On 2015-01-09 08:44, Rowland Penny wrote:
> On 09/01/15 14:34, Bob of Donelson Trophy wrote:
>> Now, more appropriately answering after the message. SEE BELOW, please.
>>
>> On 2015-01-09 07:24, L.P.H. van Belle wrote:
>>> Hi,
>>>
>>> Not entirely correct.. change:
>>>
>>>     dns-nameservers 208.67.222.222   <<<<<< have always struggled with correct setting here
>>>     dns-search dtshrm.lan
>>>
>>> to:
>>>
>>>     dns-nameservers IP_OF_AD_DC
>>>
>>> and use:
>>>
>>>     net rpc rights grant "YOUR_DOMAINNAME\Domain Admins" SeDiskOperatorPrivilege -UAdministrator -S NAME_OF_MEMBERSERVER
>>>
>>> Hope this helps you on the way, I'm out of the office now, going on ski holiday. Back in 9 days.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>> -----Original Message-----
>>> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On Behalf Of Bob of Donelson Trophy
>>> Sent: Friday 9 January 2015 14:04
>>> To: SAMBA MailList
>>> Subject: [Samba] getting NT_STATUS_LOGON_FAILURE
>>>
>>> I have been having issues with my W7 client "access is denied" to changing the security (user permissions) settings and have been posting regarding that issue yesterday.
>>>
>>> I have discovered that my "ads join member server" is not completely joined (I think.)
>>>
>>> I discovered a post from February 2014, by Louis "[Samba] member joined, but . . ." and ran some of his command line test strings and received similar results.
>>>
>>> Did some checking before moving forward:
>>>
>>> root@dtmember01:~# net ads testjoin
>>> Join is OK                                   <<<<<<<<<<<< OK? Can't change permissions!
>>>
>>> root@dtmember01:~# net rpc rights list
>>> Enter root's password:
>>> Could not connect to server 127.0.0.1        <<<<<< why localhost?
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE   <<<<<<< look
>>>
>>> root@dtmember01:~# cat /etc/hosts
>>> 127.0.0.1       localhost
>>> 192.168.16.55   dtmember01.dtshrm.lan dtmember01
>>>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> root@dtmember01:~# cat /etc/network/interfaces
>>> # This file describes the network interfaces available on your system
>>> # and how to activate them. For more information, see interfaces(5).
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> allow-hotplug eth0
>>> iface eth0 inet static
>>>         address 192.168.16.55
>>>         netmask 255.255.255.0
>>>         network 192.168.16.0
>>>         broadcast 192.168.16.255
>>>         gateway 192.168.16.106
>>>         # dns-* options are implemented by the resolvconf package, if installed
>>>         dns-nameservers 208.67.222.222   <<<<<< have always struggled with correct setting here
>>>         dns-search dtshrm.lan
>>>
>>> Do I have anything set incorrectly?
>>>
>>> Then I ran these test strings that were listed in the "member joined, but . . ." thread.
>>>
>>> root@dtmember01:~# net rpc rights list accounts -Uadministrator
>>> Enter administrator's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE   <<<<< hum-m-m-m!!
>>>
>>> root@dtmember01:~# net -S dtmember01 rpc rights list account -Uadministrator
>>> Enter administrator's password:
>>> Could not connect to server dtmember01
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> root@dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts -Uadministrator
>>> Enter administrator's password:
>>> BUILTIN\Print Operators
>>> No privileges assigned
>>>
>>> BUILTIN\Account Operators
>>> No privileges assigned
>>>
>>> BUILTIN\Backup Operators
>>> No privileges assigned
>>>
>>> BUILTIN\Server Operators
>>> No privileges assigned
>>>
>>> BUILTIN\Administrators
>>> SeMachineAccountPrivilege
>>> SeTakeOwnershipPrivilege
>>> SeBackupPrivilege
>>> SeRestorePrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege   <<<<<< hum-m-m
>>> SeSecurityPrivilege
>>> SeSystemtimePrivilege
>>> SeShutdownPrivilege
>>> SeDebugPrivilege
>>> SeSystemEnvironmentPrivilege
>>> SeSystemProfilePrivilege
>>> SeProfileSingleProcessPrivilege
>>> SeIncreaseBasePriorityPrivilege
>>> SeLoadDriverPrivilege
>>> SeCreatePagefilePrivilege
>>> SeIncreaseQuotaPrivilege
>>> SeChangeNotifyPrivilege
>>> SeUndockPrivilege
>>> SeManageVolumePrivilege
>>> SeImpersonatePrivilege
>>> SeCreateGlobalPrivilege
>>> SeEnableDelegationPrivilege
>>>
>>> Everyone
>>> No privileges assigned
>>>
>>> root@dtmember01:~# net rpc rights grant 'DTDC01\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>> Enter administrator's password:
>>> Failed to grant privileges for DTDC01\Domain Admins (NT_STATUS_ACCESS_DENIED)
>>>
>>> I tried to sort out the issues Louis was experiencing in his pam setup and realized that I had run his script against Debian 7.7.0 (newer than that available in February) and wondered if Debian (this version) pam files is the cause of the issue I am experiencing.
>>>
>>> Decided to post here and see what anyone thinks?
>>>
>>> Louis, are you there?
>>>
>>> --
>>> -------------------------
>>> Bob Wooden of Donelson Trophy
>>> 615.885.2846 (main)
>>> http://www.donelsontrophy.com
>>> "Everyone deserves an award!!"
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>> Rowland,
>>
>> As you can see Louis is on a holiday. (Enjoy the snow, Louis.)
>
> Yes, I noticed he was going downhill leg-breaking :-D
>
>> I changed per his suggestions and have discovered that my lone W7 client does not have internet access? Should the W7 client use the MEMBER server ip address for its "Preferred DNS server" or the address of my DC?
>
> You need to point your clients at the DC, this is running a DNS server which should know about ALL machines in AD.
>
> I don't know if you noticed, but somebody else is having similar problems, can you check if you have a file 'libnss_winbind.so.2'
>
> Rowland

W7 client "Preferred DNS server" is set to my DC.

My DC looks like this:

root@dtdc01:~# cat /etc/resolv.conf
search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54

root@dtdc01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 192.168.16.54
        netmask 255.255.255.0
        network 192.168.16.0
        broadcast 192.168.16.255
        gateway 192.168.16.106
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 208.67.222.222
        dns-search dtshrm.local

root@dtdc01:~# cat /etc/hosts
127.0.0.1       localhost
192.168.16.54   dtdc01.dtshrm.lan dtdc01

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Should the /etc/resolv.conf be resolving to itself? (I chuckled at your "panic" comment. lol)

Fix this first, checking for 'libnss_winbind.so.2' is next on my list for this morning.
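An added example (not code from the thread or from Samba) that wraps the two `net rpc rights` steps discussed above and adds an offline check on the listing output. The message above shows that `net rpc rights list` without `-S` tries 127.0.0.1 and fails with NT_STATUS_LOGON_FAILURE, while the member server's FQDN works, so the wrapper always passes `-S` with the FQDN. The function names, the `--grant` switch and the sample listing are assumptions; the listing is constructed from the output posted above, shortened to a few privileges.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the 'net' binary from Samba is
# installed and that the host is already joined to the domain.

# Grant SeDiskOperatorPrivilege to "DOMAIN\Domain Admins" on a member server.
# $1 = NetBIOS domain name (e.g. DTDC01), $2 = member server FQDN
# (e.g. dtmember01.dtshrm.lan). -S with the FQDN matters: without it, 'net'
# in the thread tried 127.0.0.1 and got NT_STATUS_LOGON_FAILURE.
grant_disk_operator() {
    domain="$1"; fqdn="$2"
    net rpc rights grant "${domain}\\Domain Admins" SeDiskOperatorPrivilege \
        -U Administrator -S "$fqdn"
}

# Print the privilege listing of a member server (prompts for the password).
rights_list_accounts() {
    net -S "$1" rpc rights list accounts -U Administrator
}

# Return 0 if account $1 holds privilege $2 in 'net rpc rights list accounts'
# output read from stdin. That output is blank-line separated blocks: the
# first line is the account, the following lines are its privileges (or the
# text "No privileges assigned"). awk paragraph mode (RS="") yields one
# record per block. The account is passed through the environment rather
# than -v because -v would interpret the backslash in "DOMAIN\Group".
account_has_privilege() {
    ACCT="$1" PRIV="$2" awk '
        BEGIN { RS = ""; FS = "\n"; rc = 1 }
        $1 == ENVIRON["ACCT"] {
            for (i = 2; i <= NF; i++) if ($i == ENVIRON["PRIV"]) rc = 0
        }
        END { exit rc }'
}

# Constructed sample, shortened from the listing posted in the thread:
# Administrators already hold SeDiskOperatorPrivilege, nobody else does.
SAMPLE_LISTING=$(cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

Everyone
No privileges assigned
EOF
)

# Offline self-check of the parser against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | account_has_privilege "$1" "$2"
}

# Real use, e.g.:  sh rights.sh --grant DTDC01 dtmember01.dtshrm.lan
# then verify:     rights_list_accounts dtmember01.dtshrm.lan | \
#                      account_has_privilege 'DTDC01\Domain Admins' SeDiskOperatorPrivilege
if [ "${1:-}" = "--grant" ] && [ $# -eq 3 ]; then
    grant_disk_operator "$2" "$3"
fi
```

Granting a privilege needs an account that already holds SeSecurityPrivilege on that member server, which is why the thread's attempt as a plain domain administrator without a working connection ended in NT_STATUS_ACCESS_DENIED; verifying with the listing afterwards is the cheap way to confirm the grant actually landed.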
On 09/01/15 15:00, Bob of Donelson Trophy wrote:
> W7 client "Preferred DNS server" is set to my DC.
>
> My DC looks like this:
>
> root@dtdc01:~# cat /etc/resolv.conf
> search dtshrm.local
> domain dtshrm.local
> nameserver 192.168.16.54
>
> [...]
>
> Should the /etc/resolv.conf be resolving to itself? (I chuckled at your "panic" comment. lol)
>
> Fix this first, checking for 'libnss_winbind.so.2' is next on my list for this morning.

Firstly, what email client are you using? It appears to be doing weird things :-)

Don't bother about libnss_winbind.so.2, you have it, what you don't have is the pam config file that automatically sets pam.

This is my /etc/resolv.conf from my DC:

nameserver 127.0.0.1
search example.lan

It needs to point to itself and you do not need the domain line. domain & search are mutually exclusive and the last one wins.

This is my /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

I also turn off NetworkManager and stop it from starting at boot.

When you installed your member server via Louis's script, did you alter this line:

ENABLEPAMAUTH=0

Rowland
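An added example, not from the thread, that turns the DNS rules in the exchange above into checks: on the DC, resolv.conf must point at itself; on a member server, at the DC; `domain` and `search` are mutually exclusive and the last one present wins; and a `dns-nameservers` line in /etc/network/interfaces is what resolvconf will write into resolv.conf, so an external resolver there (208.67.222.222 in the thread) ends up in front of the DC. Each function reads the file text from stdin so it can run against constructed content; the role names `dc`/`member`, the function names and the sample files are assumptions, with the samples modelled on what Bob posted.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for AD DNS client
# settings; pipe in /etc/resolv.conf or /etc/network/interfaces on a real host.

# Print the effective search list from a resolv.conf on stdin. 'domain' and
# 'search' are mutually exclusive: whichever comes last is the one in effect
# (resolv.conf(5)), so a file with both is misleading at best.
resolv_search() {
    awk '$1 == "domain" || $1 == "search" {
             s = ""; for (i = 2; i <= NF; i++) s = s (i > 2 ? " " : "") $i
         }
         END { print s }'
}

# Print the first nameserver from a resolv.conf on stdin. The resolver asks
# this one first, so it is the one that must be the AD DNS server.
resolv_first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Print the servers a 'dns-nameservers' line in /etc/network/interfaces
# (stdin) hands to resolvconf; these become the nameserver lines above.
interfaces_dns_nameservers() {
    awk '$1 == "dns-nameservers" { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 if the resolv.conf on stdin is right for an AD host.
# $1 = role: "dc" (must point at itself: 127.0.0.1 or its own IP, $3)
#            or "member" (must point at the DC, $2)
audit_resolv() {
    role="$1"; dc_ip="$2"; own_ip="$3"
    text=$(cat)
    ns=$(printf '%s\n' "$text" | resolv_first_nameserver)
    case "$role" in
        dc)     [ "$ns" = "127.0.0.1" ] || [ "$ns" = "$own_ip" ] ;;
        member) [ "$ns" = "$dc_ip" ] ;;
        *)      return 2 ;;
    esac
}

# Constructed samples, modelled on the thread.
# The DC's resolv.conf as posted: both 'search' and 'domain', pointing at
# its own address (acceptable; 127.0.0.1 is what Rowland uses).
DC_RESOLV='search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54'

# What resolvconf generates on the member server from the posted
# 'dns-nameservers 208.67.222.222' line: AD SRV lookups go to an external
# resolver that knows nothing about dtshrm.lan.
MEMBER_RESOLV_BAD='nameserver 208.67.222.222
search dtshrm.lan'

# Hypothetical conflict: 'search' comes last, so it is what takes effect.
CONFLICT_RESOLV='domain dtshrm.local
search dtshrm.lan corp.example'

# Stand-alone use on a real host, e.g.:
#   sh dnscheck.sh member 192.168.16.54 192.168.16.55
if [ $# -eq 3 ]; then
    if audit_resolv "$1" "$2" "$3" < /etc/resolv.conf; then
        echo "resolv.conf OK for role $1"
    else
        echo "resolv.conf does NOT point at the AD DNS for role $1" >&2
    fi
    echo "effective search: $(resolv_search < /etc/resolv.conf)"
fi
```

The member-server fix Louis gave (`dns-nameservers IP_OF_AD_DC`) is what makes `audit_resolv member` pass; the DC passes either with its own address or with 127.0.0.1, and the `domain` line Rowland says to drop is redundant rather than harmful only because it names the same domain as `search`.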
On 2015-01-09 10:23, Rowland Penny wrote:
> On 09/01/15 15:47, Bob of Donelson Trophy wrote:
>> On 2015-01-09 09:27, Rowland Penny wrote:
>>> Firstly, what email client are you using? It appears to be doing weird things :-)
>>
>> Email client - Louis' email came back looking weird. Don't know about that.
>>
>>> I also turn off NetworkManager and stop it from starting at boot.
>>
>> How do I "turn off NetworkManager" in Debian? (I didn't think it was on a server non-gui install?)
>
> Ah, didn't know that, you do not have it running.
>
>>> When you installed your member server via Louis's script, did you alter this line:
>>>
>>> ENABLEPAMAUTH=0
>>
>> And I have not altered any PAM lines so I have not changed ENABLEPAMAUTH=0 however, where is it so I can go check it?
>
> It is in Louis's script, line 100 and if you change it to 1 it runs a block of code starting at line 349, this modifies /etc/pam.d/samba.
>
> This is not what happens if you install libnss-winbind & libpam-winbind with the debian samba4 packages, unfortunately you cannot install these with the sernet packages, but most of the contents of those two packages are in sernet-samba-libs, except for the pam config file:
>
> /usr/share/pam-configs/winbind
>
>     Name: Winbind NT/Active Directory authentication
>     Default: yes
>     Priority: 192
>     Auth-Type: Primary
>     Auth:
>         [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>     Auth-Initial:
>         [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
>     Account-Type: Primary
>     Account:
>         [success=end new_authtok_reqd=done default=ignore]    pam_winbind.so
>     Password-Type: Primary
>     Password:
>         [success=end default=ignore]    pam_winbind.so use_authtok try_first_pass
>     Password-Initial:
>         [success=end default=ignore]    pam_winbind.so
>     Session-Type: Additional
>     Session:
>         optional    pam_winbind.so
>
> You may have to run 'pam-auth-update' and select winbind.
>
> Rowland

Okay, I have resolved my (stupid Windows) "No internet access" issue on my lone W7 client.

Moving forward with resolving my "getting NT_STATUS_LOGON_FAILURE" issue.

I went to my (modified for me) script and I had "ENABLEPAMAUTH=0" and "ENABLEPAMSSH=0". Maybe I should simply restore my member server with 'pre-script backup' and re-run the script with these two options enabled (set to 1)?

Should I enable both or just the "ENABLEAUTH"?

Or can we (with your help, I hope) correct this issue?
On 09/01/15 17:26, Bob of Donelson Trophy wrote:
> Okay, I have resolved my (stupid Windows) "No internet access" issue on my lone W7 client.
>
> Moving forward with resolving my "getting NT_STATUS_LOGON_FAILURE" issue.
>
> I went to my (modified for me) script and I had "ENABLEPAMAUTH=0" and "ENABLEPAMSSH=0". Maybe I should simply restore my member server with 'pre-script backup' and re-run the script with these two options enabled (set to 1)?
>
> Should I enable both or just the "ENABLEAUTH"?
>
> Or can we (with your help, I hope) correct this issue?

As you have a backup, try creating the pam-config script I posted and then run 'pam-auth-update --package', this should get you the same pam setup as my member server.

Rowland