[Samba] member joined, but...
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 2 02:20:17 MDT 2014
Ok finally found 1 error. I appreciate any suggestion where to look.. :-)
SPNEGO login failed: Logon failure
smbtree -d3 -N
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=192.168.1.240 bcast=192.168.1.255 netmask=255.255.255.0
Connecting to 192.168.1.240 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
BAZRTD
Connecting to 192.168.1.240 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
\\MEMBERSERVER1 Samba 4.1.6-SerNet-Debian-7.wheezy
Connecting to 192.168.1.240 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
\\MEMBERSERVER1\IPC$ IPC Service (Samba 4.1.6-SerNet-Debian-7.wheezy)
\\MEMBERSERVER1\software
\\MEMBERSERVER1\data
\\MEMBERSERVER1\profiles$
\\MEMBERSERVER1\home
>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Wednesday 2 April 2014 10:11
>To: samba at lists.samba.org
>Subject: Re: [Samba] member joined, but...
>
>
>I really don't get it. :-(
>so if anyone has any tip for me please...
>I need this also for my print server...
>
>wbinfo -a "INTERNAL\Administrator%Mypassword"
>plaintext password authentication succeeded
>challenge/response password authentication succeeded
>
>net rpc group members users -U Administrator -d5
>NTLMSSP_NEGOTIATE_128
>NTLMSSP_NEGOTIATE_KEY_EXCH
>SPNEGO login failed: Logon failure
>Could not connect to server 127.0.0.1
>The username or password was not correct.
>Connection failed: NT_STATUS_LOGON_FAILURE
>failed to make ipc connection: NT_STATUS_LOGON_FAILURE
>return code = -1
>Opening cache file at /var/cache/samba/gencache.tdb
>Opening cache file at /var/cache/samba/gencache_notrans.tdb
>
>
>net -S rtd-dc1.internal.domain.tld rpc group members users -U INTERNAL\\Administrator -d5
>Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0, auth_level 1
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 52
>check_bind_response: accepted!
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 84
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0, auth_level 1
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 52
>check_bind_response: accepted!
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 44
>rpc_api_pipe: host rtd-dc1.internal.domain.tld
>rpc_read_send: data_to_read: 32
>rpc command function failed! (NT_STATUS_NO_SUCH_ALIAS)
>return code = -1
>
>
>
>and the log of the member joining the AD Domain :
>
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
>Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update unsuccessful: rtd-mem-001.internal.domain.tld/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling transaction on zone internal.domain.tld
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: spnego update failed
>Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': update failed: rejected by secure update (REFUSED)
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling transaction on zone internal.domain.tld
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting transaction on zone internal.domain.tld
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240 type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
>Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': deleting rrset at 'rtd-mem-001.internal.domain.tld' A
>Apr 1 16:37:56 rtd-dc1 named[1993]: client 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE': adding an RR at 'rtd-mem-001.internal.domain.tld' A
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: added rtd-mem-001.internal.domain.tld rtd-mem-001.internal.domain.tld.#0113600#011IN#011A#011192.168.1.240
>Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: subtracted rdataset internal.domain.tld 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.domain.tld. hostmaster.internal.domain.tld. 12 900 600 86400 0'
>Apr 1 16:37:57 rtd-dc1 named[1993]: samba_dlz: added rdataset internal.domain.tld 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.domain.tld. hostmaster.internal.domain.tld. 13 900 600 86400 0'
>Apr 1 16:37:57 rtd-dc1 named[1993]: samba_dlz: committed transaction on zone internal.domain.tld
>
>
>
>
>
>>-----Original message-----
>>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>On behalf of L.P.H. van Belle
>>Sent: Wednesday 2 April 2014 8:25
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] member joined, but...
>>
>>Hi Rowland,
>>
>>well this is in it, is the same as for the 2 DC ( and are ips
>>nameserver in resolv.conf )
>>
>>resolv.conf
>>search internal.domain.tld
>>domain internal.domain.tld
>>nameserver 192.168.1.1
>>nameserver 192.168.1.2
>>
>>krb5.conf
>>[libdefaults]
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> default_realm = INTERNAL.DOMAIN.TLD
>>
>>
>>I don't get it.
>>software installed ( from the script I run )
>>apt-get install sernet-samba sernet-samba-winbind fam acl attr quota -y
>>samba set to classic.
>>did kerberos setup.
>>checked with klist -e
>>joined the domain with : net ads join -U Administrator
>>started up samba :
>>/etc/init.d/sernet-samba-smbd start
>>/etc/init.d/sernet-samba-nmbd start
>>/etc/init.d/sernet-samba-winbindd start
>>
>>/etc/pam.d/samba
>># copy from /etc/pam.d/common-auth - authentication settings common to all services
>>#
>>auth sufficient pam_winbind.so
>>auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
>>auth requisite pam_deny.so
>>auth required pam_permit.so
>>
>># copy from /etc/pam.d/common-account - authorization settings common to all services
>>#
>>account sufficient pam_winbind.so
>>account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>>account requisite pam_deny.so
>>account required pam_permit.so
>>
>># copy from /etc/pam.d/common-session - session-related modules common to all services
>>#
>>session required pam_mkhomedir.so
>>session required pam_winbind.so
>>session [default=1] pam_permit.so
>>session requisite pam_deny.so
>>session required pam_permit.so
>>session required pam_unix.so
>>
>>nsswitch.conf
>>passwd: compat winbind
>>group: compat winbind
>>shadow: compat
>>
>>hosts: files dns
>>networks: files
>>
>>protocols: db files
>>services: db files
>>ethers: db files
>>rpc: db files
>>
>>
>>wbinfo -u
>>wbinfo -g
>>is ok, i get the users and groups.
>>
>>getent passwd works ( if I set uid/gid in the unix tab of the
>>users/group)
>>
>>so looks all fine to me... so what's going on.. I don't see it.
>>
>>Greetz,
>>
>>Louis
>>
>>>-----Original message-----
>>>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>>On behalf of L.P.H. van Belle
>>>Sent: Tuesday 1 April 2014 17:00
>>>To: samba at lists.samba.org
>>>Subject: [Samba] member joined, but...
>>>
>>>Hi,
>>>
>>>I have automated the install of my member server.
>>>Followed the wiki :
>>>https://wiki.samba.org/index.php/Samba/Domain_Member
>>>
>>>Everything works nicely, but... .. read on.. ;-)
>>>
>>>ok, so wiki says:
>>>https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>
>>>and now I'm at the point : SeDiskOperatorPrivilege
>>>and .. for the DC's installed this worked without problems...
>>>
>>>but for the domain member. I'm getting ...
>>>
>>>net rpc rights list accounts -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server 127.0.0.1
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>net -S servername rpc rights list accounts -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server rtd-mem-001
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server servername.internal.domain.tld
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>and of course setting the Se right didn't work
>>>
>>>net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>Enter administrator's password:
>>>Could not connect to server 127.0.0.1
>>>The username or password was not correct.
>>>Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>>
>>>so..
>>>/etc/hosts ( checked )
>>>/etc/nsswitch.conf ( checked )
>>>/etc/resolv.conf (check)
>>>/var/log/samba/ all logs checked, no errors at all.
>>>kinit Administrator ( checked )
>>>
>>>/etc/samba/smb.conf
>>>
>>>[global]
>>>
>>> workgroup = INTERNAL
>>> security = ADS
>>> realm = INTERNAL.DOMAIN.TLD
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 500001-800000
>>> idmap config BAZRTD:backend = ad
>>> idmap config BAZRTD:schema_mode = rfc2307
>>> idmap config BAZRTD:range = 10000-400000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> #winbind enum users = yes
>>> #winbind enum groups = yes
>>>
>>> template shell = /bin/bash
>>> template homedir = /home/samba/DOMAIN/%USERNAME%
>>>
>>> # For ACL support on member server
>>> vfs objects = acl_xattr
>>> map acl inherit = Yes
>>> store dos attributes = Yes
>>>
>>> # disable printing completely
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>>
>>>
>>>Anyone an idea?
>>>
>>>
>>>
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>
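Added example (not part of the original post and not Samba code): a small parser for the `-d3` session-setup trace in this message that names the SPNEGO mechanism OIDs and decodes the NTLMSSP `neg_flags` words, so the difference between the server's challenge flags and the final negotiated flags can be read off. Flag values follow MS-NLMP; the function names are hypothetical, and the sample is one attempt copied from the smbtree output above.

```python
import re
# NTLMSSP negotiate-flag bits as defined in MS-NLMP ("NTLMSSP_" is prefixed on output).
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN", 0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY", 0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}
# SPNEGO mechanism OIDs that appear in the trace.
MECH_OIDS = {"1.2.840.48018.1.2.2": "MS-KRB5", "1.2.840.113554.1.2.2": "KRB5",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# One session-setup attempt copied from the smbtree -d3 output in this message.
SAMPLE_LOG = """\
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
"""

def decode_flags(value):
    # Names of the set bits, lowest bit first; bits not in the table are reported as unknown.
    names = ["NTLMSSP_" + n for bit, n in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names + ([f"unknown:0x{unknown:08x}"] if unknown else [])

def parse_attempts(log):
    # Split a debug trace into session-setup attempts: offered mechs, flag words, result.
    attempts = []
    for line in map(str.strip, log.splitlines()):
        if line.startswith("Doing spnego session setup"):
            attempts.append({"mechs": [], "flags": [], "result": None})
        elif not attempts:
            continue  # ignore anything before the first session setup
        elif m := re.match(r"got OID=([\d.]+)", line):
            attempts[-1]["mechs"].append(MECH_OIDS.get(m.group(1), m.group(1)))
        elif m := re.search(r"neg_flags=0x([0-9a-fA-F]+)", line):
            attempts[-1]["flags"].append(int(m.group(1), 16))
        elif line.startswith("SPNEGO login failed:"):
            attempts[-1]["result"] = line.split(":", 1)[1].strip()
    return attempts

def dropped_flags(attempt):
    # Bits present in the server challenge but absent from the final negotiated flags.
    return decode_flags(attempt["flags"][0] & ~attempt["flags"][-1])
```

On this trace, `dropped_flags(parse_attempts(SAMPLE_LOG)[0])` returns the two target-information bits, and the final flag word decodes with NTLMSSP_NEGOTIATE_SIGN set and NTLMSSP_NEGOTIATE_SEAL clear.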