AD DC default shares are okay after provisioning -
smbclient -L localhost -U%:
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba
4.1.17-SerNet-RedHat-11.el7)
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
Server Comment
--------- -------
Workgroup Master
--------- -------
Cannot authenticate the administrator account -
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
- - - - - - - - - - - - - - - - - -
I turned up the log level to 3 and found the following:
[2015/04/22 06:17:54.074716, 0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: RuntimeError: kinit for A10$@MWLLC.INFO failed
(Cannot contact any KDC for requested realm)
A10 is the server hostname, CONPAGO is the domain, and MWLLC.INFO is the
realm.
-----------------------------------------
ps axf | egrep "samba|smbd|nmbd|winbindd"
886 pts/5 S+ 0:00 \_ grep -E --color=auto
samba|smbd|nmbd|winbindd
32620 ? Ss 0:00 samba
32621 ? S 0:00 \_ samba
32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
32637 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server
role check:inhibit=yes --foreground
32622 ? S 0:00 \_ samba
32624 ? S 0:00 \_ samba
32625 ? S 0:00 \_ samba
32626 ? S 0:00 \_ samba
32627 ? S 0:00 \_ samba
32628 ? S 0:00 \_ samba
32629 ? S 0:00 \_ samba
32630 ? S 0:00 \_ samba
32631 ? S 0:00 \_ samba
32632 ? S 0:00 \_ samba
32633 ? S 0:00 \_ samba
32634 ? S 0:00 \_ samba
The above looks the same as the troubleshooting page.
------------------------------------------------------------------------
Cannot figure out why kerberos authentication fails.
Also notice nmbd and winbindd logs that say, "server role = 'active
directory domain controller' not compatible with running the
<<nmbd>> and
<<winbindd>> binary.
You should start 'samba' instead, and it will control starting the
internal AD DC <<nmbd>> and <<winbindd>> implementation,
which is not the
same as this one."
However, I did execute using "samba".
samba-tool testparm -v ---
# Global parameters
[global]
dos charset = CP850
unix charset = UTF8
workgroup = CONPAGO
realm = MWLLC.INFO
netbios name = A10
netbios aliases netbios scope server string = Samba
4.1.17-SerNet-RedHat-11.el7
interfaces = lo, eno1
bind interfaces only = Yes
config backend = file
server role = active directory domain controller
security = AUTO
auth methods encrypt passwords = Yes
client schannel = No
server schannel = No
allow trusted domains = No
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file private dir = /var/lib/samba/private
passdb backend algorithmic rid base = 0
root directory guest account enable privileges = No
pam password change = No
passwd program passwd chat = *new*password* %n\n *new*password*
%n\n *changed*
passwd chat debug = No
passwd chat timeout = 0
check password script username map username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
client use spnego principal = No
preload modules dedicated keytab file kerberos method =
default
map untrusted to domain = No
log level = 3
syslog = 1
syslog only = No
log file max log size = 0
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = Yes
debug pid = No
debug uid = No
debug class = No
enable core files = No
smb ports = 445, 139
large readwrite = Yes
server max protocol = NT1
server min protocol = CORE
client max protocol = NT1
client min protocol = CORE
unicode = Yes
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
log writeable files on exit = No
defer sharing violations = No
nt pipe support = No
nt status support = Yes
max mux = 50
max xmit = 12288
name resolve order = wins, host, bcast
max ttl = 0
max wins ttl = 518400
min wins ttl = 10
time server = No
unix extensions = No
use spnego = Yes
client signing = default
server signing = default
client use spnego = No
client ldap sasl wrapping = plain
enable asu support = No
svcctl list cldap port = 389
dgram port = 138
nbt port = 137
krb5 port = 88
kpasswd port = 464
web port = 901
rpc big endian = No
deadtime = 0
getwd cache = No
keepalive = 0
lpq cache time = 0
max smbd processes = 0
max disk size = 0
max open files = 0
socket options = TCP_NODELAY
use mmap = Yes
use ntdb = No
hostname lookups = No
name cache timeout = 0
ctdbd socket cluster addresses clustering = No
ctdb timeout = 0
ctdb locktime warn threshold = 0
smb2 max read = 0
smb2 max write = 0
smb2 max trans = 0
smb2 max credits = 0
load printers = No
printcap cache time = 0
printcap name cups server cups encrypt = No
cups connection timeout = 0
iprint server disable spoolss = No
addport command enumports command addprinter command
deleteprinter command show add printer wizard = No
os2 driver map mangling method mangle prefix = 0
max stat cache size = 0
stat cache = No
machine password timeout = 0
add user script rename user script delete user script
add group script delete group script add user to group script
delete user from group script set primary group script add
machine script shutdown script abort shutdown script
username map script username map cache time = 0
logon script logon path logon drive logon home
domain logons = No
init logon delayed hosts init logon delay = 0
os level = 0
lm announce = No
lm interval = 0
preferred master = Auto
local master = Yes
domain master = Auto
browse list = No
enhanced browsing = No
dns proxy = Yes
wins proxy = No
wins server wins support = No
wins hook lock spin time = 0
oplock break wait time = 0
ldap admin dn ldap delete dn = No
ldap group suffix ldap idmap suffix ldap machine suffix
ldap passwd sync = yes
ldap replication sleep = 0
ldap suffix ldap ssl = no
ldap ssl ads = No
ldap deref = never
ldap follow referral = No
ldap timeout = 0
ldap connection timeout = 0
ldap page size = 0
ldap user suffix ldap debug level = 0
ldap debug threshold = 0
eventlog list add share command change share command
delete share command config file preload lock directory
= /var/cache/samba
state directory = /var/lib/samba
cache directory = /var/cache/samba
pid directory = /var/run/samba
ntp signd socket directory = /var/lib/samba/ntp_signd
utmp directory wtmp directory utmp = No
default service message command get quota command
set quota command remote announce remote browse sync nbt
client socket address nmbd bind explicit broadcast = No
homedir map afs username map afs token lifetime = 0
log nt token command NIS homedir = No
registry shares = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = No
usershare path usershare prefix allow list usershare
prefix deny list usershare template share allow insecure wide
links = No
async smb echo handler = No
panic action perfcount module host msdfs = Yes
passdb expand explicit = No
idmap backend idmap cache time = 0
idmap negative cache time = 0
idmap uid idmap gid template homedir =
/home/%WORKGROUP%/%ACCOUNTNAME%
template shell = /bin/false
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
create krb5 conf = No
ncalrpc dir = /var/run/samba/ncalrpc
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
allow dns updates = secure only
dns forwarder = 75.75.76.76
dns update command = /usr/sbin/samba_dnsupdate
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
multicast dns register = No
samba kcc command = /usr/sbin/samba_kcc
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, dns
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
spn update command = /usr/sbin/samba_spnupdate
share backend = classic
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile tls dh params file idmap_ldb:use rfc2307 =
yes
prefork children:smb = 4
registry:hkey_users = hku.ldb
registry:hkey_local_machine = hklm.ldb
[netlogon]
path = /var/lib/samba/sysvol/mwllc.info/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
(END)
L.P.H. van Belle
2015-Apr-22 11:27 UTC
[Samba] Cannot authenticate the administrator account
can you try the following..
and post the result back.
and /etc/resolv.conf
and /etc/krb5.conf
copy-paste it, but set the admin password first.
then post what the output is.
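# Authentication smoke test for a Samba AD DC: first an NTLM logon against
# the local netlogon share, then a Kerberos logon against the DC's own FQDN.
# Set SAMBA_NT_ADMIN_PASS to the real Administrator password before running
# (an already-exported value is honoured, so the secret need not be pasted
# into the script). The password is handed to smbclient/kinit on stdin only,
# so it never appears in the process argument list; note that typing the
# assignment at an interactive prompt still records it in shell history.
SAMBA_NT_ADMIN_PASS="${SAMBA_NT_ADMIN_PASS:-PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE}"
SETFQDN=$(hostname -f)
echo "NT Authentication test"
# printf rather than echo: a password starting with '-' or containing
# backslashes would otherwise be mangled, and the double quotes keep a
# password with spaces or glob characters intact.
printf '%s\n' "${SAMBA_NT_ADMIN_PASS}" | smbclient //localhost/netlogon -U Administrator -c 'ls'
echo "Kerberos Authentication"
# kinit uses default_realm from /etc/krb5.conf; the ticket is destroyed below.
printf '%s\n' "${SAMBA_NT_ADMIN_PASS}" | kinit Administrator
smbclient "//${SETFQDN}/netlogon" -U Administrator -c 'ls' -k
kdestroy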
>-----Oorspronkelijk bericht-----
>Van: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org]
>Namens Mike
>Verzonden: woensdag 22 april 2015 13:14
>Aan: samba
>Onderwerp: [Samba] Cannot authenticate the administrator account
>
>AD DC default shares are okay after provisioning -
>smbclient -L localhost -U%:
>
>Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba
>4.1.17-SerNet-RedHat-11.el7)
>Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
>Cannot authenticate the administrator account -
>smbclient //localhost/netlogon -UAdministrator -c 'ls'
>Enter Administrator's password:
>session setup failed: NT_STATUS_LOGON_FAILURE
>
>- - - - - - - - - - - - - - - - - -
>I turned up the log level to 3 and found the following:
>
>[2015/04/22 06:17:54.074716, 0]
>../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: RuntimeError: kinit for
>A10$@MWLLC.INFO failed
>(Cannot contact any KDC for requested realm)
>
>A10 is the server hostname, CONPAGO is the domain, and
>MWLLC.INFO is the
>realm.
>
>-----------------------------------------
> ps axf | egrep "samba|smbd|nmbd|winbindd"
> 886 pts/5 S+ 0:00 \_ grep -E --color=auto
>samba|smbd|nmbd|winbindd
>32620 ? Ss 0:00 samba
>32621 ? S 0:00 \_ samba
>32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D
>--option=server role
>check:inhibit=yes --foreground
>32637 ? S 0:00 | \_ /usr/sbin/smbd -D
>--option=server
>role check:inhibit=yes --foreground
>32622 ? S 0:00 \_ samba
>32624 ? S 0:00 \_ samba
>32625 ? S 0:00 \_ samba
>32626 ? S 0:00 \_ samba
>32627 ? S 0:00 \_ samba
>32628 ? S 0:00 \_ samba
>32629 ? S 0:00 \_ samba
>32630 ? S 0:00 \_ samba
>32631 ? S 0:00 \_ samba
>32632 ? S 0:00 \_ samba
>32633 ? S 0:00 \_ samba
>32634 ? S 0:00 \_ samba
>
>The above looks the same as the troubleshooting page.
>---------------------------------------------------------------
>---------
>
>Cannot figure out why kerberos authentication fails.
>
>Also notice nmbd and winbindd logs that say, "server role = 'active
>directory domain controller' not compatible with running the
><<nmbd>> and
><<winbindd>> binary.
> You should start 'samba' instead, and it will control starting the
>internal AD DC <<nmbd>> and <<winbindd>>
implementation, which
>is not the
>same as this one."
>
>However, I did execute using "samba".
>
>samba-tool testparm -v ---
>
># Global parameters
>[global]
> dos charset = CP850
> unix charset = UTF8
> workgroup = CONPAGO
> realm = MWLLC.INFO
> netbios name = A10
> netbios aliases > netbios scope > server string
= Samba 4.1.17-SerNet-RedHat-11.el7
> interfaces = lo, eno1
> bind interfaces only = Yes
> config backend = file
> server role = active directory domain controller
> security = AUTO
> auth methods > encrypt passwords = Yes
> client schannel = No
> server schannel = No
> allow trusted domains = No
> map to guest = Never
> null passwords = No
> obey pam restrictions = No
> password server = *
> smb passwd file > private dir = /var/lib/samba/private
> passdb backend > algorithmic rid base = 0
> root directory > guest account > enable
privileges = No
> pam password change = No
> passwd program > passwd chat = *new*password* %n\n
*new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 0
> check password script > username map > username
level = 0
> unix password sync = No
> restrict anonymous = 0
> lanman auth = No
> ntlm auth = Yes
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> client use spnego principal = No
> preload modules > dedicated keytab file >
kerberos method = default
> map untrusted to domain = No
> log level = 3
> syslog = 1
> syslog only = No
> log file > max log size = 0
> debug timestamp = Yes
> debug prefix timestamp = No
> debug hires timestamp = Yes
> debug pid = No
> debug uid = No
> debug class = No
> enable core files = No
> smb ports = 445, 139
> large readwrite = Yes
> server max protocol = NT1
> server min protocol = CORE
> client max protocol = NT1
> client min protocol = CORE
> unicode = Yes
> min receivefile size = 0
> read raw = Yes
> write raw = Yes
> disable netbios = No
> reset on zero vc = No
> log writeable files on exit = No
> defer sharing violations = No
> nt pipe support = No
> nt status support = Yes
> max mux = 50
> max xmit = 12288
> name resolve order = wins, host, bcast
> max ttl = 0
> max wins ttl = 518400
> min wins ttl = 10
> time server = No
> unix extensions = No
> use spnego = Yes
> client signing = default
> server signing = default
> client use spnego = No
> client ldap sasl wrapping = plain
> enable asu support = No
> svcctl list > cldap port = 389
> dgram port = 138
> nbt port = 137
> krb5 port = 88
> kpasswd port = 464
> web port = 901
> rpc big endian = No
> deadtime = 0
> getwd cache = No
> keepalive = 0
> lpq cache time = 0
> max smbd processes = 0
> max disk size = 0
> max open files = 0
> socket options = TCP_NODELAY
> use mmap = Yes
> use ntdb = No
> hostname lookups = No
> name cache timeout = 0
> ctdbd socket > cluster addresses > clustering =
No
> ctdb timeout = 0
> ctdb locktime warn threshold = 0
> smb2 max read = 0
> smb2 max write = 0
> smb2 max trans = 0
> smb2 max credits = 0
> load printers = No
> printcap cache time = 0
> printcap name > cups server > cups encrypt = No
> cups connection timeout = 0
> iprint server > disable spoolss = No
> addport command > enumports command > addprinter
command > deleteprinter command > show add printer wizard =
No
> os2 driver map > mangling method > mangle prefix
= 0
> max stat cache size = 0
> stat cache = No
> machine password timeout = 0
> add user script > rename user script > delete
user script > add group script > delete group script >
add user to group script > delete user from group script >
set primary group script > add machine script > shutdown
script > abort shutdown script > username map script >
username map cache time = 0
> logon script > logon path > logon drive >
logon home > domain logons = No
> init logon delayed hosts > init logon delay = 0
> os level = 0
> lm announce = No
> lm interval = 0
> preferred master = Auto
> local master = Yes
> domain master = Auto
> browse list = No
> enhanced browsing = No
> dns proxy = Yes
> wins proxy = No
> wins server > wins support = No
> wins hook > lock spin time = 0
> oplock break wait time = 0
> ldap admin dn > ldap delete dn = No
> ldap group suffix > ldap idmap suffix > ldap
machine suffix > ldap passwd sync = yes
> ldap replication sleep = 0
> ldap suffix > ldap ssl = no
> ldap ssl ads = No
> ldap deref = never
> ldap follow referral = No
> ldap timeout = 0
> ldap connection timeout = 0
> ldap page size = 0
> ldap user suffix > ldap debug level = 0
> ldap debug threshold = 0
> eventlog list > add share command > change share
command > delete share command > config file >
preload > lock directory = /var/cache/samba
> state directory = /var/lib/samba
> cache directory = /var/cache/samba
> pid directory = /var/run/samba
> ntp signd socket directory = /var/lib/samba/ntp_signd
> utmp directory > wtmp directory > utmp = No
> default service > message command > get quota
command > set quota command > remote announce >
remote browse sync > nbt client socket address > nmbd bind
explicit broadcast = No
> homedir map > afs username map > afs token
lifetime = 0
> log nt token command > NIS homedir = No
> registry shares = No
> usershare allow guests = No
> usershare max shares = 0
> usershare owner only = No
> usershare path > usershare prefix allow list >
usershare prefix deny list > usershare template share >
allow insecure wide links = No
> async smb echo handler = No
> panic action > perfcount module > host msdfs =
Yes
> passdb expand explicit = No
> idmap backend > idmap cache time = 0
> idmap negative cache time = 0
> idmap uid > idmap gid > template homedir =
/home/%WORKGROUP%/%ACCOUNTNAME%
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 0
> winbind reconnect delay = 0
> winbind request timeout = 0
> winbind max clients = 0
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = No
> winbind trusted domains only = No
> winbind nested groups = No
> winbind expand groups = 0
> winbind nss info > winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> winbind rpc only = No
> create krb5 conf = No
> ncalrpc dir = /var/run/samba/ncalrpc
> winbind max domain connections = 0
> winbindd socket directory = /var/run/samba/winbindd
> winbindd privileged socket directory
>/var/lib/samba/winbindd_privileged
> winbind sealed pipes = Yes
> allow dns updates = secure only
> dns forwarder = 75.75.76.76
> dns update command = /usr/sbin/samba_dnsupdate
> nsupdate command = /usr/bin/nsupdate -g
> rndc command = /usr/sbin/rndc
> multicast dns register = No
> samba kcc command = /usr/sbin/samba_kcc
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>kdc, drepl,
>winbind, ntp_signd, kcc, dnsupdate, dns
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo,
>browser, eventlog6,
>backupkey, dnsserver
> spn update command = /usr/sbin/samba_spnupdate
> share backend = classic
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> tls crlfile > tls dh params file > idmap_ldb:use
rfc2307 = yes
> prefork children:smb = 4
> registry:hkey_users = hku.ldb
> registry:hkey_local_machine = hklm.ldb
>
>[netlogon]
> path = /var/lib/samba/sysvol/mwllc.info/scripts
> read only = No
>
>[sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>(END)
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
>
Thanks for your help, LPH - - - I am commuting to work right now.......will try it when I can get through a few daily hurdles at the office. :-) On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:> can you try the following.. > and post the result back. > and /etc/resolv.conf > and /etc/krb5.conf > > copy past it, but set the admin pass fist. > then whats the output. > > SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE" > SETFQDN=`hostname -f` > > echo "NT Authentication test" > echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U > Administrator -c 'ls' > > echo "Kerberos Authentication" > echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator > smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k > kdestroy > > > > > > >-----Oorspronkelijk bericht----- > >Van: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org] > >Namens Mike > >Verzonden: woensdag 22 april 2015 13:14 > >Aan: samba > >Onderwerp: [Samba] Cannot authenticate the administrator account > > > >AD DC default shares are okay after provisioning - > >smbclient -L localhost -U%: > > > >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] > > > > Sharename Type Comment > > --------- ---- ------- > > netlogon Disk > > sysvol Disk > > IPC$ IPC IPC Service (Samba > >4.1.17-SerNet-RedHat-11.el7) > >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7] > > > > Server Comment > > --------- ------- > > > > Workgroup Master > > --------- ------- > > > >Cannot authenticate the administrator account - > >smbclient //localhost/netlogon -UAdministrator -c 'ls' > >Enter Administrator's password: > >session setup failed: NT_STATUS_LOGON_FAILURE > > > >- - - - - - - - - - - - - - - - - - > >I turned up the log level to 3 and found the following: > > > >[2015/04/22 06:17:54.074716, 0] > >../lib/util/util_runcmd.c:317(samba_runcmd_io_handler) > > /usr/sbin/samba_dnsupdate: RuntimeError: kinit for > >A10$@MWLLC.INFO failed > >(Cannot 
contact any KDC for requested realm) > > > >A10 is the server hostname, CONPAGO is the domain, and > >MWLLC.INFO is the > >realm. > > > >----------------------------------------- > > ps axf | egrep "samba|smbd|nmbd|winbindd" > > 886 pts/5 S+ 0:00 \_ grep -E --color=auto > >samba|smbd|nmbd|winbindd > >32620 ? Ss 0:00 samba > >32621 ? S 0:00 \_ samba > >32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D > >--option=server role > >check:inhibit=yes --foreground > >32637 ? S 0:00 | \_ /usr/sbin/smbd -D > >--option=server > >role check:inhibit=yes --foreground > >32622 ? S 0:00 \_ samba > >32624 ? S 0:00 \_ samba > >32625 ? S 0:00 \_ samba > >32626 ? S 0:00 \_ samba > >32627 ? S 0:00 \_ samba > >32628 ? S 0:00 \_ samba > >32629 ? S 0:00 \_ samba > >32630 ? S 0:00 \_ samba > >32631 ? S 0:00 \_ samba > >32632 ? S 0:00 \_ samba > >32633 ? S 0:00 \_ samba > >32634 ? S 0:00 \_ samba > > > >The above looks the same as the troubleshooting page. > >--------------------------------------------------------------- > >--------- > > > >Cannot figure out why kerberos authentication fails. > > > >Also notice nmbd and winbindd logs that say, "server role = 'active > >directory domain controller' not compatible with running the > ><<nmbd>> and > ><<winbindd>> binary. > > You should start 'samba' instead, and it will control starting the > >internal AD DC <<nmbd>> and <<winbindd>> implementation, which > >is not the > >same as this one." > > > >However, I did execute using "samba". 
> > > >samba-tool testparm -v --- > > > ># Global parameters > >[global] > > dos charset = CP850 > > unix charset = UTF8 > > workgroup = CONPAGO > > realm = MWLLC.INFO > > netbios name = A10 > > netbios aliases > > netbios scope > > server string = Samba 4.1.17-SerNet-RedHat-11.el7 > > interfaces = lo, eno1 > > bind interfaces only = Yes > > config backend = file > > server role = active directory domain controller > > security = AUTO > > auth methods > > encrypt passwords = Yes > > client schannel = No > > server schannel = No > > allow trusted domains = No > > map to guest = Never > > null passwords = No > > obey pam restrictions = No > > password server = * > > smb passwd file > > private dir = /var/lib/samba/private > > passdb backend > > algorithmic rid base = 0 > > root directory > > guest account > > enable privileges = No > > pam password change = No > > passwd program > > passwd chat = *new*password* %n\n *new*password* %n\n *changed* > > passwd chat debug = No > > passwd chat timeout = 0 > > check password script > > username map > > username level = 0 > > unix password sync = No > > restrict anonymous = 0 > > lanman auth = No > > ntlm auth = Yes > > client NTLMv2 auth = Yes > > client lanman auth = No > > client plaintext auth = No > > client use spnego principal = No > > preload modules > > dedicated keytab file > > kerberos method = default > > map untrusted to domain = No > > log level = 3 > > syslog = 1 > > syslog only = No > > log file > > max log size = 0 > > debug timestamp = Yes > > debug prefix timestamp = No > > debug hires timestamp = Yes > > debug pid = No > > debug uid = No > > debug class = No > > enable core files = No > > smb ports = 445, 139 > > large readwrite = Yes > > server max protocol = NT1 > > server min protocol = CORE > > client max protocol = NT1 > > client min protocol = CORE > > unicode = Yes > > min receivefile size = 0 > > read raw = Yes > > write raw = Yes > > disable netbios = No > > reset on zero vc = No > > log 
writeable files on exit = No > > defer sharing violations = No > > nt pipe support = No > > nt status support = Yes > > max mux = 50 > > max xmit = 12288 > > name resolve order = wins, host, bcast > > max ttl = 0 > > max wins ttl = 518400 > > min wins ttl = 10 > > time server = No > > unix extensions = No > > use spnego = Yes > > client signing = default > > server signing = default > > client use spnego = No > > client ldap sasl wrapping = plain > > enable asu support = No > > svcctl list > > cldap port = 389 > > dgram port = 138 > > nbt port = 137 > > krb5 port = 88 > > kpasswd port = 464 > > web port = 901 > > rpc big endian = No > > deadtime = 0 > > getwd cache = No > > keepalive = 0 > > lpq cache time = 0 > > max smbd processes = 0 > > max disk size = 0 > > max open files = 0 > > socket options = TCP_NODELAY > > use mmap = Yes > > use ntdb = No > > hostname lookups = No > > name cache timeout = 0 > > ctdbd socket > > cluster addresses > > clustering = No > > ctdb timeout = 0 > > ctdb locktime warn threshold = 0 > > smb2 max read = 0 > > smb2 max write = 0 > > smb2 max trans = 0 > > smb2 max credits = 0 > > load printers = No > > printcap cache time = 0 > > printcap name > > cups server > > cups encrypt = No > > cups connection timeout = 0 > > iprint server > > disable spoolss = No > > addport command > > enumports command > > addprinter command > > deleteprinter command > > show add printer wizard = No > > os2 driver map > > mangling method > > mangle prefix = 0 > > max stat cache size = 0 > > stat cache = No > > machine password timeout = 0 > > add user script > > rename user script > > delete user script > > add group script > > delete group script > > add user to group script > > delete user from group script > > set primary group script > > add machine script > > shutdown script > > abort shutdown script > > username map script > > username map cache time = 0 > > logon script > > logon path > > logon drive > > logon home > > domain logons = No > > init 
logon delayed hosts > > init logon delay = 0 > > os level = 0 > > lm announce = No > > lm interval = 0 > > preferred master = Auto > > local master = Yes > > domain master = Auto > > browse list = No > > enhanced browsing = No > > dns proxy = Yes > > wins proxy = No > > wins server > > wins support = No > > wins hook > > lock spin time = 0 > > oplock break wait time = 0 > > ldap admin dn > > ldap delete dn = No > > ldap group suffix > > ldap idmap suffix > > ldap machine suffix > > ldap passwd sync = yes > > ldap replication sleep = 0 > > ldap suffix > > ldap ssl = no > > ldap ssl ads = No > > ldap deref = never > > ldap follow referral = No > > ldap timeout = 0 > > ldap connection timeout = 0 > > ldap page size = 0 > > ldap user suffix > > ldap debug level = 0 > > ldap debug threshold = 0 > > eventlog list > > add share command > > change share command > > delete share command > > config file > > preload > > lock directory = /var/cache/samba > > state directory = /var/lib/samba > > cache directory = /var/cache/samba > > pid directory = /var/run/samba > > ntp signd socket directory = /var/lib/samba/ntp_signd > > utmp directory > > wtmp directory > > utmp = No > > default service > > message command > > get quota command > > set quota command > > remote announce > > remote browse sync > > nbt client socket address > > nmbd bind explicit broadcast = No > > homedir map > > afs username map > > afs token lifetime = 0 > > log nt token command > > NIS homedir = No > > registry shares = No > > usershare allow guests = No > > usershare max shares = 0 > > usershare owner only = No > > usershare path > > usershare prefix allow list > > usershare prefix deny list > > usershare template share > > allow insecure wide links = No > > async smb echo handler = No > > panic action > > perfcount module > > host msdfs = Yes > > passdb expand explicit = No > > idmap backend > > idmap cache time = 0 > > idmap negative cache time = 0 > > idmap uid > > idmap gid > > template homedir = 
/home/%WORKGROUP%/%ACCOUNTNAME% > > template shell = /bin/false > > winbind separator = \ > > winbind cache time = 0 > > winbind reconnect delay = 0 > > winbind request timeout = 0 > > winbind max clients = 0 > > winbind enum users = No > > winbind enum groups = No > > winbind use default domain = No > > winbind trusted domains only = No > > winbind nested groups = No > > winbind expand groups = 0 > > winbind nss info > > winbind refresh tickets = No > > winbind offline logon = No > > winbind normalize names = No > > winbind rpc only = No > > create krb5 conf = No > > ncalrpc dir = /var/run/samba/ncalrpc > > winbind max domain connections = 0 > > winbindd socket directory = /var/run/samba/winbindd > > winbindd privileged socket directory > >/var/lib/samba/winbindd_privileged > > winbind sealed pipes = Yes > > allow dns updates = secure only > > dns forwarder = 75.75.76.76 > > dns update command = /usr/sbin/samba_dnsupdate > > nsupdate command = /usr/bin/nsupdate -g > > rndc command = /usr/sbin/rndc > > multicast dns register = No > > samba kcc command = /usr/sbin/samba_kcc > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > >kdc, drepl, > >winbind, ntp_signd, kcc, dnsupdate, dns > > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, > >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, > >browser, eventlog6, > >backupkey, dnsserver > > spn update command = /usr/sbin/samba_spnupdate > > share backend = classic > > tls enabled = Yes > > tls keyfile = tls/key.pem > > tls certfile = tls/cert.pem > > tls cafile = tls/ca.pem > > tls crlfile > > tls dh params file > > idmap_ldb:use rfc2307 = yes > > prefork children:smb = 4 > > registry:hkey_users = hku.ldb > > registry:hkey_local_machine = hklm.ldb > > > >[netlogon] > > path = /var/lib/samba/sysvol/mwllc.info/scripts > > read only = No > > > >[sysvol] > > path = /var/lib/samba/sysvol > > read only = No > >(END) > >-- > >To unsubscribe from this list go to the following URL and read the > 
>instructions: https://lists.samba.org/mailman/options/samba > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:> can you try the following.. > and post the result back. > and /etc/resolv.conf > and /etc/krb5.conf > > copy past it, but set the admin pass fist. > then whats the output. > > SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE" > SETFQDN=`hostname -f` > > echo "NT Authentication test" > echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U > Administrator -c 'ls' > > echo "Kerberos Authentication" > echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator > smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k > kdestroy >[root at a10 ~]# cat /etc/resolv.conf # Generated by NetworkManager search conpago.mwllc.info nameserver 75.75.76.76 nameserver 75.75.75.75 [root at a10 etc]# cat krb5.conf [libdefaults] default_realm = MWLLC.INFO dns_lookup_realm = false dns_lookup_kdc = true [root at a10 etc]# SETFQDN=`hostname -f` [root at a10 etc]# echo "NT Authentication test" NT Authentication test [root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls' Enter Administrator's password: session setup failed: NT_STATUS_LOGON_FAILURE [root at a10 etc]# echo "Kerberos Authentication" Kerberos Authentication [root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials [root at a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory session setup failed: NT_STATUS_UNSUCCESSFUL [root at a10 etc]# kdestroy
L.P.H. van Belle
2015-Apr-22 14:04 UTC
[Samba] Cannot authenticate the administrator account
Are you sure you have the "correct" administrator password?
This should work: `echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'`
That step does not involve Kerberos yet, so a NT_STATUS_LOGON_FAILURE there is not a DNS/KDC problem.
?
Please run:
?
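# DNS sanity checks for an AD DC. With dns_lookup_kdc = true in krb5.conf,
# kinit locates the KDC through the _kerberos SRV record, and domain
# members locate the directory through _ldap._tcp; both must resolve via
# the nameserver listed in /etc/resolv.conf, as must the DC's own A record.
SETHOSTNAME=$(hostname -s)
SETDNSDOMAIN=$(hostname -d)
SETFQDN=$(hostname -f)
# The trailing dot makes each name absolute so the resolver's search list
# is not appended to it.
host -t SRV "_ldap._tcp.${SETDNSDOMAIN}."
host -t SRV "_kerberos._udp.${SETDNSDOMAIN}."
host -t A "${SETHOSTNAME}.${SETDNSDOMAIN}."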
and
cat /etc/hosts
?
and are these your DC's IPs? With dns_lookup_kdc = true the KDC is located through DNS, so the resolver in use must serve the AD zone:
?
nameserver 75.75.76.76
nameserver 75.75.75.75
?
Greetz,
?
Louis
?
?
Van: Mike [mailto:1100100 at gmail.com]
Verzonden: woensdag 22 april 2015 15:45
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Cannot authenticate the administrator account
On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl>
wrote:
can you try the following..
and post the result back.
and /etc/resolv.conf
and /etc/krb5.conf
copy past it, but set the admin pass fist.
then whats the output.
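# Authentication smoke test for a Samba AD DC: first an NTLM logon against
# the local netlogon share, then a Kerberos logon against the DC's own FQDN.
# Set SAMBA_NT_ADMIN_PASS to the real Administrator password before running
# (an already-exported value is honoured, so the secret need not be pasted
# into the script). The password is handed to smbclient/kinit on stdin only,
# so it never appears in the process argument list; note that typing the
# assignment at an interactive prompt still records it in shell history.
SAMBA_NT_ADMIN_PASS="${SAMBA_NT_ADMIN_PASS:-PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE}"
SETFQDN=$(hostname -f)
echo "NT Authentication test"
# printf rather than echo: a password starting with '-' or containing
# backslashes would otherwise be mangled, and the double quotes keep a
# password with spaces or glob characters intact.
printf '%s\n' "${SAMBA_NT_ADMIN_PASS}" | smbclient //localhost/netlogon -U Administrator -c 'ls'
echo "Kerberos Authentication"
# kinit uses default_realm from /etc/krb5.conf; the ticket is destroyed below.
printf '%s\n' "${SAMBA_NT_ADMIN_PASS}" | kinit Administrator
smbclient "//${SETFQDN}/netlogon" -U Administrator -c 'ls' -k
kdestroy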
[root at a10 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search conpago.mwllc.info
nameserver 75.75.76.76
nameserver 75.75.75.75
[root at a10 etc]# cat krb5.conf
[libdefaults]
    default_realm = MWLLC.INFO
    dns_lookup_realm = false
    dns_lookup_kdc = true
[root at a10 etc]# SETFQDN=`hostname -f`
[root at a10 etc]# echo "NT Authentication test"
NT Authentication test
[root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon
-U Administrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root at a10 etc]# echo "Kerberos Authentication"
Kerberos Authentication
[root at a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial
credentials
[root at a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c
'ls' -k
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or
directory
session setup failed: NT_STATUS_UNSUCCESSFUL
[root at a10 etc]# kdestroy