[Samba] member joined, but...
Rowland Penny
rowlandpenny at googlemail.com
Wed Apr 2 03:12:16 MDT 2014
On 02/04/14 09:20, L.P.H. van Belle wrote:
> OK, finally found 1 error. I appreciate any suggestion where to look.. :-)
>
> SPNEGO login failed: Logon failure
>
> smbtree -d3 -N
>
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=192.168.1.240 bcast=192.168.1.255 netmask=255.255.255.0
> Connecting to 192.168.1.240 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> SPNEGO login failed: Logon failure
> BAZRTD
> Connecting to 192.168.1.240 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> SPNEGO login failed: Logon failure
> \\MEMBERSERVER1 Samba 4.1.6-SerNet-Debian-7.wheezy
> Connecting to 192.168.1.240 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> SPNEGO login failed: Logon failure
> \\MEMBERSERVER1\IPC$ IPC Service (Samba 4.1.6-SerNet-Debian-7.wheezy)
> \\MEMBERSERVER1\software
> \\MEMBERSERVER1\data
> \\MEMBERSERVER1\profiles$
> \\MEMBERSERVER1\home
>
>
>
>> -----Original message-----
>> From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>> On behalf of L.P.H. van Belle
>> Sent: Wednesday 2 April 2014 10:11
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] member joined, but...
>>
>>
>> I really don't get it. :-(
>> so if anyone has any tip for me please...
>> I need this also for my print server...
>>
>> wbinfo -a "INTERNAL\Administrator%Mypassword"
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> net rpc group members users -U Administrator -d5
>> NTLMSSP_NEGOTIATE_128
>> NTLMSSP_NEGOTIATE_KEY_EXCH
>> SPNEGO login failed: Logon failure
>> Could not connect to server 127.0.0.1
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>> failed to make ipc connection: NT_STATUS_LOGON_FAILURE
>> return code = -1
>> Opening cache file at /var/cache/samba/gencache.tdb
>> Opening cache file at /var/cache/samba/gencache_notrans.tdb
>>
>>
>> net -S rtd-dc1.internal.domain.tld rpc group members users -U INTERNAL\\Administrator -d5
>> Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0,
>> auth_level 1
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 84
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 32
>> Bind RPC Pipe: host rtd-dc1.internal.domain.tld auth_type 0,
>> auth_level 1
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 44
>> rpc_api_pipe: host rtd-dc1.internal.domain.tld
>> rpc_read_send: data_to_read: 32
>> rpc command function failed! (NT_STATUS_NO_SUCH_ALIAS)
>> return code = -1
>>
>>
>>
>> and the log of the member joining the AD domain:
>>
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting
>> transaction on zone internal.domain.tld
>> Apr 1 16:37:56 rtd-dc1 named[1993]: client
>> 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE':
>> update unsuccessful: rtd-mem-001.internal.domain.tld/A: 'RRset
>> exists (value dependent)' prerequisite not satisfied (NXRRSET)
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling
>> transaction on zone internal.domain.tld
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting
>> transaction on zone internal.domain.tld
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: spnego update failed
>> Apr 1 16:37:56 rtd-dc1 named[1993]: client
>> 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE':
>> update failed: rejected by secure update (REFUSED)
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: cancelling
>> transaction on zone internal.domain.tld
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: starting
>> transaction on zone internal.domain.tld
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing
>> update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD
>> name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240
>> type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: allowing
>> update of signer=RTD-MEM-001\$\@INTERNAL.DOMAIN.TLD
>> name=rtd-mem-001.internal.domain.tld tcpaddr=192.168.1.240
>> type=A key=2c894e72-89f7-4a15-b76f-73cc99c998dd/160/0
>> Apr 1 16:37:56 rtd-dc1 named[1993]: client
>> 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE':
>> deleting rrset at 'rtd-mem-001.internal.domain.tld' A
>> Apr 1 16:37:56 rtd-dc1 named[1993]: client
>> 192.168.1.240#45737: updating zone 'internal.domain.tld/NONE':
>> adding an RR at 'rtd-mem-001.internal.domain.tld' A
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: added
>> rtd-mem-001.internal.domain.tld
>> rtd-mem-001.internal.domain.tld.#0113600#011IN#011A#011192.168.1.240
>> Apr 1 16:37:56 rtd-dc1 named[1993]: samba_dlz: subtracted
>> rdataset internal.domain.tld
>> 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.
>> domain.tld. hostmaster.internal.domain.tld. 12 900 600 86400 0'
>> Apr 1 16:37:57 rtd-dc1 named[1993]: samba_dlz: added rdataset
>> internal.domain.tld
>> 'internal.domain.tld.#0113600#011IN#011SOA#011rtd-dc1.internal.
>> domain.tld. hostmaster.internal.domain.tld. 13 900 600 86400 0'
>> Apr 1 16:37:57 rtd-dc1 named[1993]: samba_dlz: committed
>> transaction on zone internal.domain.tld
>>
>>
>>
>>
>>
>>> -----Original message-----
>>> From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>> On behalf of L.P.H. van Belle
>>> Sent: Wednesday 2 April 2014 8:25
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] member joined, but...
>>>
>>> Hi Rowland,
>>>
>>> well, this is in it; it is the same as for the 2 DCs (and the IPs are the
>>> nameservers in resolv.conf)
>>>
>>> resolv.conf
>>> search internal.domain.tld
>>> domain internal.domain.tld
>>> nameserver 192.168.1.1
>>> nameserver 192.168.1.2
>>>
>>> krb5.conf
>>> [libdefaults]
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> default_realm = INTERNAL.DOMAIN.TLD
>>>
>>>
>>> I don't get it.
>>> software installed (from the script I run)
>>> apt-get install sernet-samba sernet-samba-winbind fam acl attr quota -y
>>> samba set to classic.
>>> did kerberos setup.
>>> checked with klist -e
>>> joined the domain with: net ads join -U Administrator
>>> started up samba:
>>> /etc/init.d/sernet-samba-smbd start
>>> /etc/init.d/sernet-samba-nmbd start
>>> /etc/init.d/sernet-samba-winbindd start
>>>
>>> /etc/pam.d/samba
>>> # copy from /etc/pam.d/common-auth - authentication settings common to all services
>>> #
>>> auth sufficient pam_winbind.so
>>> auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
>>> auth requisite pam_deny.so
>>> auth required pam_permit.so
>>>
>>> # copy from /etc/pam.d/common-account - authorization settings common to all services
>>> #
>>> account sufficient pam_winbind.so
>>> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
>>> account requisite pam_deny.so
>>> account required pam_permit.so
>>>
>>> # copy from /etc/pam.d/common-session - session-related modules common to all services
>>> #
>>> session required pam_mkhomedir.so
>>> session required pam_winbind.so
>>> session [default=1] pam_permit.so
>>> session requisite pam_deny.so
>>> session required pam_permit.so
>>> session required pam_unix.so
>>>
>>> nsswitch.conf
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat
>>>
>>> hosts: files dns
>>> networks: files
>>>
>>> protocols: db files
>>> services: db files
>>> ethers: db files
>>> rpc: db files
>>>
>>>
>>> wbinfo -u
>>> wbinfo -g
>>> are OK, I get the users and groups.
>>>
>>> getent passwd works (if I set uid/gid in the Unix tab of the users/groups)
>>>
>>> so it all looks fine to me... so what's going on.. I don't see it.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>>> On behalf of L.P.H. van Belle
>>>> Sent: Tuesday 1 April 2014 17:00
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] member joined, but...
>>>>
>>>> Hi,
>>>>
>>>> I have automated the install of my member server.
>>>> Followed the wiki:
>>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>>>>
>>>> Everything works nicely, but... .. read on.. ;-)
>>>>
>>>> OK, so the wiki says:
>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>>
>>>> and now I'm at the point: SeDiskOperatorPrivilege
>>>> and.. for the DCs installed this worked without problems...
>>>>
>>>> but for the domain member, I'm getting...
>>>>
>>>> net rpc rights list accounts -Uadministrator
>>>> Enter administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> net -S servername rpc rights list accounts -Uadministrator
>>>> Enter administrator's password:
>>>> Could not connect to server rtd-mem-001
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> net -S servername.internal.domain.tld rpc rights list accounts -Uadministrator
>>>> Enter administrator's password:
>>>> Could not connect to server servername.internal.domain.tld
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> and of course setting the Se right didn't work
>>>>
>>>> net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>> Enter administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>>
>>>> so..
>>>> /etc/hosts ( checked )
>>>> /etc/nsswitch.conf ( checked )
>>>> /etc/resolv.conf (check)
>>>> /var/log/samba/ all logs checked, no errors at all.
>>>> kinit Administrator ( checked )
>>>>
>>>> /etc/samba/smb.conf
>>>>
>>>> [global]
>>>>
>>>> workgroup = INTERNAL
>>>> security = ADS
>>>> realm = INTERNAL.DOMAIN.TLD
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 500001-800000
>>>> idmap config BAZRTD:backend = ad
>>>> idmap config BAZRTD:schema_mode = rfc2307
>>>> idmap config BAZRTD:range = 10000-400000
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> #winbind enum users = yes
>>>> #winbind enum groups = yes
>>>>
>>>> template shell = /bin/bash
>>>> template homedir = /home/samba/DOMAIN/%USERNAME%
>>>>
>>>> # For ACL support on member server
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>> # disable printing completely
>>>> load printers = no
>>>> printing = bsd
>>>> printcap name = /dev/null
>>>> disable spoolss = yes
>>>>
>>>>
>>>>
>>>> Anyone have an idea?
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
Hi Louis, this is from an Ubuntu 14.04 VM running Debian 4.1.5 packages
(it was a test, OK); the command 'sudo net rpc rights list accounts
-Uadministrator' works.
Differences in the confs you posted are:
# /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
# /etc/pam.d/samba
@include common-auth
@include common-account
@include common-session-noninteractive
# /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
# /etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
# /etc/pam.d/common-session-noninteractive
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
# end of pam-auth-update config
Hope this helps ;-)
Rowland
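An added example, not code from this thread or from the Samba project, that runs the consistency checks a practitioner would want over a member-server smb.conf like the one quoted above: the idmap config domain must be the workgroup (the ad backend keys on the NetBIOS domain name), idmap ranges must not overlap, and template values must use Samba's single-letter substitutions (%U, %D), not %NAME% tokens. The sample smb.conf is constructed from the one in the thread and the finding texts are mine.

```python
import re

# Constructed sample, modelled on the member-server smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = INTERNAL
    idmap config *:backend = tdb
    idmap config *:range = 500001-800000
    idmap config BAZRTD:backend = ad
    idmap config BAZRTD:schema_mode = rfc2307
    idmap config BAZRTD:range = 10000-400000
    template homedir = /home/samba/DOMAIN/%USERNAME%
"""

def parse_global(text):
    """Return {parameter: value} for the [global] section, parameters lower-cased."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params

def check_smb_conf(text):
    """Return a list of findings; an empty list means all checks passed."""
    p = parse_global(text)
    workgroup = p.get("workgroup", "").upper()
    findings, ranges, mismatched = [], {}, set()
    for key, val in p.items():
        m = re.match(r"idmap config (.+?):(\w+)$", key)
        if m:
            dom, opt = m.group(1).upper(), m.group(2)
            if dom not in ("*", workgroup):  # the ad backend keys on the NetBIOS domain name
                mismatched.add(dom)
            if opt == "range":
                lo, hi = (int(x) for x in val.split("-"))
                ranges[dom] = (lo, hi)
        elif key.startswith("template ") and re.search(r"%[A-Za-z]{2,}%", val):
            findings.append(f"{key}: %NAME% tokens are not Samba substitutions (use %U, %D)")
    for dom in sorted(mismatched):
        findings.append(f"idmap config for {dom} but workgroup is {workgroup}")
    doms = sorted(ranges)  # pairwise check: the default '*' range must not overlap a domain range
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

On the constructed sample this reports the BAZRTD/INTERNAL mismatch and the %USERNAME% token; whether those are anonymisation or real in the thread's config, they are the first things to reconcile before chasing the NT_STATUS_LOGON_FAILURE further.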