forwarder = 200.X.X.X 10.1.1.21
    interfaces = lo eth0
    netbios name = DCLINUX
    realm = AD.MYDOMAIN.BR
    server role = active directory domain controller
    workgroup = MYDOMAIN
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/ad.prefprude.br/scripts
    read only = No

samba-ad-dc service running




● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/usr/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-07-18 16:38:58 -03; 50min ago
 Main PID: 1745 (samba)
    Tasks: 55
   CGroup: /system.slice/samba-ad-dc.service
           ├─1745 /usr/sbin/samba -D
           ├─1829 /usr/sbin/samba -D
           ├─1830 /usr/sbin/samba -D
           ├─1831 /usr/sbin/samba -D
           ├─1832 /usr/sbin/samba -D
           ├─1833 /usr/sbin/samba -D
           ├─1834 /usr/sbin/samba -D
           ├─1835 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1836 /usr/sbin/samba -D
           ├─1837 /usr/sbin/samba -D
           ├─1838 /usr/sbin/samba -D
           ├─1839 /usr/sbin/samba -D
           ├─1840 /usr/sbin/samba -D
           ├─1841 /usr/sbin/samba -D
           ├─1842 /usr/sbin/samba -D
           ├─1843 /usr/sbin/samba -D
           ├─1844 /usr/sbin/samba -D
           ├─1845 /usr/sbin/samba -D
           ├─1846 /usr/sbin/samba -D
           ├─1847 /usr/sbin/samba -D
           ├─1848 /usr/sbin/samba -D
           ├─1849 /usr/sbin/samba -D
           ├─1850 /usr/sbin/samba -D
           ├─1851 /usr/sbin/samba -D
           ├─1852 /usr/sbin/samba -D
           ├─1853 /usr/sbin/samba -D
           ├─1854 /usr/sbin/samba -D
           ├─1855 /usr/sbin/samba -D
           ├─1856 /usr/sbin/samba -D
           ├─1857 /usr/lib/mit/sbin/krb5kdc -n
           ├─1858 /usr/sbin/samba -D
           ├─1859 /usr/sbin/samba -D
           ├─1860 /usr/sbin/samba -D
           ├─1861 /usr/sbin/samba -D
           ├─1862 /usr/sbin/samba -D
           ├─1863 /usr/sbin/samba -D
           ├─1864 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1865 /usr/sbin/samba -D
           ├─1866 /usr/sbin/samba -D
           ├─1867 /usr/sbin/samba -D
           ├─1868 /usr/sbin/samba -D
           ├─1916 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1917 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1918 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1944 /usr/sbin/samba -D
           ├─1945 /usr/sbin/samba -D
           ├─1946 /usr/sbin/samba -D
           ├─1947 /usr/sbin/samba -D
           ├─1948 /usr/sbin/samba -D
           ├─1949 /usr/sbin/samba -D
           ├─1950 /usr/sbin/samba -D
           ├─1951 /usr/sbin/samba -D
           ├─1983 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1984 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─2013 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.425897,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.427093,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 56, in <module>
Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.427834,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate:     import dns.resolver
Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.428442,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
Jul 18 17:28:59 dclinux samba[1866]:   /usr/sbin/samba_dnsupdate: ModuleNotFoundError: No module named 'dns'
Jul 18 17:28:59 dclinux samba[1866]: [2020/07/18 17:28:59.445924,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_do>
Jul 18 17:28:59 dclinux samba[1866]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 1


Firewall TCP and UDP ports open (the ports for samba-ad-dc):



firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client ntp
  ports: 135/tcp 88/tcp 139/tcp 445/tcp 464/tcp 636/tcp 3268/tcp 3269/tcp 49152-65535/tcp 53/tcp 389/tcp 135/udp 88/udp 139/udp 445/udp 123/udp 137/udp 138/udp 464/udp 53/udp 389/udp 636/udp 3268/udp 3269/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


ip ad on the AD DC


ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:93:d2:51 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.21/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe93:d251/64 scope link 
       valid_lft forever preferred_lft forever


Now my smb.conf from the AD member domain file server



testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    log file = /var/log/samba/%m.log
    realm = AD.MYDOMAIN.BR
    security = ADS
    template homedir = /home/%U
    template shell = /bin/bash
    username map = /etc/samba/map/user.map
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MYDOMAIN
    idmap config mydomain:unix_primary_group = yes
    idmap config mydomain:unix_nss_info = yes
    idmap config mydomain:range = 10000-999999
    idmap config mydomain:schema_mode = rfc2307
    idmap config mydomain:backend = ad
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    map acl inherit = Yes
    vfs objects = acl_xattr

Joined to the AD DC


net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'ADFILE' to dns domain 'ad.mydomain.br'


Firewall on the AD member


firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


And still:



net rpc rights grant "MYDOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "MYDOMAIN\administrator"
Enter MYDOMAIN\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

Thanks for your attention and help
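Two checks worth running on the AD member before repeating the grant, as an added example that is not code from this thread or from Samba: NT_STATUS_CONNECTION_REFUSED on 127.0.0.1 means no process accepted the TCP connection on port 445, so the first helper reads `ss -Hltn` output and confirms smbd is bound where loopback can reach it (a socket bound only to the eth0 address is the edge case it flags), and the second reads `firewall-cmd --list-all` output and lists the SMB ports the member's zone does not open, since the zone shown above opens none. The sample outputs in the block are constructed stand-ins for the live commands; the IP 10.1.1.22 is an assumed member address.

```shell
#!/bin/sh
# Added diagnostic helpers, not from the thread. NT_STATUS_CONNECTION_REFUSED on
# 127.0.0.1 means nothing accepted the connection on port 445: check that smbd
# listens where loopback can reach it, then that the firewall admits LAN clients.

# port_listening PORT: reads `ss -Hltn` on stdin; succeeds only if PORT is bound to
# loopback or all addresses (bound to the eth0 IP alone, 127.0.0.1 is still refused).
port_listening() {
    awk -v p="$1" '
        { a = $4; n = split(a, f, ":"); port = f[n]      # Local Address:Port
          host = substr(a, 1, length(a) - length(port) - 1)
          if (port == p && (host == "127.0.0.1" || host == "0.0.0.0" ||
                            host == "*" || host == "[::]" || host == "[::1]"))
              ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# fw_missing "PORT/PROTO ...": reads `firewall-cmd --list-all` output on stdin
# and prints each required entry not covered by an open port or port range.
fw_missing() {
    awk -v req="$1" '
        function lo(s) { sub(/-.*/, "", s); return s + 0 }
        function hi(s) { if (s ~ /-/) sub(/.*-/, "", s); return s + 0 }
        $1 == "ports:" { for (i = 2; i <= NF; i++) open[n++] = $i }
        END {
            m = split(req, want, " ")
            for (j = 1; j <= m; j++) {
                split(want[j], w, "/"); covered = 0
                for (k = 0; k < n; k++) {
                    split(open[k], o, "/")
                    if (o[2] == w[2] && lo(o[1]) <= lo(w[1]) && hi(o[1]) >= hi(w[1]))
                        covered = 1
                }
                if (!covered) print want[j]
            }
        }'
}

# Constructed samples standing in for live output of ss and firewall-cmd.
SMB_PORTS='445/tcp 139/tcp 137/udp 138/udp'   # what SMB clients on the LAN need
SS_SMBD_UP='LISTEN 0 50 0.0.0.0:445 0.0.0.0:*'
SS_SMBD_ETH0_ONLY='LISTEN 0 50 10.1.1.22:445 0.0.0.0:*'   # assumed member IP
SS_SMBD_DOWN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
FW_MEMBER='public (active)
  ports: '
FW_DC='public (active)
  ports: 135/tcp 88/tcp 139/tcp 445/tcp 49152-65535/tcp 53/udp 137/udp 138/udp'
printf '%s\n' "$SS_SMBD_DOWN" | port_listening 445 ||
    echo "no smbd on 127.0.0.1:445: start smbd before running net rpc rights grant"
printf '%s\n' "$FW_MEMBER" | fw_missing "$SMB_PORTS" | sed 's/^/member firewall lacks: /'
```

On a live host, replace the samples with `ss -Hltn | port_listening 445` and `firewall-cmd --list-all | fw_missing "$SMB_PORTS"`.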

It’s been a while since I’ve set up a Linux DC,
but IIRC after joining to an AD Domain,
you should open up the AD tools (Windows) (likely AD Administrative Center) running from another machine in the Domain and verify the new DC shows up and its objects display without a problem.

A hint about your problem is that your credentials are refused.
That suggests that input to your logon service (or whatever it’s called exactly) was accepted and then was actively denied.
If I were to guess…
Since your SAMBA has been granted the role of a DC, the credentials lookup was to a location on the local machine which might fail if you haven’t replicated the Domain Users to this machine yet.

You might try removing the DC role (or re-building, whichever is easier) and trying to logon using Domain credentials which would force a lookup from a remote DC. If that works, then add the DC role and force replication. Keep in mind AFAIK there has always been a corner scenario defect in SAMBA 4 regarding DC replication (I’d have to look up the details to refresh what the problem is) but IIRC it is a rare problem in Domains with only a few DC.

TSU

Hello!
How are you?

Some information about our network here:
We have pfSense - WAN static IP (200.x.x.x) - LAN static IP (10.x.x.x)
No DHCP on the network

I believe there is no problem seeing the objects. The problem is managing the other PC (the AD member file server), which does not connect and show the share so I can manage the object.

I created a user and a group in Windows RSAT.
Here is the group

and the getent result:
getent group "PREFPRUDE\Unix Admins"
unix admins:x:10002:

And here the user: tatu, also from RSAT
and the getent result
getent passwd PREFPRUDE\ atu
tatu:*:10003:10003::/home/tatu:/bin/bash

Until now I am stopped here and searching for some solution!

Thank you for your attention and help