I have been having issues with my W7 client "access is denied" to changing the security (user permissions) settings and have been posting regarding that issue yesterday. I have discovered that my "ads join member server" is not completely joined (I think.) I discovered a post from February 2014, by Louis "[Samba] member joined, but . . ." and ran some of his command line test strings and received similar results. Did some checking before moving forward: root at dtmember01:~# net ads testjoin Join is OK <<<<<<<<<<<< OK? Can't change permissions! root at dtmember01:~# net rpc rights list Enter root's password: Could not connect to server 127.0.0.1 <<<<<< why localhost? The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look root at dtmember01:~# cat /etc/hosts 127.0.0.1 localhost 192.168.16.55 dtmember01.dtshrm.lan dtmember01 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters root at dtmember01:~# cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface allow-hotplug eth0 iface eth0 inet static address 192.168.16.55 netmask 255.255.255.0 network 192.168.16.0 broadcast 192.168.16.255 gateway 192.168.16.106 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct setting here dns-search dtshrm.lan Do I have anything set incorrectly? Then I ran these test string that were listed in the "member joined, but . . ." thread. root at dtmember01:~# net rpc rights list accounts -UadministratorEnter administrator's password: Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!! root at dtmember01:~# net -S dtmember01 rpc rights list account -UadministratorEnter administrator's password: Could not connect to server dtmember01 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts -Uadministrator Enter administrator's password: BUILTINPrint Operators No privileges assigned BUILTINAccount Operators No privileges assigned BUILTINBackup Operators No privileges assigned BUILTINServer Operators No privileges assigned BUILTINAdministrators SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege <<<<<<<<<<<< hum-m-m SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege Everyone No privileges assigned root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins' SeDiskOperatorPrivilege -Uadministrator Enter administrator's password: Failed to grant privileges for DTDC01Domain Admins (NT_STATUS_ACCESS_DENIED) I tried to sort out the issues Louis was experiencing in his pam setup and realized that I had run his script against Debian 7.7.0 (newer than that available in February) and wondered if Debian (this version) pam files is the cause of the issue I am experiencing. Decided to post here and see what anyone thinks? Louis, are you there? -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!" Links: ------ [1] http://www.donelsontrophy.com
On 09/01/15 13:04, Bob of Donelson Trophy wrote:> > > I have been having issues with my W7 client "access is denied" to > changing the security (user permissions) settings and have been posting > regarding that issue yesterday. > > I have discovered that my "ads join member server" is not completely > joined (I think.) > > I discovered a post from February 2014, by Louis "[Samba] member joined, > but . . ." and ran some of his command line test strings and received > similar results. Did some checking before moving forward: > > root at dtmember01:~# net ads testjoin > Join is OK <<<<<<<<<<<< OK? Can't change permissions! > root at dtmember01:~# net rpc rights list > Enter root's password: > Could not connect to server 127.0.0.1 <<<<<< why localhost?Hi, you can stop panicking :-) You are getting 'localhost' because you are running the command on, well, localhost :-D Try adding '-I address of target server' to the command. Rowland> The username or password was not correct. > Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look > root at dtmember01:~# cat /etc/hosts > 127.0.0.1 localhost > 192.168.16.55 dtmember01.dtshrm.lan dtmember01 > > # The following lines are desirable for IPv6 capable hosts > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > root at dtmember01:~# cat /etc/network/interfaces > # This file describes the network interfaces available on your system > # and how to activate them. For more information, see interfaces(5). > > # The loopback network interface > auto lo > iface lo inet loopback > > # The primary network interface > allow-hotplug eth0 > iface eth0 inet static > address 192.168.16.55 > netmask 255.255.255.0 > network 192.168.16.0 > broadcast 192.168.16.255 > gateway 192.168.16.106 > # dns-* options are implemented by the resolvconf package, if installed > dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct > setting here > dns-search dtshrm.lan > > Do I have anything set incorrectly? > > Then I ran these test string that were listed in the "member joined, but > . . ." thread. > > root at dtmember01:~# net rpc rights list accounts -UadministratorEnter > administrator's password: > Could not connect to server 127.0.0.1 > The username or password was not correct. > Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!! > root at dtmember01:~# net -S dtmember01 rpc rights list account > -UadministratorEnter administrator's password: > Could not connect to server dtmember01 > The username or password was not correct. > Connection failed: NT_STATUS_LOGON_FAILURE > > root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts > -Uadministrator > Enter administrator's password: > BUILTINPrint Operators > No privileges assigned > > BUILTINAccount Operators > No privileges assigned > > BUILTINBackup Operators > No privileges assigned > > BUILTINServer Operators > No privileges assigned > > BUILTINAdministrators > SeMachineAccountPrivilege > SeTakeOwnershipPrivilege > SeBackupPrivilege > SeRestorePrivilege > SeRemoteShutdownPrivilege > SePrintOperatorPrivilege > SeAddUsersPrivilege > SeDiskOperatorPrivilege <<<<<<<<<<<< hum-m-m > SeSecurityPrivilege > SeSystemtimePrivilege > SeShutdownPrivilege > SeDebugPrivilege > SeSystemEnvironmentPrivilege > SeSystemProfilePrivilege > SeProfileSingleProcessPrivilege > SeIncreaseBasePriorityPrivilege > SeLoadDriverPrivilege > SeCreatePagefilePrivilege > SeIncreaseQuotaPrivilege > SeChangeNotifyPrivilege > SeUndockPrivilege > SeManageVolumePrivilege > SeImpersonatePrivilege > SeCreateGlobalPrivilege > SeEnableDelegationPrivilege > > Everyone > No privileges assigned > > root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins' > SeDiskOperatorPrivilege -Uadministrator > Enter administrator's password: > Failed to grant privileges for DTDC01Domain Admins > (NT_STATUS_ACCESS_DENIED) > > I tried to sort out the issues Louis was experiencing in his pam setup > and realized that I had run his script against Debian 7.7.0 (newer than > that available in February) and wondered if Debian (this version) pam > files is the cause of the issue I am experiencing. > > Decided to post here and see what anyone thinks? Louis, are you there?
Hai, Not entiraly correct.. change :>dns-nameservers 208.67.222.222 <<<<<< have always struggledto dns-search dtshrm.lan dns-nameservers IP_OF_AD_DC and use : net rpc rights grant "YOUR_DOMAINNAME\Domain Admins" SeDiskOperatorPrivilege -UAdministrator -S NAME_OF_MEMBERSERVER Hope this helps you on the way, im out of the office now, going on ski holiday. Back in 9 days. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: bob at donelsontrophy.net >[mailto:samba-bounces at lists.samba.org] Namens Bob of Donelson Trophy >Verzonden: vrijdag 9 januari 2015 14:04 >Aan: SAMBA MailList >Onderwerp: [Samba] getting NT_STATUS_LOGON_FAILURE > > > >I have been having issues with my W7 client "access is denied" to >changing the security (user permissions) settings and have been posting >regarding that issue yesterday. > >I have discovered that my "ads join member server" is not completely >joined (I think.) > >I discovered a post from February 2014, by Louis "[Samba] >member joined, >but . . ." and ran some of his command line test strings and received >similar results. Did some checking before moving forward: > >root at dtmember01:~# net ads testjoin >Join is OK <<<<<<<<<<<< OK? Can't change permissions! >root at dtmember01:~# net rpc rights list >Enter root's password: >Could not connect to server 127.0.0.1 <<<<<< why localhost? >The username or password was not correct. >Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look >root at dtmember01:~# cat /etc/hosts >127.0.0.1 localhost >192.168.16.55 dtmember01.dtshrm.lan dtmember01 > ># The following lines are desirable for IPv6 capable hosts >::1 localhost ip6-localhost ip6-loopback >ff02::1 ip6-allnodes >ff02::2 ip6-allrouters >root at dtmember01:~# cat /etc/network/interfaces ># This file describes the network interfaces available on your system ># and how to activate them. For more information, see interfaces(5). > ># The loopback network interface >auto lo >iface lo inet loopback > ># The primary network interface >allow-hotplug eth0 >iface eth0 inet static >address 192.168.16.55 >netmask 255.255.255.0 >network 192.168.16.0 >broadcast 192.168.16.255 >gateway 192.168.16.106 ># dns-* options are implemented by the resolvconf package, if installed >dns-nameservers 208.67.222.222 <<<<<< have always struggled >with correct >setting here >dns-search dtshrm.lan > >Do I have anything set incorrectly? > >Then I ran these test string that were listed in the "member >joined, but >. . ." thread. > >root at dtmember01:~# net rpc rights list accounts -UadministratorEnter >administrator's password: >Could not connect to server 127.0.0.1 >The username or password was not correct. >Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!! >root at dtmember01:~# net -S dtmember01 rpc rights list account >-UadministratorEnter administrator's password: >Could not connect to server dtmember01 >The username or password was not correct. >Connection failed: NT_STATUS_LOGON_FAILURE > >root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights >list accounts >-Uadministrator >Enter administrator's password: >BUILTINPrint Operators >No privileges assigned > >BUILTINAccount Operators >No privileges assigned > >BUILTINBackup Operators >No privileges assigned > >BUILTINServer Operators >No privileges assigned > >BUILTINAdministrators >SeMachineAccountPrivilege >SeTakeOwnershipPrivilege >SeBackupPrivilege >SeRestorePrivilege >SeRemoteShutdownPrivilege >SePrintOperatorPrivilege >SeAddUsersPrivilege >SeDiskOperatorPrivilege <<<<<<<<<<<< hum-m-m >SeSecurityPrivilege >SeSystemtimePrivilege >SeShutdownPrivilege >SeDebugPrivilege >SeSystemEnvironmentPrivilege >SeSystemProfilePrivilege >SeProfileSingleProcessPrivilege >SeIncreaseBasePriorityPrivilege >SeLoadDriverPrivilege >SeCreatePagefilePrivilege >SeIncreaseQuotaPrivilege >SeChangeNotifyPrivilege >SeUndockPrivilege >SeManageVolumePrivilege >SeImpersonatePrivilege >SeCreateGlobalPrivilege >SeEnableDelegationPrivilege > >Everyone >No privileges assigned > >root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins' >SeDiskOperatorPrivilege -Uadministrator >Enter administrator's password: >Failed to grant privileges for DTDC01Domain Admins >(NT_STATUS_ACCESS_DENIED) > >I tried to sort out the issues Louis was experiencing in his pam setup >and realized that I had run his script against Debian 7.7.0 (newer than >that available in February) and wondered if Debian (this version) pam >files is the cause of the issue I am experiencing. > >Decided to post here and see what anyone thinks? Louis, are you there? >-- >------------------------- > >Bob Wooden of Donelson Trophy > >615.885.2846 (main) >www.donelsontrophy.com [1] > >"Everyone deserves an award!!" > > >Links: >------ >[1] http://www.donelsontrophy.com >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > >
Now, more appropriately answering after the message. SEE BELOW, please. On 2015-01-09 07:24, L.P.H. van Belle wrote:> Hai, > > Not entiraly correct.. > > change : > >> dns-nameservers 208.67.222.222 <<<<<< have always struggled > > to > dns-search dtshrm.lan > dns-nameservers IP_OF_AD_DC > > and use : > net rpc rights grant "YOUR_DOMAINNAMEDomain Admins" SeDiskOperatorPrivilege -UAdministrator -S NAME_OF_MEMBERSERVER > > Hope this helps you on the way, im out of the office now, going on ski holiday. > Back in 9 days. > > Greetz, > > Louis > >> -----Oorspronkelijk bericht----- Van: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] Namens Bob of Donelson Trophy Verzonden: vrijdag 9 januari 2015 14:04 Aan: SAMBA MailList Onderwerp: [Samba] getting NT_STATUS_LOGON_FAILURE I have been having issues with my W7 client "access is denied" to changing the security (user permissions) settings and have been posting regarding that issue yesterday. I have discovered that my "ads join member server" is not completely joined (I think.) I discovered a post from February 2014, by Louis "[Samba] member joined, but . . ." and ran some of his command line test strings and received similar results. Did some checking before moving forward: root at dtmember01:~# net ads testjoin Join is OK <<<<<<<<<<<< OK? Can't change permissions! root at dtmember01:~# net rpc rights list Enter root's password: Could not connect to server 127.0.0.1 <<<<<< why localhost? The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look root at dtmember01:~# cat /etc/hosts 127.0.0.1 localhost 192.168.16.55 dtmember01.dtshrm.lan dtmember01 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters root at dtmember01:~# cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface allow-hotplug eth0 iface eth0 inet static address 192.168.16.55 netmask 255.255.255.0 network 192.168.16.0 broadcast 192.168.16.255 gateway 192.168.16.106 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct setting here dns-search dtshrm.lan Do I have anything set incorrectly? Then I ran these test string that were listed in the "member joined, but . . ." thread. root at dtmember01:~# net rpc rights list accounts -UadministratorEnter administrator's password: Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!! root at dtmember01:~# net -S dtmember01 rpc rights list account -UadministratorEnter administrator's password: Could not connect to server dtmember01 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts -Uadministrator Enter administrator's password: BUILTINPrint Operators No privileges assigned BUILTINAccount Operators No privileges assigned BUILTINBackup Operators No privileges assigned BUILTINServer Operators No privileges assigned BUILTINAdministrators SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege <<<<<<<< <<<< hum-m-m SeSecurityPrivilege SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege Everyone No privileges assigned root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins' SeDiskOperatorPrivilege -Uadministrator Enter administrator's password: Failed to grant privileges for DTDC01Domain Admins (NT_STATUS_ACCESS_DENIED) I tried to sort out the issues Louis was experiencing in his pam setup and realized that I had run his script against Debian 7.7.0 (newer than that available in February) and wondered if Debian (this version) pam files is the cause of the issue I am experiencing. Decided to post here and see what anyone thinks? Louis, are you there? -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] "Everyone deserves an award!!" Links: ------ [1] http://www.donelsontrophy.com [1] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [2] Rowland, As you can see Louis is on a holiday. (Enjoy the snow, Louis.) I changed per his suggestions and have discovered that my lone W7 client does not have internet access? Should the W7 client use the MEMBER server ip address for it's "Preferred DNS server" or the address of my DC? -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] "Everyone deserves an award!!" Links: ------ [1] http://www.donelsontrophy.com [2] https://lists.samba.org/mailman/options/samba