[Samba] Cannot authenticate the administrator account
Mike
1100100 at gmail.com
Wed Apr 22 05:37:32 MDT 2015
Thanks for your help, LPH - - - I am commuting to work right now.......will
try it when I can get through a few daily hurdles at the office. :-)
On Wed, Apr 22, 2015 at 7:27 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> can you try the following..
> and post the result back.
> and /etc/resolv.conf
> and /etc/krb5.conf
>
> copy paste it, but set the admin pass first.
> then what's the output.
>
> SAMBA_NT_ADMIN_PASS="PUT_YOUR-ADMINISTRATOR_PASSWORD_HERE"
> SETFQDN=`hostname -f`
>
> echo "NT Authentication test"
> echo "${SAMBA_NT_ADMIN_PASS}" | smbclient //localhost/netlogon -U Administrator -c 'ls'
>
> echo "Kerberos Authentication"
> echo "${SAMBA_NT_ADMIN_PASS}" | kinit Administrator
> smbclient "//${SETFQDN}/netlogon" -U Administrator -c 'ls' -k
> kdestroy
>
>
>
>
>
> >-----Original message-----
> >From: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org]
> >On behalf of Mike
> >Sent: Wednesday 22 April 2015 13:14
> >To: samba
> >Subject: [Samba] Cannot authenticate the administrator account
> >
> >AD DC default shares are okay after provisioning -
> >smbclient -L localhost -U%:
> >
> >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
> >
> > Sharename Type Comment
> > --------- ---- -------
> > netlogon Disk
> > sysvol Disk
> > IPC$ IPC IPC Service (Samba 4.1.17-SerNet-RedHat-11.el7)
> >Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
> >
> > Server Comment
> > --------- -------
> >
> > Workgroup Master
> > --------- -------
> >
> >Cannot authenticate the administrator account -
> >smbclient //localhost/netlogon -UAdministrator -c 'ls'
> >Enter Administrator's password:
> >session setup failed: NT_STATUS_LOGON_FAILURE
> >
> >- - - - - - - - - - - - - - - - - -
> >I turned up the log level to 3 and found the following:
> >
> >[2015/04/22 06:17:54.074716, 0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> > /usr/sbin/samba_dnsupdate: RuntimeError: kinit for A10$@MWLLC.INFO failed (Cannot contact any KDC for requested realm)
> >
> >A10 is the server hostname, CONPAGO is the domain, and MWLLC.INFO is the
> >realm.
> >
> >-----------------------------------------
> > ps axf | egrep "samba|smbd|nmbd|winbindd"
> > 886 pts/5 S+ 0:00 \_ grep -E --color=auto samba|smbd|nmbd|winbindd
> >32620 ? Ss 0:00 samba
> >32621 ? S 0:00 \_ samba
> >32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> >32637 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> >32622 ? S 0:00 \_ samba
> >32624 ? S 0:00 \_ samba
> >32625 ? S 0:00 \_ samba
> >32626 ? S 0:00 \_ samba
> >32627 ? S 0:00 \_ samba
> >32628 ? S 0:00 \_ samba
> >32629 ? S 0:00 \_ samba
> >32630 ? S 0:00 \_ samba
> >32631 ? S 0:00 \_ samba
> >32632 ? S 0:00 \_ samba
> >32633 ? S 0:00 \_ samba
> >32634 ? S 0:00 \_ samba
> >
> >The above looks the same as the troubleshooting page.
> >------------------------------------------------------------------------
> >
> >Cannot figure out why kerberos authentication fails.
> >
> >Also notice nmbd and winbindd logs that say, "server role = 'active
> >directory domain controller' not compatible with running the <<nmbd>> and
> ><<winbindd>> binary. You should start 'samba' instead, and it will control
> >starting the internal AD DC <<nmbd>> and <<winbindd>> implementation,
> >which is not the same as this one."
> >
> >However, I did execute using "samba".
> >
> >samba-tool testparm -v ---
> >
> ># Global parameters
> >[global]
> > dos charset = CP850
> > unix charset = UTF8
> > workgroup = CONPAGO
> > realm = MWLLC.INFO
> > netbios name = A10
> > netbios aliases =
> > netbios scope =
> > server string = Samba 4.1.17-SerNet-RedHat-11.el7
> > interfaces = lo, eno1
> > bind interfaces only = Yes
> > config backend = file
> > server role = active directory domain controller
> > security = AUTO
> > auth methods =
> > encrypt passwords = Yes
> > client schannel = No
> > server schannel = No
> > allow trusted domains = No
> > map to guest = Never
> > null passwords = No
> > obey pam restrictions = No
> > password server = *
> > smb passwd file =
> > private dir = /var/lib/samba/private
> > passdb backend =
> > algorithmic rid base = 0
> > root directory =
> > guest account =
> > enable privileges = No
> > pam password change = No
> > passwd program =
> > passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> > passwd chat debug = No
> > passwd chat timeout = 0
> > check password script =
> > username map =
> > username level = 0
> > unix password sync = No
> > restrict anonymous = 0
> > lanman auth = No
> > ntlm auth = Yes
> > client NTLMv2 auth = Yes
> > client lanman auth = No
> > client plaintext auth = No
> > client use spnego principal = No
> > preload modules =
> > dedicated keytab file =
> > kerberos method = default
> > map untrusted to domain = No
> > log level = 3
> > syslog = 1
> > syslog only = No
> > log file =
> > max log size = 0
> > debug timestamp = Yes
> > debug prefix timestamp = No
> > debug hires timestamp = Yes
> > debug pid = No
> > debug uid = No
> > debug class = No
> > enable core files = No
> > smb ports = 445, 139
> > large readwrite = Yes
> > server max protocol = NT1
> > server min protocol = CORE
> > client max protocol = NT1
> > client min protocol = CORE
> > unicode = Yes
> > min receivefile size = 0
> > read raw = Yes
> > write raw = Yes
> > disable netbios = No
> > reset on zero vc = No
> > log writeable files on exit = No
> > defer sharing violations = No
> > nt pipe support = No
> > nt status support = Yes
> > max mux = 50
> > max xmit = 12288
> > name resolve order = wins, host, bcast
> > max ttl = 0
> > max wins ttl = 518400
> > min wins ttl = 10
> > time server = No
> > unix extensions = No
> > use spnego = Yes
> > client signing = default
> > server signing = default
> > client use spnego = No
> > client ldap sasl wrapping = plain
> > enable asu support = No
> > svcctl list =
> > cldap port = 389
> > dgram port = 138
> > nbt port = 137
> > krb5 port = 88
> > kpasswd port = 464
> > web port = 901
> > rpc big endian = No
> > deadtime = 0
> > getwd cache = No
> > keepalive = 0
> > lpq cache time = 0
> > max smbd processes = 0
> > max disk size = 0
> > max open files = 0
> > socket options = TCP_NODELAY
> > use mmap = Yes
> > use ntdb = No
> > hostname lookups = No
> > name cache timeout = 0
> > ctdbd socket =
> > cluster addresses =
> > clustering = No
> > ctdb timeout = 0
> > ctdb locktime warn threshold = 0
> > smb2 max read = 0
> > smb2 max write = 0
> > smb2 max trans = 0
> > smb2 max credits = 0
> > load printers = No
> > printcap cache time = 0
> > printcap name =
> > cups server =
> > cups encrypt = No
> > cups connection timeout = 0
> > iprint server =
> > disable spoolss = No
> > addport command =
> > enumports command =
> > addprinter command =
> > deleteprinter command =
> > show add printer wizard = No
> > os2 driver map =
> > mangling method =
> > mangle prefix = 0
> > max stat cache size = 0
> > stat cache = No
> > machine password timeout = 0
> > add user script =
> > rename user script =
> > delete user script =
> > add group script =
> > delete group script =
> > add user to group script =
> > delete user from group script =
> > set primary group script =
> > add machine script =
> > shutdown script =
> > abort shutdown script =
> > username map script =
> > username map cache time = 0
> > logon script =
> > logon path =
> > logon drive =
> > logon home =
> > domain logons = No
> > init logon delayed hosts =
> > init logon delay = 0
> > os level = 0
> > lm announce = No
> > lm interval = 0
> > preferred master = Auto
> > local master = Yes
> > domain master = Auto
> > browse list = No
> > enhanced browsing = No
> > dns proxy = Yes
> > wins proxy = No
> > wins server =
> > wins support = No
> > wins hook =
> > lock spin time = 0
> > oplock break wait time = 0
> > ldap admin dn =
> > ldap delete dn = No
> > ldap group suffix =
> > ldap idmap suffix =
> > ldap machine suffix =
> > ldap passwd sync = yes
> > ldap replication sleep = 0
> > ldap suffix =
> > ldap ssl = no
> > ldap ssl ads = No
> > ldap deref = never
> > ldap follow referral = No
> > ldap timeout = 0
> > ldap connection timeout = 0
> > ldap page size = 0
> > ldap user suffix =
> > ldap debug level = 0
> > ldap debug threshold = 0
> > eventlog list =
> > add share command =
> > change share command =
> > delete share command =
> > config file =
> > preload =
> > lock directory = /var/cache/samba
> > state directory = /var/lib/samba
> > cache directory = /var/cache/samba
> > pid directory = /var/run/samba
> > ntp signd socket directory = /var/lib/samba/ntp_signd
> > utmp directory =
> > wtmp directory =
> > utmp = No
> > default service =
> > message command =
> > get quota command =
> > set quota command =
> > remote announce =
> > remote browse sync =
> > nbt client socket address =
> > nmbd bind explicit broadcast = No
> > homedir map =
> > afs username map =
> > afs token lifetime = 0
> > log nt token command =
> > NIS homedir = No
> > registry shares = No
> > usershare allow guests = No
> > usershare max shares = 0
> > usershare owner only = No
> > usershare path =
> > usershare prefix allow list =
> > usershare prefix deny list =
> > usershare template share =
> > allow insecure wide links = No
> > async smb echo handler = No
> > panic action =
> > perfcount module =
> > host msdfs = Yes
> > passdb expand explicit = No
> > idmap backend =
> > idmap cache time = 0
> > idmap negative cache time = 0
> > idmap uid =
> > idmap gid =
> > template homedir = /home/%WORKGROUP%/%ACCOUNTNAME%
> > template shell = /bin/false
> > winbind separator = \
> > winbind cache time = 0
> > winbind reconnect delay = 0
> > winbind request timeout = 0
> > winbind max clients = 0
> > winbind enum users = No
> > winbind enum groups = No
> > winbind use default domain = No
> > winbind trusted domains only = No
> > winbind nested groups = No
> > winbind expand groups = 0
> > winbind nss info =
> > winbind refresh tickets = No
> > winbind offline logon = No
> > winbind normalize names = No
> > winbind rpc only = No
> > create krb5 conf = No
> > ncalrpc dir = /var/run/samba/ncalrpc
> > winbind max domain connections = 0
> > winbindd socket directory = /var/run/samba/winbindd
> > winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
> > winbind sealed pipes = Yes
> > allow dns updates = secure only
> > dns forwarder = 75.75.76.76
> > dns update command = /usr/sbin/samba_dnsupdate
> > nsupdate command = /usr/bin/nsupdate -g
> > rndc command = /usr/sbin/rndc
> > multicast dns register = No
> > samba kcc command = /usr/sbin/samba_kcc
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
> > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
> > spn update command = /usr/sbin/samba_spnupdate
> > share backend = classic
> > tls enabled = Yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> > tls crlfile =
> > tls dh params file =
> > idmap_ldb:use rfc2307 = yes
> > prefork children:smb = 4
> > registry:hkey_users = hku.ldb
> > registry:hkey_local_machine = hklm.ldb
> >
> >[netlogon]
> > path = /var/lib/samba/sysvol/mwllc.info/scripts
> > read only = No
> >
> >[sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >(END)
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/options/samba
> >
> >
>
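
Added example (not part of the original thread): the log line quoted above, "Cannot contact any KDC for requested realm", means the Kerberos library could not locate a KDC for MWLLC.INFO, and the two files requested in the reply (/etc/resolv.conf and /etc/krb5.conf) control that lookup. The script below checks them against smb.conf offline; the function names, the sample file contents and the 192.0.2.10 / 198.51.100.53 addresses are constructed, and it assumes the DC serves the AD DNS zone itself.

```shell
#!/bin/sh
# Added example; sample file contents are constructed, not the poster's files.

# conf_value KEY FILE: value of the first "KEY = value" line in an ini-style file.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# first_nameserver FILE: first nameserver entry of a resolv.conf.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_dc_files SMB_CONF KRB5_CONF RESOLV_CONF DC_IP
# Prints one line per finding; returns 0 only when there are none.
check_dc_files() {
    smb_realm=$(conf_value realm "$1")
    krb_realm=$(conf_value default_realm "$2")
    ns=$(first_nameserver "$3")
    rc=0
    # Kerberos realm names are case-sensitive, so compare them exactly.
    if [ "$krb_realm" != "$smb_realm" ]; then
        echo "REALM_MISMATCH krb5=$krb_realm smb=$smb_realm"; rc=1
    fi
    # Assumption: the DC hosts the AD DNS zone, so it has to query itself first
    # for the realm's KDC records to be found.
    if [ "$ns" != "$4" ] && [ "$ns" != "127.0.0.1" ]; then
        echo "RESOLVER_NOT_DC nameserver=$ns"; rc=1
    fi
    return $rc
}

# Constructed sample input (documentation address ranges).
demo_dir=$(mktemp -d)
printf '[global]\n\trealm = MWLLC.INFO\n\tworkgroup = CONPAGO\n' > "$demo_dir/smb.conf"
printf '[libdefaults]\n\tdefault_realm = mwllc.info\n\tdns_lookup_kdc = true\n' > "$demo_dir/krb5.conf"
printf 'search mwllc.info\nnameserver 198.51.100.53\n' > "$demo_dir/resolv.conf"

check_dc_files "$demo_dir/smb.conf" "$demo_dir/krb5.conf" "$demo_dir/resolv.conf" 192.0.2.10 || true
```

On a real DC the arguments would be the live smb.conf, /etc/krb5.conf, /etc/resolv.conf and the DC's own address.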