pfsense can block samba net ad permittion (net rpc grant)

pap1984

Hello

We have ad-dc and ad member file server on oracle vm the both machine. We have pfsense for a long time in our scenario.

When need right grant privilege (net rpc right grant command)
and give me error:

Could not connect to server 127.0.0.1

I follow the official samba wiki for many times and I do not know what to do more.

Please, someone Any Ideia?

Thanks all

johnpoz

@pap1984 said in pfsense can block samba net ad permittion (net rpc grant):

Could not connect to server 127.0.0.1

That is loopback error - where ever your seeing that error, its trying to connect to itself

doguibnu

@johnpoz said in pfsense can block samba net ad permittion (net rpc grant):

@pap1984 said in pfsense can block samba net ad permittion (net rpc grant):

Could not connect to server 127.0.0.1

That is loopback error - where ever your seeing that error, its trying to connect to itself

Hello!

I understand that its trying to connect to itself.
But, Can be a wrong configure in PFsense?

In my scenario we have pfsense with no dhcp for internal network:

1 NIC - Wan static Public IP
2 NIC - Lan (10.x.x.x/24)
No dhcp

The both machines AD-DC and AD member file server are on VM - Bridge mode!

AD-DC - 10.1.1.21
AD Member - 10.1.1.16

So, I did follow official samba wiki to make work, but in AD member side for grant rights command:

net rpc rights grant "MYDOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "MYDOMAIN\administrator"
Enter MYDOMAIN\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

For weeks trying to solve this but, nothing!

Thank you for attention

johnpoz

@doguibnu said in pfsense can block samba net ad permittion (net rpc grant):

AD-DC - 10.1.1.21
AD Member - 10.1.1.16

Pfsense has nothing to do with any conversations those machines would have with each other.. None..

Pfsense is a router, the only time a device would send it traffic would be to get off the network, talking to a device on your own network has nothing to do with pfsense.

And it sure having anything with a machine trying to talk to itself, 127.0.0.1

Could not connect to server 127.0.0.1

The only way those 2 ips you listed could be on different networks is if you were using /30 or /31 mask.. But you state both those machines on your lan.. With a /24 mask... And again the error your seeing is the trying to talk to itself anyway.

Not sure what your issue is your seeing, but pfsense has nothing to do with it.

doguibnu

Hello @johnpoz

Right Friend! Thanks to clarify. I just only searching something to solve the problem and AD-DC and AD-Member work fine.

Thank you so much

@johnpoz said in pfsense can block samba net ad permittion (net rpc grant):

Pfsense has nothing to do with any conversations those machines would have with each other.. None..
Pfsense is a router, the only time a device would send it traffic would be to get off the network, talking to a device on your own network has nothing to do with pfsense.
And it sure having anything with a machine trying to talk to itself, 127.0.0.1

johnpoz

If I had to guess, have you tried changing the \ to /, pretty sure in linux the slash would be forward vs reverse (backwards)..

doguibnu

Hello @johnpoz

I think that I can not change \ to / because I follow the official samba wiki command. And the command is from Linux plataform

Thanks help and attention

johnpoz

What do you mean you can not change its as simple as testing it..

I have no idea what your trying to do but.. But its common knowledge that \ vs / in domain and user is a problem..

doguibnu

I am trying to post the command here since last week for you see what I need to do but, I do not know why, pfsense forum does not permit its tell me is "spam"

stephenw10

Try putting it in a code box. If that still fails try putting in pastebin (or similar) and linking to it.

johnpoz

For me to test this, would have to fire up linux AD via samba.. Which I guess could do - but this really has nothing to do with pfsense at all.. And you would prob get better support on samba forums for what your trying to do.

doguibnu

Hello @stephenw10 and @johnpoz

I am sorry to late
Here is the [pastebin]command.:
pfsense does not permit that I post the link, still tell me that I flagged as spam......

I made 2 machines again from zero and not works. All steps gone ok. If this step not work, I am unable to do the AD works well.

I am talking to samba group email list, but nothing stay clear to fix this.

Thank you

doguibnu

Above I think it lets post Image!

doguibnu

@doguibnu said in pfsense can block samba net ad permittion (net rpc grant):

Hello @stephenw10 and @johnpoz

I am sorry to late
Here is the
pfsense does not permit that I post the link, still tell me that I flagged as spam......

I made 2 machines again from zero and not works. All steps gone ok. If this step not work, I am unable to do the AD works well.

I am talking to samba group email list, but nothing stay clear to fix this.

Thank you

johnpoz

Going to say this one last time.. This has ZERO to do with pfsense - ZERO!! This as to do with your machine.. Your talking to the localhost machine.. Your not running this command on pfsense.. So how does it have anything to do with pfsense.. It an issue with the machine itself (127.0.01), not pfsense, not the network..

I would will try and fire up a linux machine to simulate what your doing.. But again this has nothing to do with the network or pfsense..

johnpoz

Please describe exactly what you doing, what version of linux? I can try and duplicate your issue.

Your just setting up a domain with samba? What version of samba?

doguibnu

@johnpoz said in pfsense can block samba net ad permittion (net rpc grant):

Going to say this one last time.. This has ZERO to do with pfsense - ZERO!! This as to do with your machine.. Your talking to the localhost machine.. Your not running this command on pfsense.. So how does it have anything to do with pfsense.. It an issue with the machine itself (127.0.01), not pfsense, not the network..

I would will try and fire up a linux machine to simulate what your doing.. But again this has nothing to do with the network or pfsense..

@johnpoz Ok!

Thank you so much and sorry!

johnpoz

Looks like your just trying to give a user some privilege

You have a usermap setup right?

/etc/samba/user.map

This looks like exactly what your running into
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

doguibnu

@johnpoz said in pfsense can block samba net ad permittion (net rpc grant):

Please describe exactly what you doing, what version of linux? I can try and duplicate your issue.

Your just setting up a domain with samba? What version of samba?

My steps:

A server with Oracle VM 6.1
2 machines created on Oracle VM

Machine one: Opensuse 15.2 as AD-DC - samba-ad-dc installed well, running ok, all samba-ad-dc ports open in public on opensuse firewalld. NTP server ok. All steps from official samba wiki for Domain controller checked.

Machine two: Opensuse 15.2 as Domain Member and file server. Again, all steps from official samba wiki to do Domain Member and File server checked. So in other Windows 10 VM on the same server by RSAT I created Unix Admins Group - GID - add to Domain Admins Member.
BUT, when I try to do the command: net rpc grant - Privileges....... because if commad works without error I can work in windows RSAT side and can connect, make share folders and etc....BUT, after the command its only try to connect 127.0.0.1

and Yes, all steps to fix it I tryed:
in smb.conf: interfaces: lo eth0
dns forwards: IP

in file username.map: Domain\Administrator Domain\administrator

samba version: 4.11

Thanks

doguibnu

@johnpoz said in pfsense can block samba net ad permittion (net rpc grant):

Looks like your just trying to give a user some privilege

Yes, you are right
For user Administratror

You have a usermap setup right?

/etc/samba/user.map

Yes

This looks like exactly what your running into
I did

I delete this part here: you posted one link ref samba member because pfsense tell me is spam, sorry

yes, I follow the site but, not fix

Thank you