samba - Jan 2015 - getting NT_STATUS_LOGON_FAILURE

On 09/01/15 17:26, Bob of Donelson Trophy wrote:
>   
>
> On 2015-01-09 10:23, Rowland Penny wrote:
>
>> On 09/01/15 15:47, Bob of Donelson Trophy wrote:
>>
>> On 2015-01-09 09:27, Rowland Penny wrote:
>>
>> On 09/01/15 15:00, Bob of Donelson Trophy wrote:
>> On 2015-01-09 08:44, Rowland Penny wrote: W7 client "Preferred DNS
server" is set to my DC. My DC looks like this: root at dtdc01:~# cat
/etc/resolv.conf search dtshrm.local domain dtshrm.local nameserver
192.168.16.54 root at dtdc01:~# cat /etc/network/interfaces # This file
describes the network interfaces available on your system # and how to activate
them. For more information, see interfaces(5). # The loopback network interface
auto lo iface lo inet loopback # The primary network interface allow-hotplug
eth0 iface eth0 inet static address 192.168.16.54 netmask 255.255.255.0 network
192.168.16.0 broadcast 192.168.16.255 gateway 192.168.16.106 # dns-* options are
implemented by the resolvconf package, if installed dns-nameservers
208.67.222.222 dns-search dtshrm.local root at dtdc01:~# cat /etc/hosts
127.0.0.1 localhost 192.168.16.54 dtdc01.dtshrm.lan dtdc01 # The following lines
are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes ff
>   02::2
> ip6-allrouters Should the /etc/resolv.conf be resolving to itself? (I
chuckled at you "panic" comment. lol) Fix this first, checking for
'libnss_winbind.so.2' is next on my list for this morning.
>> Firstly, what email client are you using ? it appears to be doing weird
things :-)
>>
>> Don't bother about libnss_winbind.so.2, you have it, what you
don't have is the pam config file that automatically sets pam.
>>
>> This is my /etc/resolv.conf from my DC:
>>
>> nameserver 127.0.0.1
>> search example.lan
>>
>> It needs to point to itself and you do not need the domain line. domain
& search are mutually exclusive and the last one wins.
>>
>> This is my /etc/network/interfaces
>>
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>> address 192.168.0.2
>> netmask 255.255.255.0
>> network 192.168.0.0
>> broadcast 192.168.0.255
>> gateway 192.168.0.1
>>
>> I also turn off NetworkManager and stop it from starting at boot.
>>
>> When you installed your member server via Louis's script, did you
alter this line:
>>
>> ENABLEPAMAUTH=0
>>
>> Rowland
> Email client - Louis' email came back looking weird. Don't know
about
> that.
>
> How do I "turn off NetworkManager" in Debian? (I didn't think
it was on
> a server non-gui install?)
>   Ah, didn't know that, you do not have it running.
>
>> And I have not altered any PAM lines so I have not changes
ENABLEPAMAUTH=0 however, where is it so I can go check it?
>   It is in Louis's script, line 100 and if you change it to 1 it runs a
> block of code starting at line 349, this modifies /etc/pam.d/samba.
>   This is not what happens if you install libnss-winbind &
libpam-winbind
> with the debian samba4 packages, unfortunately you cannot install these
> with the sernet packages, but most of the contents of those two packages
> are in sernet-samba-libs, except for the pam config file:
>
>   /usr/share/pam-configs/winbind
>
>   Name: Winbind NT/Active Directory authentication
>   Default: yes
>   Priority: 192
>   Auth-Type: Primary
>   Auth:
>   [success=end default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>   Auth-Initial:
>   [success=end default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login
>   Account-Type: Primary
>   Account:
>   [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
>   Password-Type: Primary
>   Password:
>   [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
>   Password-Initial:
>   [success=end default=ignore] pam_winbind.so
>   Session-Type: Additional
>   Session:
>   optional pam_winbind.so
>
>   You may have to run 'pam-auth-update' and select winbind.
>
>   Rowland
>
>> -- 
>>
>> -------------------------
>>
>> Bob Wooden of Donelson Trophy
>>
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>>
>> "Everyone deserves an award!!"
> Okay, I have resolved my (stupid Windows) "No internet access"
issue on
> my lone W7 client.
>
> Moving forward with resolving my "getting
NT_STATUS_LOGON_FAILURE"
> issue.
>
> I went to my (modified for me) script and I had "ENABLEPAMAUTH=0"
and
> "ENABLEPAMSSH=0". Maybe I should simply restore my member server
with
> 'pre-script backup' and re-run the script with these two options
enabled
> (set to 1)?
>
> Should I enable both or just the "ENABLEAUTH"?
>
> Or can we (with your help, I hope) correct this issue?
As you have a backup, try creating the pam-config script I posted and 
then run 'pam-auth-update --package', this should get you the same pam 
setup as my member server.

Rowland

On 2015-01-09 11:40, Rowland Penny wrote: 
> On 09/01/15 17:26, Bob of Donelson Trophy wrote:
> On 2015-01-09 10:23, Rowland Penny wrote: On 09/01/15 15:47, Bob of
Donelson Trophy wrote: On 2015-01-09 09:27, Rowland Penny wrote: On 09/01/15
15:00, Bob of Donelson Trophy wrote: On 2015-01-09 08:44, Rowland Penny wrote:
W7 client "Preferred DNS server" is set to my DC. My DC looks like
this: root at dtdc01:~# cat /etc/resolv.conf search dtshrm.local domain
dtshrm.local nameserver 192.168.16.54 root at dtdc01:~# cat
/etc/network/interfaces # This file describes the network interfaces available
on your system # and how to activate them. For more information, see
interfaces(5). # The loopback network interface auto lo iface lo inet loopback #
The primary network interface allow-hotplug eth0 iface eth0 inet static address
192.168.16.54 netmask 255.255.255.0 network 192.168.16.0 broadcast
192.168.16.255 gateway 192.168.16.106 # dns-* options are implemented by the
resolvconf package, if installed dns-nameservers 208.67.222.222 dns-search
dtshrm.local root at dtdc01:~# cat /etc/hosts
127.0.0.1 localhost 192.168.16.54 dtdc01.dtshrm.lan dtdc01 # The following lines
are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes f

f
> 02::2 ip6-allrouters Should the /etc/resolv.conf be resolving to itself? (I
chuckled at you "panic" comment. lol) Fix this first, checking for
'libnss_winbind.so.2' is next on my list for this morning.
> 
>> Firstly, what email client are you using ? it appears to be doing weird
things :-) Don't bother about libnss_winbind.so.2, you have it, what you
don't have is the pam config file that automatically sets pam. This is my
/etc/resolv.conf from my DC: nameserver 127.0.0.1 search example.lan It needs to
point to itself and you do not need the domain line. domain & search are
mutually exclusive and the last one wins. This is my /etc/network/interfaces #
This file describes the network interfaces available on your system # and how to
activate them. For more information, see interfaces(5). # The loopback network
interface auto lo iface lo inet loopback auto eth0 iface eth0 inet static
address 192.168.0.2 netmask 255.255.255.0 network 192.168.0.0 broadcast
192.168.0.255 gateway 192.168.0.1 I also turn off NetworkManager and stop it
from starting at boot. When you installed your member server via Louis's
script, did you alter this line: ENABLEPAMAUTH=0 Rowland
> Email client - Louis' email came back looking weird. Don't know
about that. How do I "turn off NetworkManager" in Debian? (I
didn't think it was on a server non-gui install?) Ah, didn't know that,
you do not have it running.
> 
>> And I have not altered any PAM lines so I have not changes
ENABLEPAMAUTH=0 however, where is it so I can go check it?
> It is in Louis's script, line 100 and if you change it to 1 it runs a
block of code starting at line 349, this modifies /etc/pam.d/samba. This is not
what happens if you install libnss-winbind & libpam-winbind with the debian
samba4 packages, unfortunately you cannot install these with the sernet
packages, but most of the contents of those two packages are in
sernet-samba-libs, except for the pam config file:
/usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication
Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore]
pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end
new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary
Password: [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial: [success=end
default=ignore] pam_winbind.so Session-Type: Additional Session: optional
pam_winbind.so You may have to run 'pam-auth-update' and select winbind.
Rowland 
> 
>> -- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846
(main) www.donelsontrophy.com [1] [1] "Everyone deserves an award!!"
> Okay, I have resolved my (stupid Windows) "No internet access"
issue on my lone W7 client. Moving forward with resolving my "getting
NT_STATUS_LOGON_FAILURE" issue. I went to my (modified for me) script and I
had "ENABLEPAMAUTH=0" and "ENABLEPAMSSH=0". Maybe I should
simply restore my member server with 'pre-script backup' and re-run the
script with these two options enabled (set to 1)? Should I enable both or just
the "ENABLEAUTH"? Or can we (with your help, I hope) correct this
issue?
As you have a backup, try creating the pam-config script I posted and
then run 'pam-auth-update --package', this should get you the same pam
setup as my member server.

Rowland

Maybe I about to do this incorrectly. I create to config file (you sent
me) with 'vi /usr/share/pam-configs/winbind' and then started to run
"pam-auth-update". Now do I update all three all services listed
(Kerberos, Unix and Winbind) or just winbind only? 
-- 

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"
 

Links:
------
[1] http://www.donelsontrophy.com

On 09/01/15 18:31, Bob of Donelson Trophy wrote:
>   
>
> On 2015-01-09 11:40, Rowland Penny wrote:
>
>> On 09/01/15 17:26, Bob of Donelson Trophy wrote:
>> On 2015-01-09 10:23, Rowland Penny wrote: On 09/01/15 15:47, Bob of
Donelson Trophy wrote: On 2015-01-09 09:27, Rowland Penny wrote: On 09/01/15
15:00, Bob of Donelson Trophy wrote: On 2015-01-09 08:44, Rowland Penny wrote:
W7 client "Preferred DNS server" is set to my DC. My DC looks like
this: root at dtdc01:~# cat /etc/resolv.conf search dtshrm.local domain
dtshrm.local nameserver 192.168.16.54 root at dtdc01:~# cat
/etc/network/interfaces # This file describes the network interfaces available
on your system # and how to activate them. For more information, see
interfaces(5). # The loopback network interface auto lo iface lo inet loopback #
The primary network interface allow-hotplug eth0 iface eth0 inet static address
192.168.16.54 netmask 255.255.255.0 network 192.168.16.0 broadcast
192.168.16.255 gateway 192.168.16.106 # dns-* options are implemented by the
resolvconf package, if installed dns-nameservers 208.67.222.222 dns-search
dtshrm.local root at dtdc01:~# cat /etc/hosts
> 127.0.0.1 localhost 192.168.16.54 dtdc01.dtshrm.lan dtdc01 # The following
lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost
ip6-loopback ff02::1 ip6-allnodes f
>
> f
>
>> 02::2 ip6-allrouters Should the /etc/resolv.conf be resolving to
itself? (I chuckled at you "panic" comment. lol) Fix this first,
checking for 'libnss_winbind.so.2' is next on my list for this morning.
>>
>>> Firstly, what email client are you using ? it appears to be doing
weird things :-) Don't bother about libnss_winbind.so.2, you have it, what
you don't have is the pam config file that automatically sets pam. This is
my /etc/resolv.conf from my DC: nameserver 127.0.0.1 search example.lan It needs
to point to itself and you do not need the domain line. domain & search are
mutually exclusive and the last one wins. This is my /etc/network/interfaces #
This file describes the network interfaces available on your system # and how to
activate them. For more information, see interfaces(5). # The loopback network
interface auto lo iface lo inet loopback auto eth0 iface eth0 inet static
address 192.168.0.2 netmask 255.255.255.0 network 192.168.0.0 broadcast
192.168.0.255 gateway 192.168.0.1 I also turn off NetworkManager and stop it
from starting at boot. When you installed your member server via Louis's
script, did you alter this line: ENABLEPAMAUTH=0 Rowland
>> Email client - Louis' email came back looking weird. Don't know
about that. How do I "turn off NetworkManager" in Debian? (I
didn't think it was on a server non-gui install?) Ah, didn't know that,
you do not have it running.
>>
>>> And I have not altered any PAM lines so I have not changes
ENABLEPAMAUTH=0 however, where is it so I can go check it?
>> It is in Louis's script, line 100 and if you change it to 1 it runs
a block of code starting at line 349, this modifies /etc/pam.d/samba. This is
not what happens if you install libnss-winbind & libpam-winbind with the
debian samba4 packages, unfortunately you cannot install these with the sernet
packages, but most of the contents of those two packages are in
sernet-samba-libs, except for the pam config file:
/usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication
Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore]
pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end
new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary
Password: [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial: [success=end
> default=ignore] pam_winbind.so Session-Type: Additional Session: optional
pam_winbind.so You may have to run 'pam-auth-update' and select winbind.
Rowland
>>> -- ------------------------- Bob Wooden of Donelson Trophy
615.885.2846 (main) www.donelsontrophy.com [1] [1] "Everyone deserves an
award!!"
>> Okay, I have resolved my (stupid Windows) "No internet
access" issue on my lone W7 client. Moving forward with resolving my
"getting NT_STATUS_LOGON_FAILURE" issue. I went to my (modified for
me) script and I had "ENABLEPAMAUTH=0" and "ENABLEPAMSSH=0".
Maybe I should simply restore my member server with 'pre-script backup'
and re-run the script with these two options enabled (set to 1)? Should I enable
both or just the "ENABLEAUTH"? Or can we (with your help, I hope)
correct this issue?
> As you have a backup, try creating the pam-config script I posted and
> then run 'pam-auth-update --package', this should get you the same
pam
> setup as my member server.
>
> Rowland
>
> Maybe I about to do this incorrectly. I create to config file (you sent
> me) with 'vi /usr/share/pam-configs/winbind' and then started to
run
> "pam-auth-update". Now do I update all three all services listed
> (Kerberos, Unix and Winbind) or just winbind only?
All three

Rowland