[Samba] NT_STATUS_CONNECTION_REFUSED, again!!!

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 27 10:43:03 MST 2015


On 27/02/15 17:28, Bob of Donelson Trophy wrote:
>   
>
> I thought I was over this the other day when I got it to work properly
> on my VM.
>
> Now, on an actual PC I am getting:
>
> ==========Test kerberos ===============================
>
> Lets test some things
>
> Testing : kerberos
>
> Password for Administrator at DTSHRM.DT:
>
> Warning: Your password will expire in 41 days on Fri Apr 10 08:43:58
> 2015
>
> Ticket cache: FILE:/tmp/krb5cc_0
>
> Default principal: Administrator at DTSHRM.DT
>
> Valid starting Expires Service principal
>
> 27/02/2015 07:45 27/02/2015 17:45 krbtgt/DTSHRM.DT at DTSHRM.DT
>
> renew until 28/02/2015 07:45, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> ==========SE Privileges ===============================
>
> Enter Administrator's password:
>
> Could not connect to server 127.0.0.1
>
> Connection failed: NT_STATUS_CONNECTION_REFUSED
>
> I snipped some excess<<<<<<<<
>
> Enter Administrator's password:
>
> Could not connect to server 127.0.0.1
>
> Connection failed: NT_STATUS_CONNECTION_REFUSED
>
> Enter Administrator's password:
>
> Successfully granted rights.
>
> Enter Administrator's password:
>
> I snipped some excess<<<<<<<<<<<
>
> Enter Administrator's password:
>
> Successfully granted rights.
>
> ==========Test DNS Records ===============================
>
> Testing : dns entries
>
> testing of : host -t SRV _ldap._tcp.dtshrm.dt. : ok
>
> testing of : host -t SRV _kerberos._udp.dtshrm.dt. : ok
>
> testing of : host -t A dtdc01.dtshrm.dt. : ok
>
> I snipped the ending<<<<<
>
> I have had the chance to try this several times (thanks to backups) and
> each time a different number of failures and then "Successfully granted
> rights."
>
> Generally there are anywhere from 12 to 17 failures across two attempts
> (that I paid close attention to, out of five tries.)
>
> And, because I have two identical computers (one that will become DC1
> and the other DC2) I switched machines, just to make sure it wasn't a
> hardware issue. It's not!
>
> When I run one of the failed script lines manually, I get:
>
> root at dc01:~# echo ${SAMBA_NT_ADMIN_PASS}| net rpc rights grant
> "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege
> -UAdministrator
>
> Enter Administrator's password:
>
> Could not connect to server 127.0.0.1
>
> The username or password was not correct.
>
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> That might have failed because . . . . so, I tried this:
>
> root at dc01:~# net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins"
> SeDiskOperatorPrivilege -UAdministrator
>
> Enter Administrator's password:
>
> Failed to grant privileges for Domain Admins (NT_STATUS_NO_SUCH_USER)
>
> So, the script is not creating the "Domain Admins"? Confused, for
> sure!!!!
>

Hi Bob, what have you got in /etc/resolv.conf?

I also take it that when you ran the lines manually, you replaced the 
variables with the correct info.

The script doesn't create Domain Admins; this is done by the provision.
Run 'wbinfo -g'; this should print all your domain groups.

Rowland

