Hi,

I have automated the install of my member server.
Followed the wiki: https://wiki.samba.org/index.php/Samba/Domain_Member

Everything works nicely, but... .. read on.. ;-)

OK, so the wiki says: https://wiki.samba.org/index.php/Setup_and_configure_file_shares

and now I'm at the point: SeDiskOperatorPrivilege
and .. for the DCs installed this worked without problems...

but for the domain member I'm getting ...

net rpc rights list accounts -Uadministrator
Enter administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

net -S servername rpc rights list accounts -Uadministrator
Enter administrator's password:
Could not connect to server rtd-mem-001
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
Enter administrator's password:
Could not connect to server servername.internal.domain.tld
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

and of course setting the Se right didn't work

net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

so..
/etc/hosts ( checked )
/etc/nsswitch.conf ( checked )
/etc/resolv.conf (check)
/var/log/samba/ all logs checked, no errors at all.
kinit Administrator ( checked )

/etc/samba/smb.conf

[global]

   workgroup = INTERNAL
   security = ADS
   realm = INTERNAL.DOMAIN.TLD

   idmap config *:backend = tdb
   idmap config *:range = 500001-800000
   idmap config BAZRTD:backend = ad
   idmap config BAZRTD:schema_mode = rfc2307
   idmap config BAZRTD:range = 10000-400000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   #winbind enum users = yes
   #winbind enum groups = yes

   template shell = /bin/bash
   template homedir = /home/samba/DOMAIN/%USERNAME%

   # For ACL support on member server
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   # disable printing completely
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

Anyone have an idea?

On 01/04/14 16:00, L.P.H. van Belle wrote:
> Hi,
>
> I have automated the install of my member server.
> Followed the wiki: https://wiki.samba.org/index.php/Samba/Domain_Member
>
> Everything works nicely, but... .. read on.. ;-)
>
> OK, so the wiki says: https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
> and now I'm at the point: SeDiskOperatorPrivilege
> and .. for the DCs installed this worked without problems...
>
> but for the domain member I'm getting ...
>
> net rpc rights list accounts -Uadministrator
> Enter administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> net -S servername rpc rights list accounts -Uadministrator
> Enter administrator's password:
> Could not connect to server rtd-mem-001
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
> Enter administrator's password:
> Could not connect to server servername.internal.domain.tld
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> and of course setting the Se right didn't work
>
> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> Enter administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> so..
> /etc/hosts ( checked )
> /etc/nsswitch.conf ( checked )
> /etc/resolv.conf (check)
> /var/log/samba/ all logs checked, no errors at all.
> kinit Administrator ( checked )
>
> /etc/samba/smb.conf
>
> [global]
>
>    workgroup = INTERNAL
>    security = ADS
>    realm = INTERNAL.DOMAIN.TLD
>
>    idmap config *:backend = tdb
>    idmap config *:range = 500001-800000
>    idmap config BAZRTD:backend = ad
>    idmap config BAZRTD:schema_mode = rfc2307
>    idmap config BAZRTD:range = 10000-400000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    #winbind enum users = yes
>    #winbind enum groups = yes
>
>    template shell = /bin/bash
>    template homedir = /home/samba/DOMAIN/%USERNAME%
>
>    # For ACL support on member server
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    # disable printing completely
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
> Anyone have an idea?

Hi Louis, it seems to be asking localhost:

Could not connect to server 127.0.0.1

What have you got in /etc/resolv.conf & /etc/krb5.conf ?

Rowland

Hi Rowland,

well, this is in it; it is the same as for the 2 DCs (and their IPs are the nameservers in resolv.conf)

resolv.conf
search internal.domain.tld
domain internal.domain.tld
nameserver 192.168.1.1
nameserver 192.168.1.2

krb5.conf
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = INTERNAL.DOMAIN.TLD

I don't get it.
software installed ( from the script I run )
apt-get install sernet-samba sernet-samba-winbind fam acl attr quota -y
samba set to classic.
did kerberos setup.
checked with klist -e
joined the domain with: net ads join -U Administrator
started up samba:
/etc/init.d/sernet-samba-smbd start
/etc/init.d/sernet-samba-nmbd start
/etc/init.d/sernet-samba-winbindd start

/etc/pam.d/samba
# copy from /etc/pam.d/common-auth - authentication settings common to all services
#
auth sufficient pam_winbind.so
auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

# copy from /etc/pam.d/common-account - authorization settings common to all services
#
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

# copy from /etc/pam.d/common-session - session-related modules common to all services
#
session required pam_mkhomedir.so
session required pam_winbind.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so

nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

wbinfo -u
wbinfo -g
is OK, I get the users and groups.

getent passwd works ( if I set uid/gid in the unix tab of the users/group)

so it all looks fine to me... so what's going on.. I don't see it.

Greetz,

Louis

>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Tuesday 1 April 2014 17:00
>To: samba at lists.samba.org
>Subject: [Samba] member joined, but...
>
>Hi,
>
>I have automated the install of my member server.
>Followed the wiki: https://wiki.samba.org/index.php/Samba/Domain_Member
>
>Everything works nicely, but... .. read on.. ;-)
>
>OK, so the wiki says: https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
>and now I'm at the point: SeDiskOperatorPrivilege
>and .. for the DCs installed this worked without problems...
>
>but for the domain member I'm getting ...
>
>net rpc rights list accounts -Uadministrator
>Enter administrator's password:
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>net -S servername rpc rights list accounts -Uadministrator
>Enter administrator's password:
>Could not connect to server rtd-mem-001
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
>Enter administrator's password:
>Could not connect to server servername.internal.domain.tld
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>and of course setting the Se right didn't work
>
>net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>Enter administrator's password:
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>
>so..
>/etc/hosts ( checked )
>/etc/nsswitch.conf ( checked )
>/etc/resolv.conf (check)
>/var/log/samba/ all logs checked, no errors at all.
>kinit Administrator ( checked )
>
>/etc/samba/smb.conf
>
>[global]
>
>   workgroup = INTERNAL
>   security = ADS
>   realm = INTERNAL.DOMAIN.TLD
>
>   idmap config *:backend = tdb
>   idmap config *:range = 500001-800000
>   idmap config BAZRTD:backend = ad
>   idmap config BAZRTD:schema_mode = rfc2307
>   idmap config BAZRTD:range = 10000-400000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   #winbind enum users = yes
>   #winbind enum groups = yes
>
>   template shell = /bin/bash
>   template homedir = /home/samba/DOMAIN/%USERNAME%
>
>   # For ACL support on member server
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
>
>   # disable printing completely
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
>
>Anyone have an idea?
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba

I really don't get it. :-(
So if anyone has any tip for me, please... I need this also for my print server...

wbinfo -a "INTERNAL\Administrator%Mypassword"
plaintext password authentication succeeded
challenge/response password authentication succeeded

net rpc group members users -U Administrator -d5
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
failed to make ipc connection: NT_STATUS_LOGON_FAILURE
return code = -1
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb

net -S rtd-dc1.internal.domain.tld rpc group members users -U INTERNAL\\Administrator -d5
Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0, auth_level 1
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 32
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 84
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 32
Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0, auth_level 1
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 32
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 32
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 44
rpc_api_pipe: host rtd-dc1.internal.domain.tld
rpc_read_send: data_to_read: 32
rpc command function failed! (NT_STATUS_NO_SUCH_ALIAS)
return code = -1

and the log of the member joining the AD domain:

Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update unsuccessful: rtd-mem-001.internal.domain.tld/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling transaction on zone internal.domain.tld
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: spnego update failed
Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update failed: rejected by secure update (REFUSED)
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling transaction on zone internal.domain.tld
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': deleting rrset at 'rtd-mem-001.internal.domain.tld' A
Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': adding an RR at 'rtd-mem-001.internal.domain.tld' A
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: added rtd-mem-001.internal.domain.tld rtd-mem-001.internal.domain.tld.#0113600#011IN#011A#011192.168.1.240
Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: subtracted rdataset internal.domain.tld 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.domain.tld. hostmaster.internal.domain.tld. 12 900 600 86400 0'
Apr 1 16:37:57 rtd-dc1 named[1993]: samba_dlz: added rdataset internal.domain.tld 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.domain.tld. hostmaster.internal.domain.tld. 13 900 600 86400 0'
Apr 1 16:37:57 rtd-dc1 named[1993]: samba_dlz: committed transaction on zone internal.domain.tld

>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Wednesday 2 April 2014 8:25
>To: samba at lists.samba.org
>Subject: Re: [Samba] member joined, but...
>
>Hi Rowland,
>
>well, this is in it; it is the same as for the 2 DCs (and their IPs are the nameservers in resolv.conf)
>
>resolv.conf
>search internal.domain.tld
>domain internal.domain.tld
>nameserver 192.168.1.1
>nameserver 192.168.1.2
>
>krb5.conf
>[libdefaults]
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
>    default_realm = INTERNAL.DOMAIN.TLD
>
>I don't get it.
>software installed ( from the script I run )
>apt-get install sernet-samba sernet-samba-winbind fam acl attr quota -y
>samba set to classic.
>did kerberos setup.
>checked with klist -e
>joined the domain with: net ads join -U Administrator
>started up samba:
>/etc/init.d/sernet-samba-smbd start
>/etc/init.d/sernet-samba-nmbd start
>/etc/init.d/sernet-samba-winbindd start
>
>/etc/pam.d/samba
># copy from /etc/pam.d/common-auth - authentication settings common to all services
>#
>auth sufficient pam_winbind.so
>auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
>auth requisite pam_deny.so
>auth required pam_permit.so
>
># copy from /etc/pam.d/common-account - authorization settings common to all services
>#
>account sufficient pam_winbind.so
>account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>account requisite pam_deny.so
>account required pam_permit.so
>
># copy from /etc/pam.d/common-session - session-related modules common to all services
>#
>session required pam_mkhomedir.so
>session required pam_winbind.so
>session [default=1] pam_permit.so
>session requisite pam_deny.so
>session required pam_permit.so
>session required pam_unix.so
>
>nsswitch.conf
>passwd: compat winbind
>group: compat winbind
>shadow: compat
>
>hosts: files dns
>networks: files
>
>protocols: db files
>services: db files
>ethers: db files
>rpc: db files
>
>wbinfo -u
>wbinfo -g
>is OK, I get the users and groups.
>
>getent passwd works ( if I set uid/gid in the unix tab of the users/group)
>
>so it all looks fine to me... so what's going on.. I don't see it.
>
>Greetz,
>
>Louis

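The DC log in the last message shows a dynamic DNS update being refused by secure update and then allowed once it was signed by the member's machine account. As an added example (not code from the thread or from the Samba project), this Python sketch reads named/samba_dlz lines in that format and reports allowed updates whose signer does not match the record being changed, plus clients that were refused and never allowed. The function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the named/samba_dlz format quoted in the thread;
# the .241 and .250 entries are invented to exercise both checks.
SAMPLE = r"""
Apr  1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update failed: rejected by secure update (REFUSED)
Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=constructed-key-1/160/0
Apr  1 16:37:57 rtd-dc1 named[1993]: samba_dlz: committed transaction on zone internal.domain.tld
Apr  1 16:40:02 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-002\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.241 type=A key=constructed-key-2/160/0
Apr  1 16:41:10 rtd-dc1 named[1993]: client 192.168.1.250#40000: updating zone 'internal.domain.tld/NONE': update failed: rejected by secure update (REFUSED)
"""

REFUSED = re.compile(r"client (?P<addr>[^#\s]+)#\d+: updating zone '[^']+': "
                     r"update failed: rejected by secure update")
ALLOWED = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) "
                     r"name=(?P<name>\S+) tcpaddr=(?P<addr>\S+) type=(?P<rtype>\S+)")


def signer_host(signer):
    """Turn 'RTD-MEM-001\\$\\@REALM' into 'rtd-mem-001' (machine account, no '$')."""
    account = signer.replace("\\", "").split("@", 1)[0]
    return account.rstrip("$").lower()


def analyze(log_text):
    """Return signer/record mismatches and clients refused but never allowed."""
    refused = defaultdict(int)
    allowed = set()
    mismatched = []
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            refused[m["addr"]] += 1
            continue
        m = ALLOWED.search(line)
        if not m:
            continue
        allowed.add(m["addr"])
        record_host = m["name"].split(".", 1)[0].lower()
        entry = (m["addr"], signer_host(m["signer"]), m["name"], m["rtype"])
        # named logs "allowing update" more than once per update; report it once.
        if entry[1] != record_host and entry not in mismatched:
            mismatched.append(entry)
    return {
        "mismatched": mismatched,
        "refused_without_success": sorted(a for a in refused if a not in allowed),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

A mismatch is a prompt to look rather than proof of abuse: a DHCP server registering records on behalf of its clients produces the same pattern.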