[Samba] Cannot authenticate the administrator account
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 22 05:27:30 MDT 2015
Can you try the following
and post the result back,
and /etc/resolv.conf
and /etc/krb5.conf.
Copy and paste it, but set the admin password first.
Then, what's the output?
# Set the Administrator password first, then paste the whole block into a root shell on the DC.
SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
SETFQDN="$(hostname -f)"

echo "NT Authentication test"
# NTLM logon against the local DC; smbclient reads the password from stdin.
echo "${SAMBA_NT_ADMIN_PASS}" | smbclient //localhost/netlogon -U Administrator -c 'ls'

echo "Kerberos Authentication"
# Get a TGT for Administrator, then connect with it (-k). Kerberos needs the DC's FQDN, not localhost.
echo "${SAMBA_NT_ADMIN_PASS}" | kinit Administrator
smbclient "//${SETFQDN}/netlogon" -U Administrator -c 'ls' -k
kdestroy
>-----Original Message-----
>From: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org]
>On behalf of Mike
>Sent: Wednesday, 22 April 2015 13:14
>To: samba
>Subject: [Samba] Cannot authenticate the administrator account
>
>AD DC default shares are okay after provisioning -
>smbclient -L localhost -U%:
>
>Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service (Samba 4.1.17-SerNet-RedHat-11.el7)
>Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>
> Server Comment
> --------- -------
>
> Workgroup Master
> --------- -------
>
>Cannot authenticate the administrator account -
>smbclient //localhost/netlogon -UAdministrator -c 'ls'
>Enter Administrator's password:
>session setup failed: NT_STATUS_LOGON_FAILURE
>
>- - - - - - - - - - - - - - - - - -
>I turned up the log level to 3 and found the following:
>
>[2015/04/22 06:17:54.074716, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: RuntimeError: kinit for A10$@MWLLC.INFO failed
>(Cannot contact any KDC for requested realm)
>
>A10 is the server hostname, CONPAGO is the domain, and MWLLC.INFO is the realm.
>
>-----------------------------------------
> ps axf | egrep "samba|smbd|nmbd|winbindd"
>  886 pts/5 S+ 0:00 \_ grep -E --color=auto samba|smbd|nmbd|winbindd
>32620 ? Ss 0:00 samba
>32621 ? S 0:00 \_ samba
>32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>32637 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>32622 ? S 0:00 \_ samba
>32624 ? S 0:00 \_ samba
>32625 ? S 0:00 \_ samba
>32626 ? S 0:00 \_ samba
>32627 ? S 0:00 \_ samba
>32628 ? S 0:00 \_ samba
>32629 ? S 0:00 \_ samba
>32630 ? S 0:00 \_ samba
>32631 ? S 0:00 \_ samba
>32632 ? S 0:00 \_ samba
>32633 ? S 0:00 \_ samba
>32634 ? S 0:00 \_ samba
>
>The above looks the same as the troubleshooting page.
>------------------------------------------------------------------------
>
>Cannot figure out why Kerberos authentication fails.
>
>Also notice nmbd and winbindd logs that say, "server role = 'active directory domain controller'
>not compatible with running the <<nmbd>> and <<winbindd>> binary.
> You should start 'samba' instead, and it will control starting the internal AD DC
><<nmbd>> and <<winbindd>> implementation, which is not the same as this one."
>
>However, I did execute using "samba".
>
>samba-tool testparm -v ---
>
># Global parameters
>[global]
> dos charset = CP850
> unix charset = UTF8
> workgroup = CONPAGO
> realm = MWLLC.INFO
> netbios name = A10
> netbios aliases =
> netbios scope =
> server string = Samba 4.1.17-SerNet-RedHat-11.el7
> interfaces = lo, eno1
> bind interfaces only = Yes
> config backend = file
> server role = active directory domain controller
> security = AUTO
> auth methods =
> encrypt passwords = Yes
> client schannel = No
> server schannel = No
> allow trusted domains = No
> map to guest = Never
> null passwords = No
> obey pam restrictions = No
> password server = *
> smb passwd file =
> private dir = /var/lib/samba/private
> passdb backend =
> algorithmic rid base = 0
> root directory =
> guest account =
> enable privileges = No
> pam password change = No
> passwd program =
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 0
> check password script =
> username map =
> username level = 0
> unix password sync = No
> restrict anonymous = 0
> lanman auth = No
> ntlm auth = Yes
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> client use spnego principal = No
> preload modules =
> dedicated keytab file =
> kerberos method = default
> map untrusted to domain = No
> log level = 3
> syslog = 1
> syslog only = No
> log file =
> max log size = 0
> debug timestamp = Yes
> debug prefix timestamp = No
> debug hires timestamp = Yes
> debug pid = No
> debug uid = No
> debug class = No
> enable core files = No
> smb ports = 445, 139
> large readwrite = Yes
> server max protocol = NT1
> server min protocol = CORE
> client max protocol = NT1
> client min protocol = CORE
> unicode = Yes
> min receivefile size = 0
> read raw = Yes
> write raw = Yes
> disable netbios = No
> reset on zero vc = No
> log writeable files on exit = No
> defer sharing violations = No
> nt pipe support = No
> nt status support = Yes
> max mux = 50
> max xmit = 12288
> name resolve order = wins, host, bcast
> max ttl = 0
> max wins ttl = 518400
> min wins ttl = 10
> time server = No
> unix extensions = No
> use spnego = Yes
> client signing = default
> server signing = default
> client use spnego = No
> client ldap sasl wrapping = plain
> enable asu support = No
> svcctl list =
> cldap port = 389
> dgram port = 138
> nbt port = 137
> krb5 port = 88
> kpasswd port = 464
> web port = 901
> rpc big endian = No
> deadtime = 0
> getwd cache = No
> keepalive = 0
> lpq cache time = 0
> max smbd processes = 0
> max disk size = 0
> max open files = 0
> socket options = TCP_NODELAY
> use mmap = Yes
> use ntdb = No
> hostname lookups = No
> name cache timeout = 0
> ctdbd socket =
> cluster addresses =
> clustering = No
> ctdb timeout = 0
> ctdb locktime warn threshold = 0
> smb2 max read = 0
> smb2 max write = 0
> smb2 max trans = 0
> smb2 max credits = 0
> load printers = No
> printcap cache time = 0
> printcap name =
> cups server =
> cups encrypt = No
> cups connection timeout = 0
> iprint server =
> disable spoolss = No
> addport command =
> enumports command =
> addprinter command =
> deleteprinter command =
> show add printer wizard = No
> os2 driver map =
> mangling method =
> mangle prefix = 0
> max stat cache size = 0
> stat cache = No
> machine password timeout = 0
> add user script =
> rename user script =
> delete user script =
> add group script =
> delete group script =
> add user to group script =
> delete user from group script =
> set primary group script =
> add machine script =
> shutdown script =
> abort shutdown script =
> username map script =
> username map cache time = 0
> logon script =
> logon path =
> logon drive =
> logon home =
> domain logons = No
> init logon delayed hosts =
> init logon delay = 0
> os level = 0
> lm announce = No
> lm interval = 0
> preferred master = Auto
> local master = Yes
> domain master = Auto
> browse list = No
> enhanced browsing = No
> dns proxy = Yes
> wins proxy = No
> wins server =
> wins support = No
> wins hook =
> lock spin time = 0
> oplock break wait time = 0
> ldap admin dn =
> ldap delete dn = No
> ldap group suffix =
> ldap idmap suffix =
> ldap machine suffix =
> ldap passwd sync = yes
> ldap replication sleep = 0
> ldap suffix =
> ldap ssl = no
> ldap ssl ads = No
> ldap deref = never
> ldap follow referral = No
> ldap timeout = 0
> ldap connection timeout = 0
> ldap page size = 0
> ldap user suffix =
> ldap debug level = 0
> ldap debug threshold = 0
> eventlog list =
> add share command =
> change share command =
> delete share command =
> config file =
> preload =
> lock directory = /var/cache/samba
> state directory = /var/lib/samba
> cache directory = /var/cache/samba
> pid directory = /var/run/samba
> ntp signd socket directory = /var/lib/samba/ntp_signd
> utmp directory =
> wtmp directory =
> utmp = No
> default service =
> message command =
> get quota command =
> set quota command =
> remote announce =
> remote browse sync =
> nbt client socket address =
> nmbd bind explicit broadcast = No
> homedir map =
> afs username map =
> afs token lifetime = 0
> log nt token command =
> NIS homedir = No
> registry shares = No
> usershare allow guests = No
> usershare max shares = 0
> usershare owner only = No
> usershare path =
> usershare prefix allow list =
> usershare prefix deny list =
> usershare template share =
> allow insecure wide links = No
> async smb echo handler = No
> panic action =
> perfcount module =
> host msdfs = Yes
> passdb expand explicit = No
> idmap backend =
> idmap cache time = 0
> idmap negative cache time = 0
> idmap uid =
> idmap gid =
> template homedir = /home/%WORKGROUP%/%ACCOUNTNAME%
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 0
> winbind reconnect delay = 0
> winbind request timeout = 0
> winbind max clients = 0
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = No
> winbind trusted domains only = No
> winbind nested groups = No
> winbind expand groups = 0
> winbind nss info =
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> winbind rpc only = No
> create krb5 conf = No
> ncalrpc dir = /var/run/samba/ncalrpc
> winbind max domain connections = 0
> winbindd socket directory = /var/run/samba/winbindd
> winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
> winbind sealed pipes = Yes
> allow dns updates = secure only
> dns forwarder = 75.75.76.76
> dns update command = /usr/sbin/samba_dnsupdate
> nsupdate command = /usr/bin/nsupdate -g
> rndc command = /usr/sbin/rndc
> multicast dns register = No
> samba kcc command = /usr/sbin/samba_kcc
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
> spn update command = /usr/sbin/samba_spnupdate
> share backend = classic
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> tls crlfile =
> tls dh params file =
> idmap_ldb:use rfc2307 = yes
> prefork children:smb = 4
> registry:hkey_users = hku.ldb
> registry:hkey_local_machine = hklm.ldb
>
>[netlogon]
> path = /var/lib/samba/sysvol/mwllc.info/scripts
> read only = No
>
>[sysvol]
> path = /var/lib/samba/sysvol
> read only = No
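Added example, not from either post in this thread: a shell preflight for the "Cannot contact any KDC for requested realm" error above. It checks the two files van Belle asks for, /etc/krb5.conf and /etc/resolv.conf, against the realm from smb.conf, and then looks up the _kerberos._udp SRV record that kinit uses to locate the KDC. The realm MWLLC.INFO is from the thread; the DC address 192.0.2.10 and the script name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example: preflight for "Cannot contact any KDC for requested realm" on a
# Samba AD DC. kinit finds the KDC via /etc/krb5.conf (default_realm, optional
# [realms] kdc=) or via the _kerberos._udp.REALM SRV record served by the DC's
# own internal DNS, so /etc/resolv.conf must list the DC itself first.

# Print the default_realm set in a krb5.conf-style file (first match only).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the nameserver addresses listed in a resolv.conf-style file, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed when krb5.conf's default_realm equals the realm from smb.conf.
check_realm() {                       # $1 = krb5.conf path, $2 = realm
    got=$(krb5_default_realm "$1")
    # Exact match: Kerberos realm names are case-sensitive (MWLLC.INFO != mwllc.info).
    if [ -n "$got" ] && [ "$got" = "$2" ]; then return 0; fi
    return 1
}

# Succeed when the DC's own address is the first nameserver; an ISP resolver or
# the "dns forwarder" there cannot answer the SRV query for the AD realm.
check_resolver() {                    # $1 = resolv.conf path, $2 = DC IP
    first=$(resolv_nameservers "$1" | head -n 1)
    if [ "$first" = "$2" ]; then return 0; fi
    return 1
}

# Live checks against this host's real files and DNS (assumed DC IP passed by caller).
main() {
    realm=$1
    dc_ip=$2
    check_realm /etc/krb5.conf "$realm" && echo "krb5.conf default_realm OK" \
        || echo "FAIL: /etc/krb5.conf default_realm is not $realm"
    check_resolver /etc/resolv.conf "$dc_ip" && echo "resolv.conf OK" \
        || echo "FAIL: first nameserver in /etc/resolv.conf is not $dc_ip"
    # The SRV record kinit queries when krb5.conf names no kdc for the realm.
    host -t SRV "_kerberos._udp.$realm" \
        || echo "FAIL: no SRV record for _kerberos._udp.$realm"
}

# Run the live checks only when given arguments, e.g.: ./preflight.sh MWLLC.INFO 192.0.2.10
if [ $# -ge 2 ]; then main "$@"; fi
```

A realm mismatch or a resolv.conf that points at the forwarder instead of the DC reproduces the kinit failure in the log; the SRV lookup then shows whether the DC's own DNS is actually being consulted.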