Now, more appropriately answering after the message. SEE BELOW, please.

On 2015-01-09 07:24, L.P.H. van Belle wrote:

> Hi,
>
> Not entirely correct..
>
> change :
>
>> dns-nameservers 208.67.222.222 <<<<<< have always struggled
>
> to
>     dns-search dtshrm.lan
>     dns-nameservers IP_OF_AD_DC
>
> and use :
>     net rpc rights grant "YOUR_DOMAINNAME\Domain Admins" SeDiskOperatorPrivilege -UAdministrator -S NAME_OF_MEMBERSERVER
>
> Hope this helps you on the way, I'm out of the office now, going on ski holiday.
> Back in 9 days.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>> Sent: Friday 9 January 2015 14:04
>> To: SAMBA MailList
>> Subject: [Samba] getting NT_STATUS_LOGON_FAILURE
>>
>> I have been having issues with my W7 client "access is denied" to
>> changing the security (user permissions) settings and have been
>> posting regarding that issue yesterday.
>>
>> I have discovered that my "ads join member server" is not completely
>> joined (I think.)
>>
>> I discovered a post from February 2014, by Louis "[Samba] member
>> joined, but . . ." and ran some of his command line test strings and
>> received similar results.
>>
>> Did some checking before moving forward:
>>
>> root@dtmember01:~# net ads testjoin
>> Join is OK <<<<<<<<<<<< OK? Can't change permissions!
>>
>> root@dtmember01:~# net rpc rights list
>> Enter root's password:
>> Could not connect to server 127.0.0.1 <<<<<< why localhost?
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look
>>
>> root@dtmember01:~# cat /etc/hosts
>> 127.0.0.1       localhost
>> 192.168.16.55   dtmember01.dtshrm.lan   dtmember01
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> root@dtmember01:~# cat /etc/network/interfaces
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> # The primary network interface
>> allow-hotplug eth0
>> iface eth0 inet static
>>     address 192.168.16.55
>>     netmask 255.255.255.0
>>     network 192.168.16.0
>>     broadcast 192.168.16.255
>>     gateway 192.168.16.106
>>     # dns-* options are implemented by the resolvconf package, if installed
>>     dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct setting here
>>     dns-search dtshrm.lan
>>
>> Do I have anything set incorrectly?
>>
>> Then I ran these test strings that were listed in the "member joined,
>> but . . ." thread.
>>
>> root@dtmember01:~# net rpc rights list accounts -Uadministrator
>> Enter administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!!
>>
>> root@dtmember01:~# net -S dtmember01 rpc rights list account -Uadministrator
>> Enter administrator's password:
>> Could not connect to server dtmember01
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> root@dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts -Uadministrator
>> Enter administrator's password:
>> BUILTIN\Print Operators
>> No privileges assigned
>>
>> BUILTIN\Account Operators
>> No privileges assigned
>>
>> BUILTIN\Backup Operators
>> No privileges assigned
>>
>> BUILTIN\Server Operators
>> No privileges assigned
>>
>> BUILTIN\Administrators
>> SeMachineAccountPrivilege
>> SeTakeOwnershipPrivilege
>> SeBackupPrivilege
>> SeRestorePrivilege
>> SeRemoteShutdownPrivilege
>> SePrintOperatorPrivilege
>> SeAddUsersPrivilege
>> SeDiskOperatorPrivilege <<<<<<<< <<<< hum-m-m
>> SeSecurityPrivilege
>> SeSystemtimePrivilege
>> SeShutdownPrivilege
>> SeDebugPrivilege
>> SeSystemEnvironmentPrivilege
>> SeSystemProfilePrivilege
>> SeProfileSingleProcessPrivilege
>> SeIncreaseBasePriorityPrivilege
>> SeLoadDriverPrivilege
>> SeCreatePagefilePrivilege
>> SeIncreaseQuotaPrivilege
>> SeChangeNotifyPrivilege
>> SeUndockPrivilege
>> SeManageVolumePrivilege
>> SeImpersonatePrivilege
>> SeCreateGlobalPrivilege
>> SeEnableDelegationPrivilege
>>
>> Everyone
>> No privileges assigned
>>
>> root@dtmember01:~# net rpc rights grant 'DTDC01\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>> Enter administrator's password:
>> Failed to grant privileges for DTDC01\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>
>> I tried to sort out the issues Louis was experiencing in his pam
>> setup and realized that I had run his script against Debian 7.7.0
>> (newer than that available in February) and wondered if Debian (this
>> version) pam files are the cause of the issue I am experiencing.
>>
>> Decided to post here and see what anyone thinks? Louis, are you there?
>>
>> --
>> -------------------------
>> Bob Wooden of Donelson Trophy
>> 615.885.2846 (main)
>> www.donelsontrophy.com
>> "Everyone deserves an award!!"
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

Rowland,

As you can see Louis is on a holiday. (Enjoy the snow, Louis.)

I changed per his suggestions and have discovered that my lone W7 client does not have internet access?

Should the W7 client use the MEMBER server ip address for its "Preferred DNS server" or the address of my DC?

--
Bob Wooden of Donelson Trophy

On 09/01/15 14:34, Bob of Donelson Trophy wrote:

> Rowland,
>
> As you can see Louis is on a holiday. (Enjoy the snow, Louis.)

Yes, I noticed he was going downhill leg-breaking :-D

> I changed per his suggestions and have discovered that my lone W7 client
> does not have internet access?
>
> Should the W7 client use the MEMBER server ip address for its
> "Preferred DNS server" or the address of my DC?

You need to point your clients at the DC, this is running a DNS server which should know about ALL machines in AD.

I don't know if you noticed, but somebody else is having similar problems, can you check if you have a file 'libnss_winbind.so.2'

Rowland

On 2015-01-09 08:44, Rowland Penny wrote:

> On 09/01/15 14:34, Bob of Donelson Trophy wrote:
>
>> Rowland,
>>
>> As you can see Louis is on a holiday. (Enjoy the snow, Louis.)
>
> Yes, I noticed he was going downhill leg-breaking :-D
>
>> I changed per his suggestions and have discovered that my lone W7
>> client does not have internet access?
>>
>> Should the W7 client use the MEMBER server ip address for its
>> "Preferred DNS server" or the address of my DC?
>
> You need to point your clients at the DC, this is running a DNS server
> which should know about ALL machines in AD.
>
> I don't know if you noticed, but somebody else is having similar
> problems, can you check if you have a file 'libnss_winbind.so.2'
>
> Rowland

W7 client "Preferred DNS server" is set to my DC.

My DC looks like this:

root@dtdc01:~# cat /etc/resolv.conf
search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54

root@dtdc01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 192.168.16.54
    netmask 255.255.255.0
    network 192.168.16.0
    broadcast 192.168.16.255
    gateway 192.168.16.106
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 208.67.222.222
    dns-search dtshrm.local

root@dtdc01:~# cat /etc/hosts
127.0.0.1       localhost
192.168.16.54   dtdc01.dtshrm.lan   dtdc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Should the /etc/resolv.conf be resolving to itself?

(I chuckled at your "panic" comment. lol) Fix this first, checking for 'libnss_winbind.so.2' is next on my list for this morning.

--
Bob Wooden of Donelson Trophy
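
Added example, not part of the thread and not Samba project code: a shell check for the member-server DNS change suggested in the replies above (dns-nameservers pointing at the AD DC), plus a comparison of dns-search with the domain of the host's FQDN in /etc/hosts. The function names, the sample files and the rule that dns-search should equal the host's domain are assumptions of this example; the addresses and host names are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a Debian AD member's DNS settings.
# check_ad_dns IFACES HOSTS SHORTNAME DC_IP
# Prints one finding per line; no output means the settings agree.
check_ad_dns() {
    ifaces=$1; hosts=$2; host=$3; dc_ip=$4

    # Every address listed on the dns-nameservers line must be the DC.
    ns_list=$(awk '$1 == "dns-nameservers" {
                       for (i = 2; i <= NF; i++) print $i }' "$ifaces")
    [ -n "$ns_list" ] || echo "no dns-nameservers line in $ifaces"
    for ns in $ns_list; do
        [ "$ns" = "$dc_ip" ] || echo "nameserver $ns is not the AD DC ($dc_ip)"
    done

    # DNS domain of this host, taken from the FQDN on its /etc/hosts line.
    fqdn=$(awk -v h="$host" '$1 !~ /^#/ {
               for (i = 3; i <= NF; i++) if ($i == h) { print $2; exit } }' "$hosts")
    domain=${fqdn#*.}

    # Assumption of this example: dns-search should equal that domain.
    search=$(awk '$1 == "dns-search" { print $2; exit }' "$ifaces")
    if [ -z "$fqdn" ]; then
        echo "no FQDN for $host in $hosts"
    elif [ "$search" != "$domain" ]; then
        echo "dns-search '$search' does not match host domain '$domain'"
    fi
}

# Constructed sample files, built from the addresses and names in the thread.
write_samples() {
    dir=$1
    printf '%s\n' '127.0.0.1 localhost' \
        '192.168.16.55 dtmember01.dtshrm.lan dtmember01' > "$dir/hosts"
    printf '%s\n' 'iface eth0 inet static' ' address 192.168.16.55' \
        ' dns-nameservers 208.67.222.222' ' dns-search dtshrm.lan' > "$dir/before"
    printf '%s\n' 'iface eth0 inet static' ' address 192.168.16.55' \
        ' dns-nameservers 192.168.16.54' ' dns-search dtshrm.lan' > "$dir/after"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before:"; check_ad_dns "$tmp/before" "$tmp/hosts" dtmember01 192.168.16.54
echo "after:";  check_ad_dns "$tmp/after"  "$tmp/hosts" dtmember01 192.168.16.54
rm -rf "$tmp"
```

On a real host the call would be check_ad_dns /etc/network/interfaces /etc/hosts "$(hostname -s)" followed by the DC's address.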