[Samba] NT_STATUS_CONNECTION_REFUSED

Henry McLaughlin henry at incred.com.au
Wed Jan 27 11:29:25 UTC 2016


On 27 January 2016 at 21:45, Rowland penny <rpenny at samba.org> wrote:

> On 27/01/16 10:07, Henry McLaughlin wrote:
>
>> On 27 January 2016 at 20:27, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 27/01/16 01:03, Henry McLaughlin wrote:
>>>
>>> On 27 January 2016 at 08:24, Rowland penny <rpenny at samba.org> wrote:
>>>>
>>>> On 26/01/16 20:54, Henry McLaughlin wrote:
>>>>
>>>>> [root at centos7member ~]# net rpc rights list accounts
>>>>>
>>>>>> -U'TESTING\administrator'
>>>>>> Enter TESTING\administrator's password:
>>>>>> Could not connect to server 127.0.0.1
>>>>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>>>>> [root at centos7member ~]#
>>>>>>
>>>>>>
>>>>>>
>>>>>> This looks like a dns problem, it is trying to connect to localhost
>>>>>>
>>>>> instead of your DC, check /etc/resolv.conf and /etc/krb5.conf
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>> [root at centos7pdc ~]# cat /etc/resolv.conf
>>>>>
>>>> search testing.domain.com.au
>>>> nameserver 192.168.1.10
>>>>
>>>> [root at centos7member ~]# cat /etc/krb5.conf
>>>> [logging]
>>>>    default = FILE:/var/log/krb5libs.log
>>>>    kdc = FILE:/var/log/krb5kdc.log
>>>>    admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>    dns_lookup_realm = false
>>>>    ticket_lifetime = 24h
>>>>    renew_lifetime = 7d
>>>>    forwardable = true
>>>>    rdns = false
>>>> # default_realm = EXAMPLE.COM
>>>>    default_ccache_name = KEYRING:persistent:%{uid}
>>>>
>>>> [realms]
>>>> # EXAMPLE.COM = {
>>>> #  kdc = kerberos.example.com
>>>> #  admin_server = kerberos.example.com
>>>> # }
>>>>
>>>> [domain_realm]
>>>> # .example.com = EXAMPLE.COM
>>>> # example.com = EXAMPLE.COM
>>>>
>>>>
>>>> Looks like krb5.conf is unconfigured. Is there a Samba guide as to how this
>>>> should be configured or a std template?
>>>>
>>>> OK, I missed this before:
>>>
>>> you have in smb.conf:
>>>
>>>         username map = /etc/samba/user.map
>>>
>>> with the corresponding user.map
>>>
>>> !root = TESTING\Administrator TESTING\administrator
>>>
>>> you also posted:
>>>
>>> [root at centos7member ~]# getent passwd administrator
>>> administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash
>>>
>>> You are mapping Administrator to root, but have also given Administrator a
>>> uidNumber attribute (10500)
>>>
>>> I would suggest that you remove the uidNumber attribute (and any other
>>> rfc2307 attributes) from Administrator's AD object and depend on the mapping
>>> instead. I am unsure if this will fix your problem, but it is a good place
>>> to start.
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi Rowland, I understood that idmap rid did not need me to assign UIDs &
>> GIDs in ADUC as these were auto calculated based upon the sid. Accordingly
>> I have assigned NO unix attributes in ADUC.
>>
>
> Quite correct, but you still shouldn't be getting a response from 'getent'
> for administrator, if I run getent on a domain member I get this:
>
> rowland at debnet:~$ getent passwd administrator
> rowland at debnet:~$
>
> Whilst on a DC, I get this:
>
> root at dc1:~# getent passwd administrator
> SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> root at dc1:~#
>
> As you can see, Administrator has a UID of '0'  and this is also the UID
> of root.
>
> This is on debian, I think you may have a mis-configuration in PAM.
>
> Rowland
>
>
>
>

I have no idea where to start here. I was trialling CentOS7 as it had a more
up to date Samba version.

Can you confirm that Ubuntu 14.04 is stable as an AD DC and as an AD Member
using RID? If so then I'll go back to what I know best.
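
The condition Rowland points at earlier in the thread (an account that user.map maps to root while NSS also returns it with its own non-zero UID) can be checked with a short script. This is an added example, not part of the original thread and not Samba tooling; the function names are hypothetical and the demo values are the two lines quoted above.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Samba tooling).

# mapped_to_root MAPFILE
# Print the lowercased account names (domain prefix stripped) that a Samba
# "username map" file assigns to the Unix user root.
mapped_to_root() (
    set -f                                   # entries may contain '*'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        unix=${line%%=*}
        [ "$unix" = "$line" ] && continue    # no '=' on this line
        unix=$(printf '%s' "$unix" | tr -d ' \t!')
        [ "$unix" = "root" ] || continue
        for n in ${line#*=}; do
            n=${n##*\\}                      # drop the DOMAIN\ prefix
            printf '%s\n' "$n" | tr '[:upper:]' '[:lower:]'
        done
    done < "$1" | sort -u
)

# check_conflict MAPFILE PASSWD_ENTRY
# PASSWD_ENTRY is one passwd(5)-format line, e.g. output of `getent passwd`.
# Returns 0 and prints a finding when the account is mapped to root but NSS
# reports a non-zero UID for it; returns 1 otherwise (including empty input).
check_conflict() (
    entry=$2
    [ -n "$entry" ] || return 1
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    short=${name##*\\}
    short=$(printf '%s' "$short" | tr '[:upper:]' '[:lower:]')
    if mapped_to_root "$1" | grep -qxF -- "$short" && [ "$uid" != "0" ]; then
        printf 'CONFLICT: %s is mapped to root but NSS returns uid %s\n' \
            "$name" "$uid"
        return 0
    fi
    return 1
)

# Demo using the user.map line and getent output quoted in this thread.
map=$(mktemp)
printf '%s\n' '!root = TESTING\Administrator TESTING\administrator' > "$map"
check_conflict "$map" \
    'administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash' || true
rm -f "$map"
```

On a live member server the same check runs as `check_conflict /etc/samba/user.map "$(getent passwd administrator)"`.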

