[Samba] NT_STATUS_CONNECTION_REFUSED, again!!!

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 27 11:22:50 MST 2015


On 27/02/15 18:00, Bob of Donelson Trophy wrote:
>   
>
> Thanks Rowland.
>
> Being the novice that I am, I thought the line would 'pickup' my DOMAIN
> and replace the ${SAMBA_NT_DOMAIN}. So, I just tried the line correctly
> and it asked for my Administrator password and subsequently granted
> access. At least I know I can go and correct manually, if I need to.
>
> My /etc/resolv.conf is:
>
> root at dt01:~# cat /etc/resolv.conf
>
> search dts***m.dt
>
> nameserver 192.168.16.51
>
> The nameserver is resolving to "itself", the DC01. (As you know, this is
> created through the script.)
>
> The "wbinfo -g" says that "Domain Admins" is indeed in the groups.
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>
> On 2015-02-27 11:43, Rowland Penny wrote:
>
>> On 27/02/15 17:28, Bob of Donelson Trophy wrote:
>>
>>> I thought I was over this the other day when I got it to work properly on my VM. Now, on an actual PC I am getting:
>>>
>>> ==========Test kerberos ===============================
>>> Lets test some things
>>> Testing : kerberos
>>> Password for Administrator at DTSHRM.DT:
>>> Warning: Your password will expire in 41 days on Fri Apr 10 08:43:58 2015
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: Administrator at DTSHRM.DT
>>>
>>> Valid starting Expires Service principal
>>> 27/02/2015 07:45 27/02/2015 17:45 krbtgt/DTSHRM.DT at DTSHRM.DT
>>> renew until 28/02/2015 07:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>
>>> ==========SE Privileges ===============================
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>>
>>> I snipped some excess<<<<<<<<
>>>
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>> Enter Administrator's password:
>>> Successfully granted rights.
>>> Enter Administrator's password:
>>>
>>> I snipped some excess<<<<<<<<<<<
>>>
>>> Enter Administrator's password:
>>> Successfully granted rights.
>>>
>>> ==========Test DNS Records ===============================
>>> Testing : dns entries
>>> testing of : host -t SRV _ldap._tcp.dtshrm.dt. : ok
>>> testing of : host -t SRV _kerberos._udp.dtshrm.dt. : ok
>>> testing of : host -t A dtdc01.dtshrm.dt. : ok
>>>
>>> I snipped the ending<<<<<
>>>
>>> I have had the chance to try this several times (thanks to backups) and each time a different number of failures and then "Successfully granted rights." Generally there are anywhere from 12 to 17 failures across two attempts (that I paid close attention to, out of five tries.) And, because I have two identical computers (one that will become DC1 and the other DC2) I switched machines, just to make sure it wasn't a hardware issue. It's not!
>>>
>>> When I run one of the failed script lines manually, I get:
>>>
>>> root at dc01:~# echo ${SAMBA_NT_ADMIN_PASS}| net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> That might have failed because . . . . so, I tried this:
>>>
>>> root at dc01:~# net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>> Enter Administrator's password:
>>> Failed to grant privileges for Domain Admins (NT_STATUS_NO_SUCH_USER)
>>>
>>> So, the script is not creating the "Domain Admins"? Confused, for sure!!!!
>>
>> Hi Bob, what have you got in /etc/resolv.conf ?
>>
>> I also take it that when you ran the lines manually, you replaced the variables with the correct info.
>>
>> The script doesn't create Domain Admins, this is done by the provision, run 'wbinfo -g' this should print all your domain groups.
>>
>> Rowland
>   
>
> Links:
> ------
> [1] http://www.donelsontrophy.com

OK, I have had a look at Louis's script and the line that is failing is 
this:

echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
                     I 'think' the problem is here    ^

If you want to escape a character in bash you use the '\' character and 
I 'think' what is happening is that, instead of escaping the other '\', 
it is actually escaping the double quotes character.

Try replacing that line with this:

echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}\\Domain\ Admins SeDiskOperatorPrivilege -UAdministrator

Rowland
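
A way to check what the shell actually hands to `net` for each spelling of the group argument in this thread (added example, not part of the original messages or of Louis's script; `show_args`, the function names and the `EXAMPLE` domain value are constructed for illustration). In a POSIX shell the script line, the suggested replacement and a fully quoted form all expand to the same single argument, while the manually typed line with the variable unset loses the domain prefix.

```bash
#!/bin/bash
# Added example: print the argument list a command would receive for each
# spelling of the group name in this thread. Values are constructed.
SETNTDOM="EXAMPLE"        # constructed stand-in for the script's domain variable
unset SAMBA_NT_DOMAIN     # as in an interactive shell where it was never set

# One bracketed line per argument, so word boundaries are visible.
show_args() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Spelling in the script line quoted above.
args_script() {
    show_args grant ${SETNTDOM}\\"Domain Admins" SeDiskOperatorPrivilege
}

# Spelling in the suggested replacement.
args_replacement() {
    show_args grant ${SETNTDOM}\\Domain\ Admins SeDiskOperatorPrivilege
}

# Whole argument inside double quotes (inside quotes \\ is one backslash).
args_quoted() {
    show_args grant "${SETNTDOM}\\Domain Admins" SeDiskOperatorPrivilege
}

# Manually typed line with the variable unset: the prefix silently vanishes.
args_unset() {
    show_args grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege
}

# Same line with a guard; the subshell body ( ) stops with an error instead.
args_guarded() (
    show_args grant "${SAMBA_NT_DOMAIN:?is not set}\\Domain Admins" SeDiskOperatorPrivilege
)

for f in args_script args_replacement args_quoted args_unset; do
    echo "== $f"; "$f"
done
echo "== args_guarded"; args_guarded || echo "stopped: variable not set"
```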



