L.P.H. van Belle
2015-Apr-22 14:04 UTC
[Samba] Cannot authenticate the administrator account
Are you sure you have the "correct" administrator password ..

this should work,
echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
that does not involve kerberos yet..

Please run:

SETHOSTNAME=`hostname -s`
SETDNSDOMAIN=`hostname -d`
SETFQDN=`hostname -f`

host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.

and
cat /etc/hosts

and these are your DC's ips?

nameserver 75.75.76.76
nameserver 75.75.75.75

Greetz,

Louis

From: Mike [mailto:1100100 at gmail.com]
Sent: Wednesday 22 April 2015 15:45
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Cannot authenticate the administrator account

On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

can you try the following..
and post the result back.
and /etc/resolv.conf
and /etc/krb5.conf

copy paste it, but set the admin pass first.
then what's the output.

SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
SETFQDN=`hostname -f`

echo "NT Authentication test"
echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'

echo "Kerberos Authentication"
echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
kdestroy

[root@a10 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search conpago.mwllc.info
nameserver 75.75.76.76
nameserver 75.75.75.75
[root@a10 etc]# cat krb5.conf
[libdefaults]
    default_realm = MWLLC.INFO
    dns_lookup_realm = false
    dns_lookup_kdc = true

[root@a10 etc]# SETFQDN=`hostname -f`
[root@a10 etc]# echo "NT Authentication test"
NT Authentication test
[root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@a10 etc]# echo "Kerberos Authentication"
Kerberos Authentication
[root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials
[root@a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory
session setup failed: NT_STATUS_UNSUCCESSFUL
[root@a10 etc]# kdestroy

On 22/04/15 15:04, L.P.H. van Belle wrote:
> Are you sure you have the "correct" administrator password ..
>
> this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
> that does not involve kerberos yet..
>
> Please run:
>
> SETHOSTNAME=`hostname -s`
> SETDNSDOMAIN=`hostname -d`
> SETFQDN=`hostname -f`
>
> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>
> and
> cat /etc/hosts
>
> and these are your DC's ips?
>
> nameserver 75.75.76.76
> nameserver 75.75.75.75
>
> Greetz,
>
> Louis
>
> From: Mike [mailto:1100100 at gmail.com]
> Sent: Wednesday 22 April 2015 15:45
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Cannot authenticate the administrator account
>
> On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> can you try the following..
> and post the result back.
> and /etc/resolv.conf
> and /etc/krb5.conf
>
> copy paste it, but set the admin pass first.
> then what's the output.
>
> SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
> SETFQDN=`hostname -f`
>
> echo "NT Authentication test"
> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>
> echo "Kerberos Authentication"
> echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
> smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
> kdestroy
>
> [root@a10 ~]# cat /etc/resolv.conf
> # Generated by NetworkManager
> search conpago.mwllc.info
> nameserver 75.75.76.76
> nameserver 75.75.75.75
> [root@a10 etc]# cat krb5.conf
> [libdefaults]
>     default_realm = MWLLC.INFO
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> [root@a10 etc]# SETFQDN=`hostname -f`
> [root@a10 etc]# echo "NT Authentication test"
> NT Authentication test
> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
> Enter Administrator's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> [root@a10 etc]# echo "Kerberos Authentication"
> Kerberos Authentication
> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
> kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials
> [root@a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
> cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory
> session setup failed: NT_STATUS_UNSUCCESSFUL
> [root@a10 etc]# kdestroy

Hi Louis, did you miss this:

[root@a10 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search conpago.mwllc.info
nameserver 75.75.76.76
nameserver 75.75.75.75

His realm (from krb5.conf) is 'MWLLC.INFO'

Rowland

L.P.H. van Belle
2015-Apr-22 15:09 UTC
[Samba] Cannot authenticate the administrator account
ahh. stupid me.. yes..

but this should have worked, with the correct pass..
echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'

Thanx for pointing me.. ;-)

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday 22 April 2015 17:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Cannot authenticate the administrator account
>
> On 22/04/15 15:04, L.P.H. van Belle wrote:
>> Are you sure you have the "correct" administrator password ..
>>
>> this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>> that does not involve kerberos yet..
>>
>> Please run:
>>
>> SETHOSTNAME=`hostname -s`
>> SETDNSDOMAIN=`hostname -d`
>> SETFQDN=`hostname -f`
>>
>> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>>
>> and
>> cat /etc/hosts
>>
>> and these are your DC's ips?
>>
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> Greetz,
>>
>> Louis
>>
>> From: Mike [mailto:1100100 at gmail.com]
>> Sent: Wednesday 22 April 2015 15:45
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot authenticate the administrator account
>>
>> On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>> can you try the following..
>> and post the result back.
>> and /etc/resolv.conf
>> and /etc/krb5.conf
>>
>> copy paste it, but set the admin pass first.
>> then what's the output.
>>
>> SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
>> SETFQDN=`hostname -f`
>>
>> echo "NT Authentication test"
>> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>>
>> echo "Kerberos Authentication"
>> echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
>> smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
>> kdestroy
>>
>> [root@a10 ~]# cat /etc/resolv.conf
>> # Generated by NetworkManager
>> search conpago.mwllc.info
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>> [root@a10 etc]# cat krb5.conf
>> [libdefaults]
>>     default_realm = MWLLC.INFO
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> [root@a10 etc]# SETFQDN=`hostname -f`
>> [root@a10 etc]# echo "NT Authentication test"
>> NT Authentication test
>> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>> Enter Administrator's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> [root@a10 etc]# echo "Kerberos Authentication"
>> Kerberos Authentication
>> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
>> kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials
>> [root@a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
>> cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>> [root@a10 etc]# kdestroy
>
> Hi Louis, did you miss this:
>
> [root@a10 ~]# cat /etc/resolv.conf
> # Generated by NetworkManager
> search conpago.mwllc.info
> nameserver 75.75.76.76
> nameserver 75.75.75.75
>
> His realm (from krb5.conf) is 'MWLLC.INFO'
>
> Rowland

On 22/04/15 16:01, Rowland Penny wrote:
> On 22/04/15 15:04, L.P.H. van Belle wrote:
>> Are you sure you have the "correct" administrator password ..
>>
>> this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>> that does not involve kerberos yet..
>>
>> Please run:
>>
>> SETHOSTNAME=`hostname -s`
>> SETDNSDOMAIN=`hostname -d`
>> SETFQDN=`hostname -f`
>>
>> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>>
>> and
>> cat /etc/hosts
>>
>> and these are your DC's ips?
>>
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> Greetz,
>>
>> Louis
>>
>> From: Mike [mailto:1100100 at gmail.com]
>> Sent: Wednesday 22 April 2015 15:45
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot authenticate the administrator account
>>
>> On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>> can you try the following..
>> and post the result back.
>> and /etc/resolv.conf
>> and /etc/krb5.conf
>>
>> copy paste it, but set the admin pass first.
>> then what's the output.
>>
>> SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
>> SETFQDN=`hostname -f`
>>
>> echo "NT Authentication test"
>> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>>
>> echo "Kerberos Authentication"
>> echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
>> smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
>> kdestroy
>>
>> [root@a10 ~]# cat /etc/resolv.conf
>> # Generated by NetworkManager
>> search conpago.mwllc.info
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>> [root@a10 etc]# cat krb5.conf
>> [libdefaults]
>>     default_realm = MWLLC.INFO
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> [root@a10 etc]# SETFQDN=`hostname -f`
>> [root@a10 etc]# echo "NT Authentication test"
>> NT Authentication test
>> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>> Enter Administrator's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> [root@a10 etc]# echo "Kerberos Authentication"
>> Kerberos Authentication
>> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
>> kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials
>> [root@a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
>> cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>> [root@a10 etc]# kdestroy
>
> Hi Louis, did you miss this:
>
> [root@a10 ~]# cat /etc/resolv.conf
> # Generated by NetworkManager
> search conpago.mwllc.info
> nameserver 75.75.76.76
> nameserver 75.75.75.75
>
> His realm (from krb5.conf) is 'MWLLC.INFO'
>
> Rowland

and another thing, why is NetworkManager setting /etc/resolv.conf anyway ? The DC ip info should be in /etc/network/interfaces (on debian) and network manager removed.

Rowland

On 22/04/15 16:09, L.P.H. van Belle wrote:
> ahh. stupid me.. yes..
>
> but this should have worked, with the correct pass..
> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>
> Thanx for pointing me.. ;-)
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Wednesday 22 April 2015 17:02
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot authenticate the administrator account
>>
>> On 22/04/15 15:04, L.P.H. van Belle wrote:
>>> Are you sure you have the "correct" administrator password ..
>>>
>>> this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>>> that does not involve kerberos yet..
>>>
>>> Please run:
>>>
>>> SETHOSTNAME=`hostname -s`
>>> SETDNSDOMAIN=`hostname -d`
>>> SETFQDN=`hostname -f`
>>>
>>> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>>> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>>> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>>>
>>> and
>>> cat /etc/hosts
>>>
>>> and these are your DC's ips?
>>>
>>> nameserver 75.75.76.76
>>> nameserver 75.75.75.75
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>> From: Mike [mailto:1100100 at gmail.com]
>>> Sent: Wednesday 22 April 2015 15:45
>>> To: L.P.H. van Belle
>>> CC: samba at lists.samba.org
>>> Subject: Re: [Samba] Cannot authenticate the administrator account
>>>
>>> On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>> can you try the following..
>>> and post the result back.
>>> and /etc/resolv.conf
>>> and /etc/krb5.conf
>>>
>>> copy paste it, but set the admin pass first.
>>> then what's the output.
>>>
>>> SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
>>> SETFQDN=`hostname -f`
>>>
>>> echo "NT Authentication test"
>>> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>>>
>>> echo "Kerberos Authentication"
>>> echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
>>> smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
>>> kdestroy
>>>
>>> [root@a10 ~]# cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search conpago.mwllc.info
>>> nameserver 75.75.76.76
>>> nameserver 75.75.75.75
>>> [root@a10 etc]# cat krb5.conf
>>> [libdefaults]
>>>     default_realm = MWLLC.INFO
>>>     dns_lookup_realm = false
>>>     dns_lookup_kdc = true
>>>
>>> [root@a10 etc]# SETFQDN=`hostname -f`
>>> [root@a10 etc]# echo "NT Authentication test"
>>> NT Authentication test
>>> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>>> Enter Administrator's password:
>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>> [root@a10 etc]# echo "Kerberos Authentication"
>>> Kerberos Authentication
>>> [root@a10 etc]# echo ${SAMBA_NT_ADMIN_PASS} | kinit Administrator
>>> kinit: Cannot find KDC for realm "MWLLC.INFO" while getting initial credentials
>>> [root@a10 etc]# smbclient //${SETFQDN}/netlogon -U Administrator -c 'ls' -k
>>> cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: No such file or directory
>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>> [root@a10 etc]# kdestroy
>>
>> Hi Louis, did you miss this:
>>
>> [root@a10 ~]# cat /etc/resolv.conf
>> # Generated by NetworkManager
>> search conpago.mwllc.info
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> His realm (from krb5.conf) is 'MWLLC.INFO'
>>
>> Rowland

yes, but (yet another thing) what is in /etc/hosts ?

Rowland

On Wed, Apr 22, 2015 at 10:04 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> Are you sure you have the "correct" administrator password ..
>
> this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
> that does not involve kerberos yet..
>
> Please run:
>
> SETHOSTNAME=`hostname -s`
> SETDNSDOMAIN=`hostname -d`
> SETFQDN=`hostname -f`
>
> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>
> and
> cat /etc/hosts
>
> and these are your DC's ips?
>
> nameserver 75.75.76.76
> nameserver 75.75.75.75
>
> Greetz,
>
> Louis

Hi Louis,

I'm definitely using the same Administrator password; wrote it down during provisioning.

For my DC's nameservers ---- might I have this wrong? Those ip's are my ISP's nameservers - Xfinity Comcast.
The actual CentOS server box static ip is 10.10.1.225. Do I need to delete the ISP nameservers and go with 10.10.1.225?

Thank you for all the follow up.

Mike

On Wed, Apr 22, 2015 at 11:09 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> but this should have worked, with the correct pass..
> echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'

Something almost worked ----

[root@a10 ~]# echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
Enter Administrator's password:
Anonymous login successful
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@a10 ~]#

On 22/04/15 16:28, Mike wrote:
> On Wed, Apr 22, 2015 at 10:04 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> Are you sure you have the "correct" administrator password ..
>>
>> this should work, echo ${SAMBA_NT_ADMIN_PASS}| smbclient //localhost/netlogon -U Administrator -c 'ls'
>> that does not involve kerberos yet..
>>
>> Please run:
>>
>> SETHOSTNAME=`hostname -s`
>> SETDNSDOMAIN=`hostname -d`
>> SETFQDN=`hostname -f`
>>
>> host -t SRV _ldap._tcp.${SETDNSDOMAIN}.
>> host -t SRV _kerberos._udp.${SETDNSDOMAIN}.
>> host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}.
>>
>> and
>> cat /etc/hosts
>>
>> and these are your DC's ips?
>>
>> nameserver 75.75.76.76
>> nameserver 75.75.75.75
>>
>> Greetz,
>>
>> Louis
>
> Hi Louis,
>
> I'm definitely using the same Administrator password; wrote it down during provisioning.
>
> For my DC's nameservers ---- might I have this wrong? Those ip's are my ISP's nameservers - Xfinity Comcast.
> The actual CentOS server box static ip is 10.10.1.225. Do I need to delete the ISP nameservers and go with 10.10.1.225?
>
> Thank you for all the follow up.
>
> Mike

How should I put this politely, you have to point the DC at itself if you only have one DC, if you have two DCs, then point one at the other, then itself:

The kerberos realm must be the same as your DNS domain and it is advised that this is not resolvable from the internet.

i.e. if you have one DC and your registered DNS domain is example.com and the ipaddress of the DC is 192.168.0.2, then resolv.conf should contain:

search internal.example.com
nameserver 192.168.0.2

Or if you have two DCs and the ipaddress of the second DC is 192.168.0.3:

First DC (192.168.0.2):

search internal.example.com
nameserver 192.168.0.3
nameserver 192.168.0.2

Second DC (192.168.0.3):

search internal.example.com
nameserver 192.168.0.2
nameserver 192.168.0.3

You can replace 'internal' with anything you like and you do not have to use it for the domain/workgroup, but whatever you use, 'hostname -d' must show this domain name and you *MUST* use this as the realm name when you provision.

Anything that is outside the samba4 AD domain is forwarded to the forwarder set in smb.conf, in your case 'dns forwarder = 75.75.76.76'

Rowland
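
The rules in the reply above (every nameserver is a DC, and the search domain, 'hostname -d' and the Kerberos realm all name the same domain) can be checked offline against copies of the two files. The script below is an added example, not code from the thread or from Samba; the function names are hypothetical, the sample files are constructed from values quoted in the thread, and taking conpago.mwllc.info as the DC's DNS domain is an assumption.

```sh
#!/bin/sh
# check_dc_dns RESOLV_CONF KRB5_CONF DNS_DOMAIN DC_IP [DC_IP...]
# DNS_DOMAIN is what `hostname -d` prints on the DC. Prints one line per
# finding; the exit status is the number of findings. (Hypothetical helper.)
check_dc_dns() {
    resolv=$1; krb5=$2; domain=$3; shift 3
    problems=0
    # 1. Every nameserver must be a DC; external resolvers belong in
    #    smb.conf as 'dns forwarder'.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv"); do
        known=no
        for dc in "$@"; do
            if [ "$ns" = "$dc" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then
            echo "nameserver $ns is not a DC"
            problems=$((problems + 1))
        fi
    done
    # 2. The search domain must be the DC's DNS domain.
    search=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    if [ "$search" != "$domain" ]; then
        echo "search domain '$search' differs from DNS domain '$domain'"
        problems=$((problems + 1))
    fi
    # 3. default_realm must be the DNS domain (compared in upper case).
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$krb5" | head -n 1)
    want=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$want" ]; then
        echo "realm '$realm' differs from DNS domain '$want'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample 1: the two files as posted in the thread. Taking the
# DNS domain from the 'search' line is an assumption.
demo_posted() {
    d=$(mktemp -d)
    printf 'search conpago.mwllc.info\nnameserver 75.75.76.76\nnameserver 75.75.75.75\n' > "$d/resolv.conf"
    printf '[libdefaults]\n    default_realm = MWLLC.INFO\n' > "$d/krb5.conf"
    rc=0
    check_dc_dns "$d/resolv.conf" "$d/krb5.conf" conpago.mwllc.info 10.10.1.225 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Constructed sample 2: first DC of the two-DC layout from the reply above.
demo_two_dcs() {
    d=$(mktemp -d)
    printf 'search internal.example.com\nnameserver 192.168.0.3\nnameserver 192.168.0.2\n' > "$d/resolv.conf"
    printf '[libdefaults]\n    default_realm = INTERNAL.EXAMPLE.COM\n' > "$d/krb5.conf"
    rc=0
    check_dc_dns "$d/resolv.conf" "$d/krb5.conf" internal.example.com 192.168.0.2 192.168.0.3 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a live DC the same function can be pointed at /etc/resolv.conf and /etc/krb5.conf with "$(hostname -d)" as the third argument.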