samba pdc setup fails on net rpc rights grant

Bug #591272 reported by Klaus Hartnegg
This bug affects 3 people
Affects: ubuntu-docs (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Adam Sommer

Bug Description

Binary package hint: ubuntu-docs

The server guide says that setting up samba as pdc requires the command

net rpc rights grant "EXAMPLE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

but this doesn't work if done exactly like documented, because:

1: This command can not be issued before restarting samba, because at this time the domain does not yet exist.

2: One must use the -U option to specify a userid, otherwise it will prompt for the password of root, which does not exist.

3: Before issuing this command, one must do 'smbpasswd -a' for the userid to be used. I thought that libpam-smbpass would take care of this and make the linux passwords available to samba, but that doesn't seem to work.

4: This command is another example of a truncation in the pdf variant of the manual, as I already wrote in another bug report (590519).

Tags: serverguide
Klaus Hartnegg (hartnegg) wrote :

Hi,

These changes would fix this bug:

The command "net rpc rights grant ..." and the sentence before it should be moved from step 3 to step 7 (offtopic note: I think that the note "if you wish to not use roaming profiles ..." should be moved up within step 3).

The option -U must be inserted (e.g. net -U user rpc rights grant ...) with "user" replaced with a username with sufficient rights (and a samba password already set).

Step 1 should note that libpam-smbpass will transfer a unix password to samba only when that user logs in to linux the first time (at least that's the info that I found somewhere). If your users don't log in to linux, only to samba, then you must set the samba passwords manually with smbpasswd -a. This includes the user specified in the command "net user rpc rights grant" and the user used to join client machines into the domain.

The note in step 7 should include a reminder to make sure that the user has a samba password, either by logging in to linux once or by entering it with smbpasswd -a.

best regards,
Klaus
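
The ordering proposed in this comment (Samba restarted first, a Samba password set for the account, then the grant with -U), as an added example that is not part of the bug report or the Server Guide. The function names, the use of pgrep to detect smbd, and the sample account listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight for the corrected step order described above.
# Function names and SAMPLE_PASSDB are hypothetical, not from the guide.

# Succeeds if USER appears in `pdbedit -L` output read from stdin.
# pdbedit -L prints one account per line as  username:uid:full name
has_samba_account() {
    awk -F: -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Prints which precondition from the report is unmet, or "ok".
# $1 = admin user, $2 = "yes" if smbd is running, stdin = pdbedit -L output
preflight() {
    if [ "$2" != "yes" ]; then
        cat >/dev/null            # drain stdin so the writer is not cut off
        echo "restart-samba-first"; return 1
    fi
    if ! has_samba_account "$1"; then
        echo "run-smbpasswd-a"; return 1
    fi
    echo "ok"
}

# Runs the grant only when preflight passes (pdbedit typically needs root).
# $1 = account with a Samba password, $2 = domain name from smb.conf
grant_domain_admin_rights() {
    admin_user=$1 domain=$2
    running=no
    pgrep -x smbd >/dev/null 2>&1 && running=yes
    state=$(pdbedit -L 2>/dev/null | preflight "$admin_user" "$running") || {
        echo "not ready: $state" >&2; return 1
    }
    net -U "$admin_user" rpc rights grant "$domain\\Domain Admins" \
        SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \
        SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
}

# Constructed sample of `pdbedit -L` output, for trying preflight offline.
SAMPLE_PASSDB='alice:1000:Alice Example
nobody:65534:nobody'
```

Nothing runs on sourcing; call grant_domain_admin_rights with the account and domain name once smbd has been restarted.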

description: updated
Matthew East (mdke)
tags: added: serverguide
Adam Sommer (asommer) wrote :

Thanks Klaus for reporting this bug, and helping make Ubuntu better. I've adjusted the ordering as you've suggested, and added a note about using the smbpasswd utility in revision 552.

Thanks again for your feedback.

Changed in ubuntu-docs (Ubuntu):
assignee: nobody → Adam Sommer (asommer)
status: New → Fix Committed
Michael McHugh (mjmchugh120) wrote :

I experienced the problem described here.

I am trying to set up a Samba file server as the Primary Domain Controller in my little 5 Windows PC network. I don't really want to set up any kind of a Windows Domain Controller. I just need the Windows clients to be able to access the file shares on the Ubuntu 10.10 file server, fairly transparently. I want them to be able to browse for the share, and I want them to be able to change their passwords from their Windows desktops when they log in as part of the domain. I only want them to change their password once. They won't be logging in to the Linux server, at all. I don't want them to have to manually keep their passwords on Windows and on Linux synced up. That is why I am trying to set up the Linux Samba File Server as the Domain Controller. Then I will have the Windows users log in to that domain when they log in, not the local PC. Then they can browse for the file shares, and maybe even printers, without having to know anything about accounts on Linux.

I have tried what you described above and I still get an error message. A copy of my session is below.

mjmchugh@HPSERVER:/$ sudo smbpasswd -a mjmchugh
[sudo] password for mjmchugh:
New SMB password:
Retype new SMB password:
mjmchugh@HPSERVER:/$ net -U mjmchugh rpc rights grant "EXAMPLE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Enter mjmchugh's password:
Failed to grant privileges for EXAMPLE\Domain Admins (NT_STATUS_NO_SUCH_USER)
mjmchugh@HPSERVER:/$ net -U mjmchugh rpc rights grant "STEPHENDBROWN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Enter mjmchugh's password:
Failed to grant privileges for STEPHENDBROWN\Domain Admins (NT_STATUS_NO_SUCH_USER)
mjmchugh@HPSERVER:/$ sudo net -U mjmchugh rpc rights grant "STEPHENDBROWN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Enter mjmchugh's password:
Failed to grant privileges for STEPHENDBROWN\Domain Admins (NT_STATUS_NO_SUCH_USER)
mjmchugh@HPSERVER:/$ sudo restart smbd
smbd start/running, process 2867
mjmchugh@HPSERVER:/$ sudo restart nmbd
nmbd start/running, process 2876
mjmchugh@HPSERVER:/$ sudo net -U mjmchugh rpc rights grant "STEPHENDBROWN\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Enter mjmchugh's password:
Failed to grant privileges for STEPHENDBROWN\Domain Admins (NT_STATUS_NO_SUCH_USER)
mjmchugh@HPSERVER:/$

1. Do I run this "net . . . " command as root via sudo, or as the user mjmchugh? I have tried it both ways.

2. Is there a way that I can list all the smb users so I can verify that I have added the mjmchugh user to the Samba domain?

I would really appreciate any guidance you can offer about what I am doing wrong here. It seems like this is a very important step and I am not going to get this to work without it.

Thank you in advance for your help.
--Mike

Connor Imes (ckimes) wrote :

This is fixed in Natty.

Changed in ubuntu-docs (Ubuntu):
status: Fix Committed → Fix Released
Trond-trondhuso (trond-trondhuso) wrote :

I am glad that the information has been updated in the revision, but - the ordering is still present in the 10.04 documentation for Samba Domain Controller.

Trond-trondhuso (trond-trondhuso) wrote :

I was then referring to the online documentation on ubuntu, not the tar.gz where this issue might have been fixed. (I had to add this comment as I could not edit my first one)
