[Samba] NT_STATUS_CONNECTION_REFUSED

Rowland penny rpenny at samba.org
Wed Jan 27 09:27:52 UTC 2016


On 27/01/16 01:03, Henry McLaughlin wrote:
> On 27 January 2016 at 08:24, Rowland penny <rpenny at samba.org> wrote:
>
>> On 26/01/16 20:54, Henry McLaughlin wrote:
>>
>>> [root at centos7member ~]# net rpc rights list accounts -U'TESTING\administrator'
>>> Enter TESTING\administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>> [root at centos7member ~]#
>>>
>>>
>>>
>> This looks like a dns problem, it is trying to connect to localhost
>> instead of your DC, check /etc/resolv.conf and /etc/krb5.conf
>>
>> Rowland
>>
> [root at centos7pdc ~]# cat /etc/resolv.conf
> search testing.domain.com.au
> nameserver 192.168.1.10
>
> [root at centos7member ~]# cat /etc/krb5.conf
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   dns_lookup_realm = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
> # default_realm = EXAMPLE.COM
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
>
> Looks like krb5.conf is unconfigured. Is there a Samba guide as to how this
> should be configured or a std template?

OK, I missed this before:

you have in smb.conf:

        username map = /etc/samba/user.map

with the corresponding user.map

!root = TESTING\Administrator TESTING\administrator

you also posted:

[root at centos7member ~]# getent passwd administrator
administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash

You are mapping Administrator to root, but have also given Administrator
a uidNumber attribute (10500).

I would suggest that you remove the uidNumber attribute (and any other
RFC2307 attributes) from Administrator's AD object and depend on the
mapping instead. I am unsure if this will fix your problem, but it is a
good place to start.

Rowland
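
Added example, not part of the original message and not Samba code: a small offline check for the conflict described above, where an account listed in the username map also resolves to its own UID. The function names and the root passwd line are assumptions made for illustration; the map line and the administrator entry are the ones quoted in this thread.

```python
import re

# Constructed sample input, using the values quoted in this thread.
USER_MAP = r"""
# /etc/samba/user.map
!root = TESTING\Administrator TESTING\administrator
"""
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",  # constructed local entry (assumption)
    "administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash",
]

def parse_user_map(text):
    """Yield (unix_name, [windows_names]) for each mapping line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        unix, sep, rhs = line.partition("=")
        if not sep:
            continue
        unix = unix.strip().lstrip("!").strip()  # '!' = stop at first match
        # Quoted names may contain spaces; backslashes are kept literal.
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        yield unix, names

def passwd_uids(lines):
    """Map lower-cased account name -> numeric UID from passwd-format lines."""
    uids = {}
    for entry in lines:
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0].lower()] = int(fields[2])
    return uids

def find_conflicts(map_text, passwd_lines):
    """Return (windows_name, unix_name, mapped_uid, own_uid) for accounts that
    are mapped to a Unix user but also resolve to a different UID themselves."""
    uids = passwd_uids(passwd_lines)
    conflicts = []
    for unix, names in parse_user_map(map_text):
        mapped_uid = uids.get(unix.lower())
        if mapped_uid is None:               # mapping target unknown, skip
            continue
        for name in names:
            account = name.rsplit("\\", 1)[-1].lower()  # drop DOMAIN\ prefix
            own_uid = uids.get(account)
            if own_uid is not None and own_uid != mapped_uid:
                conflicts.append((name, unix, mapped_uid, own_uid))
    return conflicts
```

On a domain member the passwd lines would come from getent passwd for each mapped account; once the uidNumber attribute is removed the account no longer has its own entry and the list comes back empty.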



