Bob of Donelson Trophy
2015-Feb-27  18:00 UTC
[Samba] NT_STATUS_CONNECTION_REFUSED, again!!!
Thanks Rowland.

Being the novice that I am, I thought the line would 'pickup' my DOMAIN
and replace the ${SAMBA_NT_DOMAIN}. So, I just tried the line correctly
and it asked for my Administrator password and subsequently granted
access. At least I know I can go and correct manually, if I need to.

My /etc/resolv.conf is:

root@dt01:~# cat /etc/resolv.conf
search dts***m.dt
nameserver 192.168.16.51

The nameserver is resolving to "itself", the DC01. (As you know, this is
created through the script.)

The "wbinfo -g" says that "Domain Admins" is indeed in the groups.

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"
On 2015-02-27 11:43, Rowland Penny wrote:
> On 27/02/15 17:28, Bob of Donelson Trophy wrote:
>
>> I thought I was over this the other day when I got it to work properly
>> on my VM. Now, on an actual PC I am getting:
>>
>> ==========Test kerberos ===============================
>> Lets test some things
>> Testing : kerberos
>> Password for Administrator@DTSHRM.DT:
>> Warning: Your password will expire in 41 days on Fri Apr 10 08:43:58 2015
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator@DTSHRM.DT
>>
>> Valid starting    Expires           Service principal
>> 27/02/2015 07:45  27/02/2015 17:45  krbtgt/DTSHRM.DT@DTSHRM.DT
>>     renew until 28/02/2015 07:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> ==========SE Privileges ===============================
>> Enter Administrator's password:
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>> I snipped some excess<<<<<<<<
>> Enter Administrator's password:
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>> Enter Administrator's password:
>> Successfully granted rights.
>> Enter Administrator's password:
>> I snipped some excess<<<<<<<<<<<
>> Enter Administrator's password:
>> Successfully granted rights.
>>
>> ==========Test DNS Records ===============================
>> Testing : dns entries
>> testing of : host -t SRV _ldap._tcp.dtshrm.dt. : ok
>> testing of : host -t SRV _kerberos._udp.dtshrm.dt. : ok
>> testing of : host -t A dtdc01.dtshrm.dt. : ok
>> I snipped the ending<<<<<
>>
>> I have had the chance to try this several times (thanks to backups) and
>> each time a different number of failures and then "Successfully granted
>> rights." Generally there are anywhere from 12 to 17 failures across two
>> attempts (that I paid close attention to, out of five tries.) And, because
>> I have two identical computers (one that will become DC1 and the other
>> DC2) I switched machines, just to make sure it wasn't a hardware issue.
>> It's not!
>>
>> When I run one of the failed script lines manually, I get:
>>
>> root@dc01:~# echo ${SAMBA_NT_ADMIN_PASS}| net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>> Enter Administrator's password:
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>> That might have failed because . . . . so, I tried this:
>>
>> root@dc01:~# net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>> Enter Administrator's password:
>> Failed to grant privileges for Domain Admins (NT_STATUS_NO_SUCH_USER)
>>
>> So, the script is not creating the "Domain Admins"? Confused, for sure!!!!
>
> Hi Bob, what have you got in /etc/resolv.conf ?
>
> I also take it that when you ran the lines manually, you replaced the
> variables with the correct info.
>
> The script doesn't create Domain Admins, this is done by the provision,
> run 'wbinfo -g' this should print all your domain groups.
>
> Rowland
 
Links:
------
[1] http://www.donelsontrophy.com
On 27/02/15 18:00, Bob of Donelson Trophy wrote:
> Thanks Rowland.
>
> Being the novice that I am, I thought the line would 'pickup' my DOMAIN
> and replace the ${SAMBA_NT_DOMAIN}. So, I just tried the line correctly
> and it asked for my Administrator password and subsequently granted
> access. At least I know I can go and correct manually, if I need to.
>
> My /etc/resolv.conf is:
>
> root@dt01:~# cat /etc/resolv.conf
> search dts***m.dt
> nameserver 192.168.16.51
>
> The nameserver is resolving to "itself", the DC01. (As you know, this is
> created through the script.)
>
> The "wbinfo -g" says that "Domain Admins" is indeed in the groups.

OK, I have had a look at Louis's script and the line that is failing is this:

echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

I 'think' the problem is here ^

If you want to escape a character in bash you use the '\' character and I
'think' what is happening is that, instead of escaping the other '\' it is
actually escaping the double quotes character.

Try replacing that line with this:

echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator

Rowland
Bob of Donelson Trophy
2015-Feb-27  19:25 UTC
[Samba] NT_STATUS_CONNECTION_REFUSED, again!!!
Thanks Rowland but that idea did not work.

I will simply grant access to those that failed manually. (Really wish I
had kept the VM that the script had worked on so I could go back and see
what happened but, too late, I have already deleted to save precious hard
drive space.)

If I have any issues, I'll be back.

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

On 2015-02-27 12:22, Rowland Penny wrote:
> OK, I have had a look at Louis's script and the line that is failing is this:
>
> echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>
> I 'think' the problem is here ^
>
> If you want to escape a character in bash you use the '\' character and I
> 'think' what is happening is that, instead of escaping the other '\' it is
> actually escaping the double quotes character.
>
> Try replacing that line with this:
>
> echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com
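
Added example, not part of any poster's message or of the script under discussion: how a POSIX shell splits the group argument in the three forms that appear in this thread, and how `${VAR:?}` stops a run when the domain variable is unset. `show_args` and the `form_*` functions are hypothetical helper names, and `EXAMPLE` is a constructed domain value.

```shell
#!/bin/sh
# Print the argument vector a command would receive, one "[arg]" per
# argument, so that quoting differences become visible.
show_args() {
    out=""
    for a in "$@"; do
        out="${out}[${a}]"
    done
    printf '%s\n' "$out"
}

# Constructed placeholder, not the domain from the thread.
SETNTDOM="EXAMPLE"

# Form 1: the script line. Outside quotes, \\ is one literal backslash;
# the "..." that follows is an ordinary double-quoted string.
form_script() {
    show_args ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege
}

# Form 2: the suggested replacement. "\ " is an escaped space.
form_escaped() {
    show_args ${SETNTDOM}\\Domain\ Admins SeDiskOperatorPrivilege
}

# Form 3: the manual run, with the variable unset in the interactive shell.
# The expansion is empty, so the group name carries no domain prefix.
form_unset() {
    ( unset SAMBA_NT_DOMAIN
      show_args "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege )
}

# Guarded form: ${VAR:?} aborts the subshell instead of expanding to "".
form_guarded() {
    ( unset SAMBA_NT_DOMAIN
      show_args "${SAMBA_NT_DOMAIN:?not set}\\Domain Admins" ) 2>/dev/null
}

form_script    # [EXAMPLE\Domain Admins][SeDiskOperatorPrivilege]
form_escaped   # same argument vector as form 1
form_unset     # [Domain Admins][SeDiskOperatorPrivilege]
form_guarded || echo "guard tripped: SAMBA_NT_DOMAIN is not set"
```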