Hi friends:

I installed Samba4 ver 4.5 on openSuSE 42.1 Leap, the smb.conf is:

# Global parameters
[global]
    netbios name = SERVERDOM
    realm = POLRMVAR.MTZ.SLD.CU
    workgroup = POLRMVAR
    dns forwarder = 10.44.0.5
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/polrmvar.mtz.sld.cu/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[home]
    comment = Directorios Personales
    path = /home/usuarios
    read only = No

Kerberos works fine.

krb5.conf:

[libdefaults]
    default_realm = DOMINIO.MTZ.SLD.CU
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_ccache_name = KEYRING:persistent:%{uid}

When I run this command while configuring my Samba:

#net rpc rights grant 'DOMINIO\Domain Admins' SeMachineAccountPrivilege \
    SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
    SeRemoteShutdownPrivilege -UAdministrator

all works fine.

But when I run this other one to check rights:

# net rpc rights list accounts –UAdministrator
Enter informatico's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I don't know where to look; this is Problem #1.

The other:

server:#ldapsearch -x -h servidor -s base -D CN=Administrator,CN=Users,CN=DOMINIO,DC=MTZ,DC=SLD,DC=CU -W
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

I was looking around about the problem; I wish to improve the security on my server, not lack it.

Any suggestions are welcome.

T.I.A

--
Jesús Reyes Piedra
Admin Red Neurodearrollo, Cárdenas
The box said: "Requires Windows 95 or better"... So I installed LINUX.

--
This message reached you through the e-mail service that Infomed provides to support the fulfilment of the missions of the National Health System. The person sending this e-mail undertakes to use the service for those purposes and to comply with the established regulations.
Infomed: http://www.sld.cu/

Anybody here? Can somebody help me?

T.I.A.

On 25/10/16 at 16:24, Informatico Neurodesarrollo via samba wrote:
> Hi friends:
> I installed Samba4 ver 4.5 on openSuSE 42.1 Leap, the smb.conf is:
>
> # Global parameters
> [global]
>     netbios name = SERVERDOM
>     realm = POLRMVAR.MTZ.SLD.CU
>     workgroup = POLRMVAR
>     dns forwarder = 10.44.0.5
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/polrmvar.mtz.sld.cu/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [home]
>     comment = Directorios Personales
>     path = /home/usuarios
>     read only = No
>
> Kerberos works fine.
>
> krb5.conf:
>
> [libdefaults]
>     default_realm = DOMINIO.MTZ.SLD.CU
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     default_ccache_name = KEYRING:persistent:%{uid}
>
> When I run this command while configuring my Samba:
>
> #net rpc rights grant 'DOMINIO\Domain Admins' SeMachineAccountPrivilege \
>     SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
>     SeRemoteShutdownPrivilege -UAdministrator
>
> all works fine.
>
> But when I run this other one to check rights:
>
> # net rpc rights list accounts –UAdministrator
> Enter informatico's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I don't know where to look; this is Problem #1.
>
> The other:
>
> server:#ldapsearch -x -h servidor -s base -D CN=Administrator,CN=Users,CN=DOMINIO,DC=MTZ,DC=SLD,DC=CU -W
> Enter LDAP Password:
> ldap_bind: Strong(er) authentication required (8)
>         additional info: BindSimple: Transport encryption required.
>
> I was looking around about the problem; I wish to improve the security on my server, not lack it.
>
> Any suggestions are welcome.
>
> T.I.A

--
Jesús Reyes Piedra
Admin Red Neurodearrollo, Cárdenas
The box said: "Requires Windows 95 or better"... So I installed LINUX.

Hi,

The ldapsearch message is because you can't connect by plain text (-x) by default. Try using https, that should do it.

Does smbclient -L SERVERDOM -U Administrator work? Or does it give NT_STATUS_LOGON_FAILURE as well?

If you increase the log level, do you see "Unable to convert SID (S-1-X-XXX) at index X in user token to a GID." in your log files?

On 31/10/2016 12:17, Informatico Neurodesarrollo via samba wrote:
> Anybody here? Can somebody help me?
>
> T.I.A.
>
> On 25/10/16 at 16:24, Informatico Neurodesarrollo via samba wrote:
>> Hi friends:
>> I installed Samba4 ver 4.5 on openSuSE 42.1 Leap, the smb.conf is:
>>
>> # Global parameters
>> [global]
>>     netbios name = SERVERDOM
>>     realm = POLRMVAR.MTZ.SLD.CU
>>     workgroup = POLRMVAR
>>     dns forwarder = 10.44.0.5
>>     server role = active directory domain controller
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>>
>> [netlogon]
>>     path = /usr/local/samba/var/locks/sysvol/polrmvar.mtz.sld.cu/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /usr/local/samba/var/locks/sysvol
>>     read only = No
>>
>> [home]
>>     comment = Directorios Personales
>>     path = /home/usuarios
>>     read only = No
>>
>> Kerberos works fine.
>>
>> krb5.conf:
>>
>> [libdefaults]
>>     default_realm = DOMINIO.MTZ.SLD.CU
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>     default_ccache_name = KEYRING:persistent:%{uid}
>>
>> When I run this command while configuring my Samba:
>>
>> #net rpc rights grant 'DOMINIO\Domain Admins' SeMachineAccountPrivilege \
>>     SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
>>     SeRemoteShutdownPrivilege -UAdministrator
>>
>> all works fine.
>>
>> But when I run this other one to check rights:
>>
>> # net rpc rights list accounts –UAdministrator
>> Enter informatico's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> I don't know where to look; this is Problem #1.
>>
>> The other:
>>
>> server:#ldapsearch -x -h servidor -s base -D CN=Administrator,CN=Users,CN=DOMINIO,DC=MTZ,DC=SLD,DC=CU -W
>> Enter LDAP Password:
>> ldap_bind: Strong(er) authentication required (8)
>>         additional info: BindSimple: Transport encryption required.
>>
>> I was looking around about the problem; I wish to improve the security on my server, not lack it.
>>
>> Any suggestions are welcome.
>>
>> T.I.A

--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>

This message may contain privileged and confidential information for the use of the intended recipients only. If you are not an intended recipient then you should not disseminate, copy, or take any action based on its contents. If you have received this message in error then please notify E-TRUST by sending an e-mail message to suporte at e-trust.com.br immediately. Views and opinions expressed in this message do not necessarily reflect the position of E-TRUST. If this message is digitally signed, its authenticity can be confirmed by E-TRUST Private Certificate Authority, available at www.e-trust.com.br.

See inline comments:

On Tue, 25 Oct 2016 16:24:29 -0400 Informatico Neurodesarrollo via samba <samba at lists.samba.org> wrote:
> Hi friends:
> I installed Samba4 ver 4.5 on openSuSE 42.1 Leap, the smb.conf is:
>
> # Global parameters
> [global]
>     netbios name = SERVERDOM
>     realm = POLRMVAR.MTZ.SLD.CU
>     workgroup = POLRMVAR
>     dns forwarder = 10.44.0.5
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/polrmvar.mtz.sld.cu/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [home]
>     comment = Directorios Personales
>     path = /home/usuarios
>     read only = No
>
> Kerberos works fine.
>
> krb5.conf:
>
> [libdefaults]
>     default_realm = DOMINIO.MTZ.SLD.CU
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     default_ccache_name = KEYRING:persistent:%{uid}
>
> When I run this command while configuring my Samba:
>
> #net rpc rights grant 'DOMINIO\Domain Admins' SeMachineAccountPrivilege \
>     SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \
>     SeRemoteShutdownPrivilege -UAdministrator
>
> all works fine.
>
> But when I run this other one to check rights:
>
> # net rpc rights list accounts –UAdministrator
> Enter informatico's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I don't know where to look; this is Problem #1.

Well, you could try looking at the output you are getting: you are using '-UAdministrator', but it is asking you to 'Enter informatico's password:'.

Try adding '--password=YOUR_ADMINISTRATORS_PASSWORD' to the end of the command.

> The other:
>
> server:#ldapsearch -x -h servidor -s base -D CN=Administrator,CN=Users,CN=DOMINIO,DC=MTZ,DC=SLD,DC=CU -W
> Enter LDAP Password:
> ldap_bind: Strong(er) authentication required (8)
>         additional info: BindSimple: Transport encryption required.
>
> I was looking around about the problem; I wish to improve the security on my server, not lack it.

In which case, use ldbsearch with kerberos. If you must use ldapsearch, you are going to have to use SSL, or add 'ldap server require strong auth = no' to smb.conf, but this is decreasing security.

Rowland

> Any suggestions are welcome.
>
> T.I.A
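
The trade-off in the last reply, as an added example that is not part of the thread and not Samba's own code: a small Python check that reads an smb.conf and reports the effective 'ldap server require strong auth' level, which defaults to yes when the option is absent (as in the posted file). The function names are hypothetical and the two sample configurations are constructed from the posted [global] section.

```python
import re

OPTION = "ldap server require strong auth"
# Spellings Samba accepts for this enum option, mapped to its three levels.
LEVELS = {"no": "no", "false": "no", "0": "no",
          "allow_sasl_over_tls": "allow_sasl_over_tls",
          "yes": "yes", "true": "yes", "1": "yes"}

def normalise(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def global_params(conf_text):
    """Return {normalised name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[normalise(name)] = value.strip()
    return params

def audit_strong_auth(conf_text):
    """Return (effective level, True if cleartext simple binds are accepted)."""
    raw = global_params(conf_text).get(normalise(OPTION), "yes")
    level = LEVELS.get(raw.lower())
    if level is None:
        raise ValueError(f"unrecognised value for '{OPTION}': {raw!r}")
    return level, level == "no"

# Constructed samples: part of the posted [global] section, then a weakened copy.
POSTED = """[global]
    netbios name = SERVERDOM
    server role = active directory domain controller
[home]
    path = /home/usuarios
"""
WEAKENED = POSTED.replace("[home]", "    LDAP Server Require Strong Auth = No\n[home]")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("weakened", WEAKENED)):
        print(label, audit_strong_auth(conf))
```

The posted configuration evaluates to the default level, which is why the simple bind over ldap:// was refused; only the weakened copy is flagged.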