Bug 1413620

Summary: net rpc shutdown fails with "NT_STATUS_ACCESS_DENIED"
Product: Red Hat Enterprise Linux 6
Reporter: Rainer Traut <rainer.traut>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: high
Priority: unspecified
Version: 6.8
CC: asn, gdeschner, jarrpa
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Windows
Last Closed: 2017-11-15 14:32:43 UTC
Type: Bug
Attachments:
Description Flags
debug output none

Description Rainer Traut 2017-01-16 14:36:12 UTC
Description of problem:
There seems to be a regression on the Linux side with net rpc.
Not a single 'net rpc' command works when connecting to a Windows 7 machine.
This used to work. I can exclude a firewall/permission problem on the Windows side.

Version-Release number of selected component (if applicable):
$ rpm -q samba-common
samba-common-3.6.23-36.el6_8.x86_64

How reproducible:
always, when trying to connect to a fully patched Windows 7

Steps to Reproduce:
1. smbclient output
$ smbclient -L pc1153 -U Administrator
Enter Administrator's password: 
Domain=[PC1153] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remoteverwaltung
	C$              Disk      Standardfreigabe
	FestplattenExport Disk      
	IPC$            IPC       Remote-IPC
	NEU             Disk      
	U$              Disk      Standardfreigabe
Domain=[PC1153] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

2. another try with net rpc and same credentials
$ net rpc shutdown -f -S pc1153 -U 'Administrator'
Enter Administrator's password:
Could not connect to server pc1153
Connection failed: NT_STATUS_ACCESS_DENIED
Could not connect to server pc1153
Connection failed: NT_STATUS_ACCESS_DENIED
3. Giving the administrator passwd on cmdline does not change the result

Actual results:
Connection failed: NT_STATUS_ACCESS_DENIED

Expected results:
shutdown Windows7 PC

Additional info:
$ telnet pc1153 445
Trying 192.168.200.28...
Connected to pc1153.
Escape character is '^]'.
^CConnection closed by foreign host.

Means Windows firewall is off.

This used to work for two years but broke somewhere in 2016.
And there is a CentOS 6 bug report here:
https://bugs.centos.org/view.php?id=10740

Comment 3 Andreas Schneider 2017-01-17 15:12:45 UTC
Could you paste the output of:


    net rpc shutdown -f -S pc1153 -U 'Administrator' -d10

Thanks.

Comment 4 Rainer Traut 2017-01-18 09:42:01 UTC
Created attachment 1242103
debug output

et voilà

Comment 5 Rainer Traut 2017-01-18 09:46:25 UTC
I managed to solve it by:

client ipc signing = auto

in /etc/smb.conf

Comment 8 Andreas Schneider 2017-11-15 14:32:43 UTC
Windows 7 doesn't have Security Signatures enabled by default. You should enable Security Signatures on your Windows client and not change 'client ipc signing'!

The following link shows how to enable Security Signatures. See 'SMB signing configuration on the server side'; the registry key to turn this on is 'enablesecuritysignature'.

https://support.microsoft.com/en-us/help/916846/server-message-block-communication-between-a-client-side-smb-component
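
Added example (not part of the bug report and not Samba code): a small Python check that flags an smb.conf whose [global] section relaxes 'client ipc signing', as the workaround in Comment 5 does. The value meanings follow the smb.conf manual page and are assumed to apply to the RHEL 6 package as well; the function name and both sample configurations are constructed.

```python
import re

# Effective policy per value of 'client ipc signing', as described in the
# smb.conf manual page (assumption: the RHEL 6 package uses the same values).
POLICY = {
    "default": "required",
    "mandatory": "required",
    "auto": "offered-not-enforced",
    "disabled": "off",
}

def _norm(name):
    # Samba compares parameter names case-insensitively and ignores whitespace.
    return re.sub(r"\s+", "", name).lower()

def audit_ipc_signing(conf_text):
    """Return (value, policy, ok) for 'client ipc signing' in [global]."""
    section, value = None, "default"      # an unset parameter keeps the default
    # Join backslash-continued lines before parsing.
    text = re.sub(r"\\\r?\n", "", conf_text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, val = line.split("=", 1)
        if section == "global" and _norm(key) == "clientipcsigning":
            value = val.strip().lower()   # last assignment wins
    policy = POLICY.get(value, "unrecognized")
    return value, policy, policy == "required"

# Constructed samples: the workaround from Comment 5, and an untouched config.
WORKAROUND = """
[global]
    workgroup = EXAMPLE
    Client IPC Signing = auto
[share]
    path = /srv/share
"""
UNTOUCHED = "[global]\n    workgroup = EXAMPLE\n"

if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND), ("untouched", UNTOUCHED)):
        print(name, audit_ipc_signing(conf))
```

The check only reads the [global] section and does not follow `include` directives.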