AD DC default shares are okay after provisioning - smbclient -L localhost -U%: Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC$ IPC IPC Service (Samba 4.1.17-SerNet-RedHat-11.el7) Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] Server Comment --------- ------- Workgroup Master --------- ------- Cannot authenticate the administrator account - smbclient //localhost/netlogon -UAdministrator -c 'ls' Enter Administrator's password: session setup failed: NT_STATUS_LOGON_FAILURE - - - - - - - - - - - - - - - - - - I turned up the log level to 3 and found the following: [2015/04/22 06:17:54.074716, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler) /usr/sbin/samba_dnsupdate: RuntimeError: kinit for A10$@MWLLC.INFO failed (Cannot contact any KDC for requested realm) A10 is the server hostname, CONPAGO is the domain, and MWLLC.INFO is the realm. ----------------------------------------- ps axf | egrep "samba|smbd|nmbd|winbindd" 886 pts/5 S+ 0:00 \_ grep -E --color=auto samba|smbd|nmbd|winbindd 32620 ? Ss 0:00 samba 32621 ? S 0:00 \_ samba 32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground 32637 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground 32622 ? S 0:00 \_ samba 32624 ? S 0:00 \_ samba 32625 ? S 0:00 \_ samba 32626 ? S 0:00 \_ samba 32627 ? S 0:00 \_ samba 32628 ? S 0:00 \_ samba 32629 ? S 0:00 \_ samba 32630 ? S 0:00 \_ samba 32631 ? S 0:00 \_ samba 32632 ? S 0:00 \_ samba 32633 ? S 0:00 \_ samba 32634 ? S 0:00 \_ samba The above looks the same as the troubleshooting page. ------------------------------------------------------------------------ Cannot figure out why kerberos authentication fails. Also notice nmbd and winbindd logs that say, "server role = 'active directory domain controller' not compatible with running the <<nmbd>> and <<winbindd>> binary. You should start 'samba' instead, and it will control starting the internal AD DC <<nmbd>> and <<winbindd>> implementation, which is not the same as this one." However, I did execute using "samba". samba-tool testparm -v --- # Global parameters [global] dos charset = CP850 unix charset = UTF8 workgroup = CONPAGO realm = MWLLC.INFO netbios name = A10 netbios aliases netbios scope server string = Samba 4.1.17-SerNet-RedHat-11.el7 interfaces = lo, eno1 bind interfaces only = Yes config backend = file server role = active directory domain controller security = AUTO auth methods encrypt passwords = Yes client schannel = No server schannel = No allow trusted domains = No map to guest = Never null passwords = No obey pam restrictions = No password server = * smb passwd file private dir = /var/lib/samba/private passdb backend algorithmic rid base = 0 root directory guest account enable privileges = No pam password change = No passwd program passwd chat = *new*password* %n\n *new*password* %n\n *changed* passwd chat debug = No passwd chat timeout = 0 check password script username map username level = 0 unix password sync = No restrict anonymous = 0 lanman auth = No ntlm auth = Yes client NTLMv2 auth = Yes client lanman auth = No client plaintext auth = No client use spnego principal = No preload modules dedicated keytab file kerberos method = default map untrusted to domain = No log level = 3 syslog = 1 syslog only = No log file max log size = 0 debug timestamp = Yes debug prefix timestamp = No debug hires timestamp = Yes debug pid = No debug uid = No debug class = No enable core files = No smb ports = 445, 139 large readwrite = Yes server max protocol = NT1 server min protocol = CORE client max protocol = NT1 client min protocol = CORE unicode = Yes min receivefile size = 0 read raw = Yes write raw = Yes disable netbios = No reset on zero vc = No log writeable files on exit = No defer sharing violations = No nt pipe support = No nt status support = Yes max mux = 50 max xmit = 12288 name resolve order = wins, host, bcast max ttl = 0 max wins ttl = 518400 min wins ttl = 10 time server = No unix extensions = No use spnego = Yes client signing = default server signing = default client use spnego = No client ldap sasl wrapping = plain enable asu support = No svcctl list cldap port = 389 dgram port = 138 nbt port = 137 krb5 port = 88 kpasswd port = 464 web port = 901 rpc big endian = No deadtime = 0 getwd cache = No keepalive = 0 lpq cache time = 0 max smbd processes = 0 max disk size = 0 max open files = 0 socket options = TCP_NODELAY use mmap = Yes use ntdb = No hostname lookups = No name cache timeout = 0 ctdbd socket cluster addresses clustering = No ctdb timeout = 0 ctdb locktime warn threshold = 0 smb2 max read = 0 smb2 max write = 0 smb2 max trans = 0 smb2 max credits = 0 load printers = No printcap cache time = 0 printcap name cups server cups encrypt = No cups connection timeout = 0 iprint server disable spoolss = No addport command enumports command addprinter command deleteprinter command show add printer wizard = No os2 driver map mangling method mangle prefix = 0 max stat cache size = 0 stat cache = No machine password timeout = 0 add user script rename user script delete user script add group script delete group script add user to group script delete user from group script set primary group script add machine script shutdown script abort shutdown script username map script username map cache time = 0 logon script logon path logon drive logon home domain logons = No init logon delayed hosts init logon delay = 0 os level = 0 lm announce = No lm interval = 0 preferred master = Auto local master = Yes domain master = Auto browse list = No enhanced browsing = No dns proxy = Yes wins proxy = No wins server wins support = No wins hook lock spin time = 0 oplock break wait time = 0 ldap admin dn ldap delete dn = No ldap group suffix ldap idmap suffix ldap machine suffix ldap passwd sync = yes ldap replication sleep = 0 ldap suffix ldap ssl = no ldap ssl ads = No ldap deref = never ldap follow referral = No ldap timeout = 0 ldap connection timeout = 0 ldap page size = 0 ldap user suffix ldap debug level = 0 ldap debug threshold = 0 eventlog list add share command change share command delete share command config file preload lock directory = /var/cache/samba state directory = /var/lib/samba cache directory = /var/cache/samba pid directory = /var/run/samba ntp signd socket directory = /var/lib/samba/ntp_signd utmp directory wtmp directory utmp = No default service message command get quota command set quota command remote announce remote browse sync nbt client socket address nmbd bind explicit broadcast = No homedir map afs username map afs token lifetime = 0 log nt token command NIS homedir = No registry shares = No usershare allow guests = No usershare max shares = 0 usershare owner only = No usershare path usershare prefix allow list usershare prefix deny list usershare template share allow insecure wide links = No async smb echo handler = No panic action perfcount module host msdfs = Yes passdb expand explicit = No idmap backend idmap cache time = 0 idmap negative cache time = 0 idmap uid idmap gid template homedir = /home/%WORKGROUP%/%ACCOUNTNAME% template shell = /bin/false winbind separator = \ winbind cache time = 0 winbind reconnect delay = 0 winbind request timeout = 0 winbind max clients = 0 winbind enum users = No winbind enum groups = No winbind use default domain = No winbind trusted domains only = No winbind nested groups = No winbind expand groups = 0 winbind nss info winbind refresh tickets = No winbind offline logon = No winbind normalize names = No winbind rpc only = No create krb5 conf = No ncalrpc dir = /var/run/samba/ncalrpc winbind max domain connections = 0 winbindd socket directory = /var/run/samba/winbindd winbindd privileged socket directory /var/lib/samba/winbindd_privileged winbind sealed pipes = Yes allow dns updates = secure only dns forwarder = 75.75.76.76 dns update command = /usr/sbin/samba_dnsupdate nsupdate command = /usr/bin/nsupdate -g rndc command = /usr/sbin/rndc multicast dns register = No samba kcc command = /usr/sbin/samba_kcc server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver spn update command = /usr/sbin/samba_spnupdate share backend = classic tls enabled = Yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem tls cafile = tls/ca.pem tls crlfile tls dh params file idmap_ldb:use rfc2307 = yes prefork children:smb = 4 registry:hkey_users = hku.ldb registry:hkey_local_machine = hklm.ldb [netlogon] path = /var/lib/samba/sysvol/mwllc.info/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No (END)
L.P.H. van Belle
2015-Apr-22 11:27 UTC
[Samba] Cannot authenticate the administrator account
can you try the following.. and post the result back. and /etc/resolv.conf and /etc/krb5.conf copy past it, but set the admin pass fist. then whats the output. SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE" SETFQDN=`hostname -f` echo "NT Authentication test" echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls' echo "Kerberos Authentication" echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k kdestroy>-----Oorspronkelijk bericht----- >Van: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org] >Namens Mike >Verzonden: woensdag 22 april 2015 13:14 >Aan: samba >Onderwerp: [Samba] Cannot authenticate the administrator account > >AD DC default shares are okay after provisioning - >smbclient -L localhost -U%: > >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] > > Sharename Type Comment > --------- ---- ------- > netlogon Disk > sysvol Disk > IPC$ IPC IPC Service (Samba >4.1.17-SerNet-RedHat-11.el7) >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] > > Server Comment > --------- ------- > > Workgroup Master > --------- ------- > >Cannot authenticate the administrator account - >smbclient //localhost/netlogon -UAdministrator -c 'ls' >Enter Administrator's password: >session setup failed: NT_STATUS_LOGON_FAILURE > >- - - - - - - - - - - - - - - - - - >I turned up the log level to 3 and found the following: > >[2015/04/22 06:17:54.074716, 0] >../lib/util/util_runcmd.c:317(samba_runcmd_io_handler) > /usr/sbin/samba_dnsupdate: RuntimeError: kinit for >A10$@MWLLC.INFO failed >(Cannot contact any KDC for requested realm) > >A10 is the server hostname, CONPAGO is the domain, and >MWLLC.INFO is the >realm. > >----------------------------------------- > ps axf | egrep "samba|smbd|nmbd|winbindd" > 886 pts/5 S+ 0:00 \_ grep -E --color=auto >samba|smbd|nmbd|winbindd >32620 ? Ss 0:00 samba >32621 ? S 0:00 \_ samba >32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D >--option=server role >check:inhibit=yes --foreground >32637 ? S 0:00 | \_ /usr/sbin/smbd -D >--option=server >role check:inhibit=yes --foreground >32622 ? S 0:00 \_ samba >32624 ? S 0:00 \_ samba >32625 ? S 0:00 \_ samba >32626 ? S 0:00 \_ samba >32627 ? S 0:00 \_ samba >32628 ? S 0:00 \_ samba >32629 ? S 0:00 \_ samba >32630 ? S 0:00 \_ samba >32631 ? S 0:00 \_ samba >32632 ? S 0:00 \_ samba >32633 ? S 0:00 \_ samba >32634 ? S 0:00 \_ samba > >The above looks the same as the troubleshooting page. >--------------------------------------------------------------- >--------- > >Cannot figure out why kerberos authentication fails. > >Also notice nmbd and winbindd logs that say, "server role = 'active >directory domain controller' not compatible with running the ><<nmbd>> and ><<winbindd>> binary. > You should start 'samba' instead, and it will control starting the >internal AD DC <<nmbd>> and <<winbindd>> implementation, which >is not the >same as this one." > >However, I did execute using "samba". > >samba-tool testparm -v --- > ># Global parameters >[global] > dos charset = CP850 > unix charset = UTF8 > workgroup = CONPAGO > realm = MWLLC.INFO > netbios name = A10 > netbios aliases > netbios scope > server string = Samba 4.1.17-SerNet-RedHat-11.el7 > interfaces = lo, eno1 > bind interfaces only = Yes > config backend = file > server role = active directory domain controller > security = AUTO > auth methods > encrypt passwords = Yes > client schannel = No > server schannel = No > allow trusted domains = No > map to guest = Never > null passwords = No > obey pam restrictions = No > password server = * > smb passwd file > private dir = /var/lib/samba/private > passdb backend > algorithmic rid base = 0 > root directory > guest account > enable privileges = No > pam password change = No > passwd program > passwd chat = *new*password* %n\n *new*password* %n\n *changed* > passwd chat debug = No > passwd chat timeout = 0 > check password script > username map > username level = 0 > unix password sync = No > restrict anonymous = 0 > lanman auth = No > ntlm auth = Yes > client NTLMv2 auth = Yes > client lanman auth = No > client plaintext auth = No > client use spnego principal = No > preload modules > dedicated keytab file > kerberos method = default > map untrusted to domain = No > log level = 3 > syslog = 1 > syslog only = No > log file > max log size = 0 > debug timestamp = Yes > debug prefix timestamp = No > debug hires timestamp = Yes > debug pid = No > debug uid = No > debug class = No > enable core files = No > smb ports = 445, 139 > large readwrite = Yes > server max protocol = NT1 > server min protocol = CORE > client max protocol = NT1 > client min protocol = CORE > unicode = Yes > min receivefile size = 0 > read raw = Yes > write raw = Yes > disable netbios = No > reset on zero vc = No > log writeable files on exit = No > defer sharing violations = No > nt pipe support = No > nt status support = Yes > max mux = 50 > max xmit = 12288 > name resolve order = wins, host, bcast > max ttl = 0 > max wins ttl = 518400 > min wins ttl = 10 > time server = No > unix extensions = No > use spnego = Yes > client signing = default > server signing = default > client use spnego = No > client ldap sasl wrapping = plain > enable asu support = No > svcctl list > cldap port = 389 > dgram port = 138 > nbt port = 137 > krb5 port = 88 > kpasswd port = 464 > web port = 901 > rpc big endian = No > deadtime = 0 > getwd cache = No > keepalive = 0 > lpq cache time = 0 > max smbd processes = 0 > max disk size = 0 > max open files = 0 > socket options = TCP_NODELAY > use mmap = Yes > use ntdb = No > hostname lookups = No > name cache timeout = 0 > ctdbd socket > cluster addresses > clustering = No > ctdb timeout = 0 > ctdb locktime warn threshold = 0 > smb2 max read = 0 > smb2 max write = 0 > smb2 max trans = 0 > smb2 max credits = 0 > load printers = No > printcap cache time = 0 > printcap name > cups server > cups encrypt = No > cups connection timeout = 0 > iprint server > disable spoolss = No > addport command > enumports command > addprinter command > deleteprinter command > show add printer wizard = No > os2 driver map > mangling method > mangle prefix = 0 > max stat cache size = 0 > stat cache = No > machine password timeout = 0 > add user script > rename user script > delete user script > add group script > delete group script > add user to group script > delete user from group script > set primary group script > add machine script > shutdown script > abort shutdown script > username map script > username map cache time = 0 > logon script > logon path > logon drive > logon home > domain logons = No > init logon delayed hosts > init logon delay = 0 > os level = 0 > lm announce = No > lm interval = 0 > preferred master = Auto > local master = Yes > domain master = Auto > browse list = No > enhanced browsing = No > dns proxy = Yes > wins proxy = No > wins server > wins support = No > wins hook > lock spin time = 0 > oplock break wait time = 0 > ldap admin dn > ldap delete dn = No > ldap group suffix > ldap idmap suffix > ldap machine suffix > ldap passwd sync = yes > ldap replication sleep = 0 > ldap suffix > ldap ssl = no > ldap ssl ads = No > ldap deref = never > ldap follow referral = No > ldap timeout = 0 > ldap connection timeout = 0 > ldap page size = 0 > ldap user suffix > ldap debug level = 0 > ldap debug threshold = 0 > eventlog list > add share command > change share command > delete share command > config file > preload > lock directory = /var/cache/samba > state directory = /var/lib/samba > cache directory = /var/cache/samba > pid directory = /var/run/samba > ntp signd socket directory = /var/lib/samba/ntp_signd > utmp directory > wtmp directory > utmp = No > default service > message command > get quota command > set quota command > remote announce > remote browse sync > nbt client socket address > nmbd bind explicit broadcast = No > homedir map > afs username map > afs token lifetime = 0 > log nt token command > NIS homedir = No > registry shares = No > usershare allow guests = No > usershare max shares = 0 > usershare owner only = No > usershare path > usershare prefix allow list > usershare prefix deny list > usershare template share > allow insecure wide links = No > async smb echo handler = No > panic action > perfcount module > host msdfs = Yes > passdb expand explicit = No > idmap backend > idmap cache time = 0 > idmap negative cache time = 0 > idmap uid > idmap gid > template homedir = /home/%WORKGROUP%/%ACCOUNTNAME% > template shell = /bin/false > winbind separator = \ > winbind cache time = 0 > winbind reconnect delay = 0 > winbind request timeout = 0 > winbind max clients = 0 > winbind enum users = No > winbind enum groups = No > winbind use default domain = No > winbind trusted domains only = No > winbind nested groups = No > winbind expand groups = 0 > winbind nss info > winbind refresh tickets = No > winbind offline logon = No > winbind normalize names = No > winbind rpc only = No > create krb5 conf = No > ncalrpc dir = /var/run/samba/ncalrpc > winbind max domain connections = 0 > winbindd socket directory = /var/run/samba/winbindd > winbindd privileged socket directory >/var/lib/samba/winbindd_privileged > winbind sealed pipes = Yes > allow dns updates = secure only > dns forwarder = 75.75.76.76 > dns update command = /usr/sbin/samba_dnsupdate > nsupdate command = /usr/bin/nsupdate -g > rndc command = /usr/sbin/rndc > multicast dns register = No > samba kcc command = /usr/sbin/samba_kcc > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, >kdc, drepl, >winbind, ntp_signd, kcc, dnsupdate, dns > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >browser, eventlog6, >backupkey, dnsserver > spn update command = /usr/sbin/samba_spnupdate > share backend = classic > tls enabled = Yes > tls keyfile = tls/key.pem > tls certfile = tls/cert.pem > tls cafile = tls/ca.pem > tls crlfile > tls dh params file > idmap_ldb:use rfc2307 = yes > prefork children:smb = 4 > registry:hkey_users = hku.ldb > registry:hkey_local_machine = hklm.ldb > >[netlogon] > path = /var/lib/samba/sysvol/mwllc.info/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No >(END) >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > >
Thanks for your help, LPH - - - I am commuting to work right now.......will try it when I can get through a few daily hurdles at the office. :-) On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:> can you try the following.. > and post the result back. > and /etc/resolv.conf > and /etc/krb5.conf > > copy past it, but set the admin pass fist. > then whats the output. > > SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE" > SETFQDN=`hostname -f` > > echo "NT Authentication test" > echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U > Administrator -c 'ls' > > echo "Kerberos Authentication" > echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator > smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k > kdestroy > > > > > > >-----Oorspronkelijk bericht----- > >Van: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org] > >Namens Mike > >Verzonden: woensdag 22 april 2015 13:14 > >Aan: samba > >Onderwerp: [Samba] Cannot authenticate the administrator account > > > >AD DC default shares are okay after provisioning - > >smbclient -L localhost -U%: > > > >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] > > > > Sharename Type Comment > > --------- ---- ------- > > netlogon Disk > > sysvol Disk > > IPC$ IPC IPC Service (Samba > >4.1.17-SerNet-RedHat-11.el7) > >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] > > > > Server Comment > > --------- ------- > > > > Workgroup Master > > --------- ------- > > > >Cannot authenticate the administrator account - > >smbclient //localhost/netlogon -UAdministrator -c 'ls' > >Enter Administrator's password: > >session setup failed: NT_STATUS_LOGON_FAILURE > > > >- - - - - - - - - - - - - - - - - - > >I turned up the log level to 3 and found the following: > > > >[2015/04/22 06:17:54.074716, 0] > >../lib/util/util_runcmd.c:317(samba_runcmd_io_handler) > > /usr/sbin/samba_dnsupdate: RuntimeError: kinit for > >A10$@MWLLC.INFO failed > >(Cannot contact any KDC for requested realm) > > > >A10 is the server hostname, CONPAGO is the domain, and > >MWLLC.INFO is the > >realm. > > > >----------------------------------------- > > ps axf | egrep "samba|smbd|nmbd|winbindd" > > 886 pts/5 S+ 0:00 \_ grep -E --color=auto > >samba|smbd|nmbd|winbindd > >32620 ? Ss 0:00 samba > >32621 ? S 0:00 \_ samba > >32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D > >--option=server role > >check:inhibit=yes --foreground > >32637 ? S 0:00 | \_ /usr/sbin/smbd -D > >--option=server > >role check:inhibit=yes --foreground > >32622 ? S 0:00 \_ samba > >32624 ? S 0:00 \_ samba > >32625 ? S 0:00 \_ samba > >32626 ? S 0:00 \_ samba > >32627 ? S 0:00 \_ samba > >32628 ? S 0:00 \_ samba > >32629 ? S 0:00 \_ samba > >32630 ? S 0:00 \_ samba > >32631 ? S 0:00 \_ samba > >32632 ? S 0:00 \_ samba > >32633 ? S 0:00 \_ samba > >32634 ? S 0:00 \_ samba > > > >The above looks the same as the troubleshooting page. > >--------------------------------------------------------------- > >--------- > > > >Cannot figure out why kerberos authentication fails. > > > >Also notice nmbd and winbindd logs that say, "server role = 'active > >directory domain controller' not compatible with running the > ><<nmbd>> and > ><<winbindd>> binary. > > You should start 'samba' instead, and it will control starting the > >internal AD DC <<nmbd>> and <<winbindd>> implementation, which > >is not the > >same as this one." > > > >However, I did execute using "samba". > > > >samba-tool testparm -v --- > > > ># Global parameters > >[global] > > dos charset = CP850 > > unix charset = UTF8 > > workgroup = CONPAGO > > realm = MWLLC.INFO > > netbios name = A10 > > netbios aliases > > netbios scope > > server string = Samba 4.1.17-SerNet-RedHat-11.el7 > > interfaces = lo, eno1 > > bind interfaces only = Yes > > config backend = file > > server role = active directory domain controller > > security = AUTO > > auth methods > > encrypt passwords = Yes > > client schannel = No > > server schannel = No > > allow trusted domains = No > > map to guest = Never > > null passwords = No > > obey pam restrictions = No > > password server = * > > smb passwd file > > private dir = /var/lib/samba/private > > passdb backend > > algorithmic rid base = 0 > > root directory > > guest account > > enable privileges = No > > pam password change = No > > passwd program > > passwd chat = *new*password* %n\n *new*password* %n\n *changed* > > passwd chat debug = No > > passwd chat timeout = 0 > > check password script > > username map > > username level = 0 > > unix password sync = No > > restrict anonymous = 0 > > lanman auth = No > > ntlm auth = Yes > > client NTLMv2 auth = Yes > > client lanman auth = No > > client plaintext auth = No > > client use spnego principal = No > > preload modules > > dedicated keytab file > > kerberos method = default > > map untrusted to domain = No > > log level = 3 > > syslog = 1 > > syslog only = No > > log file > > max log size = 0 > > debug timestamp = Yes > > debug prefix timestamp = No > > debug hires timestamp = Yes > > debug pid = No > > debug uid = No > > debug class = No > > enable core files = No > > smb ports = 445, 139 > > large readwrite = Yes > > server max protocol = NT1 > > server min protocol = CORE > > client max protocol = NT1 > > client min protocol = CORE > > unicode = Yes > > min receivefile size = 0 > > read raw = Yes > > write raw = Yes > > disable netbios = No > > reset on zero vc = No > > log writeable files on exit = No > > defer sharing violations = No > > nt pipe support = No > > nt status support = Yes > > max mux = 50 > > max xmit = 12288 > > name resolve order = wins, host, bcast > > max ttl = 0 > > max wins ttl = 518400 > > min wins ttl = 10 > > time server = No > > unix extensions = No > > use spnego = Yes > > client signing = default > > server signing = default > > client use spnego = No > > client ldap sasl wrapping = plain > > enable asu support = No > > svcctl list > > cldap port = 389 > > dgram port = 138 > > nbt port = 137 > > krb5 port = 88 > > kpasswd port = 464 > > web port = 901 > > rpc big endian = No > > deadtime = 0 > > getwd cache = No > > keepalive = 0 > > lpq cache time = 0 > > max smbd processes = 0 > > max disk size = 0 > > max open files = 0 > > socket options = TCP_NODELAY > > use mmap = Yes > > use ntdb = No > > hostname lookups = No > > name cache timeout = 0 > > ctdbd socket > > cluster addresses > > clustering = No > > ctdb timeout = 0 > > ctdb locktime warn threshold = 0 > > smb2 max read = 0 > > smb2 max write = 0 > > smb2 max trans = 0 > > smb2 max credits = 0 > > load printers = No > > printcap cache time = 0 > > printcap name > > cups server > > cups encrypt = No > > cups connection timeout = 0 > > iprint server > > disable spoolss = No > > addport command > > enumports command > > addprinter command > > deleteprinter command > > show add printer wizard = No > > os2 driver map > > mangling method > > mangle prefix = 0 > > max stat cache size = 0 > > stat cache = No > > machine password timeout = 0 > > add user script > > rename user script > > delete user script > > add group script > > delete group script > > add user to group script > > delete user from group script > > set primary group script > > add machine script > > shutdown script > > abort shutdown script > > username map script > > username map cache time = 0 > > logon script > > logon path > > logon drive > > logon home > > domain logons = No > > init logon delayed hosts > > init logon delay = 0 > > os level = 0 > > lm announce = No > > lm interval = 0 > > preferred master = Auto > > local master = Yes > > domain master = Auto > > browse list = No > > enhanced browsing = No > > dns proxy = Yes > > wins proxy = No > > wins server > > wins support = No > > wins hook > > lock spin time = 0 > > oplock break wait time = 0 > > ldap admin dn > > ldap delete dn = No > > ldap group suffix > > ldap idmap suffix > > ldap machine suffix > > ldap passwd sync = yes > > ldap replication sleep = 0 > > ldap suffix > > ldap ssl = no > > ldap ssl ads = No > > ldap deref = never > > ldap follow referral = No > > ldap timeout = 0 > > ldap connection timeout = 0 > > ldap page size = 0 > > ldap user suffix > > ldap debug level = 0 > > ldap debug threshold = 0 > > eventlog list > > add share command > > change share command > > delete share command > > config file > > preload > > lock directory = /var/cache/samba > > state directory = /var/lib/samba > > cache directory = /var/cache/samba > > pid directory = /var/run/samba > > ntp signd socket directory = /var/lib/samba/ntp_signd > > utmp directory > > wtmp directory > > utmp = No > > default service > > message command > > get quota command > > set quota command > > remote announce > > remote browse sync > > nbt client socket address > > nmbd bind explicit broadcast = No > > homedir map > > afs username map > > afs token lifetime = 0 > > log nt token command > > NIS homedir = No > > registry shares = No > > usershare allow guests = No > > usershare max shares = 0 > > usershare owner only = No > > usershare path > > usershare prefix allow list > > usershare prefix deny list > > usershare template share > > allow insecure wide links = No > > async smb echo handler = No > > panic action > > perfcount module > > host msdfs = Yes > > passdb expand explicit = No > > idmap backend > > idmap cache time = 0 > > idmap negative cache time = 0 > > idmap uid > > idmap gid > > template homedir = /home/%WORKGROUP%/%ACCOUNTNAME% > > template shell = /bin/false > > winbind separator = \ > > winbind cache time = 0 > > winbind reconnect delay = 0 > > winbind request timeout = 0 > > winbind max clients = 0 > > winbind enum users = No > > winbind enum groups = No > > winbind use default domain = No > > winbind trusted domains only = No > > winbind nested groups = No > > winbind expand groups = 0 > > winbind nss info > > winbind refresh tickets = No > > winbind offline logon = No > > winbind normalize names = No > > winbind rpc only = No > > create krb5 conf = No > > ncalrpc dir = /var/run/samba/ncalrpc > > winbind max domain connections = 0 > > winbindd socket directory = /var/run/samba/winbindd > > winbindd privileged socket directory > >/var/lib/samba/winbindd_privileged > > winbind sealed pipes = Yes > > allow dns updates = secure only > > dns forwarder = 75.75.76.76 > > dns update command = /usr/sbin/samba_dnsupdate > > nsupdate command = /usr/bin/nsupdate -g > > rndc command = /usr/sbin/rndc > > multicast dns register = No > > samba kcc command = /usr/sbin/samba_kcc > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > >kdc, drepl, > >winbind, ntp_signd, kcc, dnsupdate, dns > > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, > >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, > >browser, eventlog6, > >backupkey, dnsserver > > spn update command = /usr/sbin/samba_spnupdate > > share backend = classic > > tls enabled = Yes > > tls keyfile = tls/key.pem > > tls certfile = tls/cert.pem > > tls cafile = tls/ca.pem > > tls crlfile > > tls dh params file > > idmap_ldb:use rfc2307 = yes > > prefork children:smb = 4 > > registry:hkey_users = hku.ldb > > registry:hkey_local_machine = hklm.ldb > > > >[netlogon] > > path = /var/lib/samba/sysvol/mwllc.info/scripts > > read only = No > > > >[sysvol] > > path = /var/lib/samba/sysvol > > read only = No > >(END) > >-- > >To unsubscribe from this list go to the following URL and read the > >instructions: https://lists.samba.org/mailman/options/samba > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:> can you try the following.. > and post the result back. > and /etc/resolv.conf > and /etc/krb5.conf > > copy past it, but set the admin pass fist. > then whats the output. > > SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE" > SETFQDN=`hostname -f` > > echo "NT Authentication test" > echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U > Administrator -c 'ls' > > echo "Kerberos Authentication" > echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator > smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k > kdestroy >[root at a10 ~]# cat /etc/resolv.conf # Generated by NetworkManager search conpago.mwllc.info nameserver 75.75.76.76 nameserver 75.75.75.75 [root at a10 etc]# cat krb5.conf [libdefaults] default_realm = MWLLC.INFO dns_lookup_realm = false dns_lookup_kdc = true [root at a10 etc]# SETFQDN=`hostname -f` [root at a10 etc]# echo "NT Authentication test" NT Authentication test [root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls' Enter Administrator's password: session setup failed: NT_STATUS_LOGON_FAILURE [root at a10 etc]# echo "Kerberos Authentication" Kerberos Authentication [root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials [root at a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory session setup failed: NT_STATUS_UNSUCCESSFUL [root at a10 etc]# kdestroy
L.P.H. van Belle
2015-Apr-22 14:04 UTC
[Samba] Cannot authenticate the administrator account
Are you sure you have the "correct" administrator password .. ? this should work ,? echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls' that does not involve kerberos yet.. ? Please run: ? SETHOSTNAME=`hostname -s` SETDNSDOMAIN=`hostname -d` SETFQDN=`hostname -f` host -t SRV _ldap._tcp.${SETDNSDOMAIN}. host -t SRV _kerberos._udp.${SETDNSDOMAIN}. ?? host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.? and cat /etc/hosts ? and these are your DC's ips? ? nameserver 75.75.76.76 nameserver 75.75.75.75 ? Greetz, ? Louis ? ? Van: Mike [mailto:1100100 at gmail.com] Verzonden: woensdag 22 april 2015 15:45 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Cannot authenticate the administrator account On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote: can you try the following.. and post the result back. and /etc/resolv.conf and /etc/krb5.conf copy past it, but set the admin pass fist. then whats the output. SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE" SETFQDN=`hostname -f` echo "NT Authentication test" echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls' echo "Kerberos Authentication" echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k kdestroy [root at a10 ~]# cat /etc/resolv.conf # Generated by NetworkManager search conpago.mwllc.info nameserver 75.75.76.76 nameserver 75.75.75.75 [root at a10 etc]# cat krb5.conf [libdefaults] ??? default_realm = MWLLC.INFO ??? dns_lookup_realm = false ??? dns_lookup_kdc = true [root at a10 etc]# SETFQDN=`hostname -f` [root at a10 etc]# echo "NT Authentication test" NT Authentication test [root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls' Enter Administrator's password: session setup failed: NT_STATUS_LOGON_FAILURE [root at a10 etc]# echo "Kerberos Authentication" Kerberos Authentication [root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials [root at a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory session setup failed: NT_STATUS_UNSUCCESSFUL [root at a10 etc]# kdestroy
Maybe Matching Threads
- Cannot authenticate the administrator account
- Cannot authenticate the administrator account
- Cannot authenticate the administrator account
- Cannot authenticate the administrator account
- Access to shares is denied after upgrading from 3.6.3 (openSUSE 12.1) to 4.1.17 (openSUSE 13.2)