[Samba] member joined, but...

L.P.H. van Belle belle at bazuin.nl
Wed Apr 2 02:20:17 MDT 2014


Ok finally found 1 error. I appreciate any suggestion where to look..  :-)

SPNEGO login failed: Logon failure

smbtree -d3 -N

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.240 bcast=192.168.1.255 netmask=255.255.255.0
Connecting to 192.168.1.240 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
BAZRTD
Connecting to 192.168.1.240 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
        \\MEMBERSERVER1                   Samba 4.1.6-SerNet-Debian-7.wheezy
Connecting to 192.168.1.240 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
                \\MEMBERSERVER1\IPC$              IPC Service (Samba 4.1.6-SerNet-Debian-7.wheezy)
                \\MEMBERSERVER1\software
                \\MEMBERSERVER1\data
                \\MEMBERSERVER1\profiles$
                \\MEMBERSERVER1\home

 

>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org] 
>On behalf of L.P.H. van Belle
>Sent: Wednesday 2 April 2014 10:11
>To: samba at lists.samba.org
>Subject: Re: [Samba] member joined, but...
>
>
>I really don't get it.  :-( 
>So if anyone has any tip for me please... 
>I need this also for my print server... 
>
>wbinfo -a "INTERNAL\Administrator%Mypassword"
>plaintext password authentication succeeded
>challenge/response password authentication succeeded
>
>net rpc group members users  -U Administrator -d5
>NTLMSSP_NEGOTIATE_128
>NTLMSSP_NEGOTIATE_KEY_EXCH
>SPNEGO login failed: Logon failure
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>failed to make ipc connection: NT_STATUS_LOGON_FAILURE
>return code = -1
>Opening cache file at /var/cache/samba/gencache.tdb
>Opening cache file at /var/cache/samba/gencache_notrans.tdb
>
>
>net -S rtd-dc1.internal.domain.tld rpc group members users  -U INTERNAL\\Administrator -d5
>Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0, auth_level 1
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 52
>check_bind_response: accepted!
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 84
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0, auth_level 1
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 52
>check_bind_response: accepted!
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 44
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc command function failed! (NT_STATUS_NO_SUCH_ALIAS)
>return code = -1
>
>
>
>and the log of the member joining the AD Domain :
>
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
>Apr  1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update unsuccessful: rtd-mem-001.internal.domain.tld/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling transaction on zone internal.domain.tld
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: spnego update failed
>Apr  1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update failed: rejected by secure update (REFUSED)
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling transaction on zone internal.domain.tld
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
>Apr  1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': deleting rrset at 'rtd-mem-001.internal.domain.tld' A
>Apr  1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': adding an RR at 'rtd-mem-001.internal.domain.tld' A
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: added rtd-mem-001.internal.domain.tld rtd-mem-001.internal.domain.tld.#0113600#011IN#011A#011192.168.1.240
>Apr  1 16:37:56 rtd-dc1 named[1993]: samba_dlz: subtracted rdataset internal.domain.tld 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.domain.tld. hostmaster.internal.domain.tld. 12 900 600 86400 0'
>Apr  1 16:37:57 rtd-dc1 named[1993]: samba_dlz: added rdataset internal.domain.tld 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.domain.tld. hostmaster.internal.domain.tld. 13 900 600 86400 0'
>Apr  1 16:37:57 rtd-dc1 named[1993]: samba_dlz: committed transaction on zone internal.domain.tld
> 
>
>
>
>
>>-----Original message-----
>>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org] 
>>On behalf of L.P.H. van Belle
>>Sent: Wednesday 2 April 2014 8:25
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] member joined, but...
>>
>>Hi Rowland, 
>>
>>Well, this is in it, is the same as for the 2 DC ( and are ips nameserver in resolv.conf ) 
>>
>>resolv.conf  
>>search internal.domain.tld
>>domain internal.domain.tld
>>nameserver 192.168.1.1
>>nameserver 192.168.1.2
>>
>>krb5.conf 
>>[libdefaults]
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> default_realm = INTERNAL.DOMAIN.TLD 
>>
>>
>>I don't get it. 
>>software installed ( from the script I run ) 
>>apt-get install sernet-samba sernet-samba-winbind fam acl attr quota -y
>>samba set to classic. 
>>did kerberos setup. 
>>checked with klist -e
>>joined the domain with : net ads join -U Administrator
>>started up samba : 
>>/etc/init.d/sernet-samba-smbd start
>>/etc/init.d/sernet-samba-nmbd start
>>/etc/init.d/sernet-samba-winbindd start
>>
>>/etc/pam.d/samba  
>># copy from /etc/pam.d/common-auth      - authentication settings common to all services
>>#
>>auth    sufficient                      pam_winbind.so
>>auth    [success=1 default=ignore]      pam_unix.so nullok_secure use_first_pass
>>auth    requisite                       pam_deny.so
>>auth    required                        pam_permit.so
>>
>># copy from /etc/pam.d/common-account   - authorization settings common to all services
>>#
>>account sufficient pam_winbind.so
>>account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
>>account requisite                       pam_deny.so
>>account required                        pam_permit.so
>>
>># copy from /etc/pam.d/common-session   - session-related modules common to all services
>>#
>>session required                        pam_mkhomedir.so
>>session required                        pam_winbind.so
>>session [default=1]                     pam_permit.so
>>session requisite                       pam_deny.so
>>session required                        pam_permit.so
>>session required                        pam_unix.so
>>
>>nsswitch.conf
>>passwd:         compat winbind
>>group:          compat winbind
>>shadow:         compat
>>
>>hosts:          files dns
>>networks:       files
>>
>>protocols:      db files
>>services:       db files
>>ethers:         db files
>>rpc:            db files
>>
>>
>>wbinfo -u
>>wbinfo -g
>>is ok, I get the users and groups. 
>>
>>getent passwd works ( if I set uid/gid in the unix tab of the users/group ) 
>>
>>so looks all fine to me...  so what's going on.. I don't see it. 
>>
>>Greetz, 
>>
>>Louis
>>
>>>-----Original message-----
>>>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org] 
>>>On behalf of L.P.H. van Belle
>>>Sent: Tuesday 1 April 2014 17:00
>>>To: samba at lists.samba.org
>>>Subject: [Samba] member joined, but...
>>>
>>>Hi, 
>>> 
>>>I have automated the install of my member server. 
>>>Followed the wiki : 
>>>https://wiki.samba.org/index.php/Samba/Domain_Member 
>>> 
>>>Everything works nicely, but... .. read on..  ;-) 
>>> 
>>>ok, so wiki says: 
>>>https://wiki.samba.org/index.php/Setup_and_configure_file_shares 
>>> 
>>>and now I'm at the point : SeDiskOperatorPrivilege 
>>>and .. for the DCs installed this worked without problems... 
>>> 
>>>but for the domain member, I'm getting ... 
>>> 
>>>net rpc rights list accounts -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server 127.0.0.1
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>net -S servername rpc rights list accounts -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server rtd-mem-001
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server servername.internal.domain.tld
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>and of course setting the Se right didn't work 
>>> 
>>>net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server 127.0.0.1
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> 
>>>so.. 
>>>/etc/hosts ( checked ) 
>>>/etc/nsswitch.conf ( checked ) 
>>>/etc/resolv.conf (check) 
>>>/var/log/samba/ all logs checked, no errors at all. 
>>>kinit Administrator  ( checked ) 
>>> 
>>>/etc/samba/smb.conf
>>> 
>>>[global]
>>> 
>>>   workgroup = INTERNAL
>>>   security = ADS
>>>   realm = INTERNAL.DOMAIN.TLD
>>> 
>>>   idmap config *:backend = tdb
>>>   idmap config *:range = 500001-800000
>>>   idmap config BAZRTD:backend = ad
>>>   idmap config BAZRTD:schema_mode = rfc2307
>>>   idmap config BAZRTD:range = 10000-400000
>>> 
>>>   winbind nss info = rfc2307
>>>   winbind trusted domains only = no
>>>   winbind use default domain = yes
>>>   #winbind enum users  = yes
>>>   #winbind enum groups = yes
>>> 
>>>   template shell = /bin/bash
>>>   template homedir = /home/samba/DOMAIN/%USERNAME%
>>> 
>>>   # For ACL support on member server
>>>   vfs objects = acl_xattr
>>>   map acl inherit = Yes
>>>   store dos attributes = Yes
>>> 
>>>   # disable printing completely
>>>   load printers = no
>>>   printing = bsd
>>>   printcap name = /dev/null
>>>   disable spoolss = yes
>>> 
>>> 
>>> 
>>>Anyone an idea? 
>>> 
>>> 
>>> 
>>>
>>>-- 
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>
>
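
Added example, not part of the original post: a Python decoder for the `neg_flags` values in the `smbtree -d3` output at the top of this message, reporting which NTLMSSP flags were offered in the challenge, which were kept in the final set, and whether signing or sealing was negotiated. The flag names follow MS-NLMP and the table is a subset; `decode` and `summarize` are hypothetical helper names.

```python
import re

# Subset of the NTLMSSP NegotiateFlags bits, named as in MS-NLMP.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# One session setup, copied from the smbtree -d3 output in the post.
SAMPLE_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
"""

def decode(value):
    """Return sorted names of the bits set in value; unlisted bits as hex."""
    names = [n for bit, n in NTLMSSP_FLAGS.items() if value & bit]
    rest = value & ~sum(NTLMSSP_FLAGS)
    return sorted(names + ([f"UNKNOWN_0x{rest:08x}"] if rest else []))

def summarize(log):
    """Take the neg_flags value that follows each 'challenge'/'final' header."""
    stage, found = None, {}
    for line in log.splitlines():
        if "challenge flags" in line:
            stage = "challenge"
        elif "Set final flags" in line:
            stage = "final"
        m = re.search(r"neg_flags=(0x[0-9a-fA-F]+)", line)
        if m and stage:
            found[stage], stage = int(m.group(1), 16), None
    dropped = found["challenge"] & ~found["final"]
    return {"challenge": decode(found["challenge"]),
            "final": decode(found["final"]), "dropped": decode(dropped),
            "sign": bool(found["final"] & 0x10), "seal": bool(found["final"] & 0x20)}
```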


