[Samba] NT_STATUS_CONNECTION_REFUSED, again!!!

Fri Feb 27 13:52:05 MST 2015

On 27/02/15 20:08, Bob of Donelson Trophy wrote:
>   
>
> No.
>
> What I did was change the first few to see what happens. And still the
> first 13 (this time, last time 17) failed. I am baffled why the first 11
> to 17 fail (randomly) and the remainder receive "Successfully granted
> rights."
>
> ---
>
> -------------------------
>
> Bob Wooden of Donelson Trophy
>
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
>
> "Everyone deserves an award!!"
>
> On 2015-02-27 13:31, Rowland Penny wrote:
>
>> On 27/02/15 19:25, Bob of Donelson Trophy wrote:
>> Thanks Rowland but that idea did not work. I will simply grant access to those that failed manually. (Really wish I had kept the VM that the scripthad worked on so I could go back and see what happened but, too late, I have already deleted to save precious hard drive space.) If I have any issues, I'll be back. --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] "Everyone deserves an award!!" On 2015-02-27 12:22, Rowland Penny wrote: On 27/02/15 18:00, Bob of Donelson Trophy wrote: Thanks Rowland. Being the novice that I am, I thought the line would 'pickup' my DOMAIN and replace the ${SAMBA_NT_DOMAIN}. So, I just tried the line correctly and it asked for my Administrator password and subsequently granted access. At least I know I can go and correct manually, if I need too. My /etc/resolv.conf is: root at dt01:~# cat /etc/resolv.conf search dts***m.dt nameserver 192.168.16.51 The nameserver is resolving to "itself",
>    the
> DC01. (As you know, this is created through the script.) The "wbinfo -g" says that "Domain Admins" is indeed in the groups. --- ------------------------- Bob Wooden of Donelson Trophy 615.885.2846 (main) www.donelsontrophy.com [1] [1 [1]] [1 [1]] "Everyone deserves an award!!" On 2015-02-27 11:43, Rowland Penny wrote: On 27/02/15 17:28, Bob of Donelson Trophy wrote: I thought I was over this the other day when I got it to work properly on my VM. Now, on an actual PC I am getting: ==========Test kerberos =============================== Lets test s ome things Testing : kerberos Password for Administrator at DTSHRM.DT: Warning: Your password will expire in 41 days on Fri Apr 10 08:43:58 2015 Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator at DTSHRM.DT Valid starting Expires Service principal 27/02/2015 07:45 27/02/2015 17:45 krbtgt/DTSHRM.DT at DTSHRM.DT renew until 28/02/2015 07:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 ==========SE Privil
>   eges
> =============================== Enter Administrator's password: Could not connect to server 127.0.0.1 Connection failed: NT_STATUS_CONNECTION_REFUSED I snipped some excess<<<<<<<< Enter Administrator's password: Could not connect to server 127.0.0.1 Connection failed: NT_STATUS_CONNECTION_REFUSED Enter Administrator's password: Successfully granted rights. En t er Administrator's password: I snipped some excess<<<<<<<<<<< Enter Administrator's password: Successfully granted rights. ==========Test DNS Records =============================== Testing : dns entries testing of : host -t SRV _ldap._tcp.dtshrm.dt. : ok testing of : host -t SRV _kerberos._udp.dtshrm.dt. : ok testing of : host -t A dtdc01.dtshrm.dt. : ok I snipped the ending<<<<< I have had the chance to try this several times (thanks to backups) and each time a different number of failures and then "Successfully granted rights." Generally there are anywhere from 12 to 17 failures across two attempts (that I paid clos
>   e
> attention too, out of five tries.) And, because I have two identical computers (one that will become DC1 and the other DC2) I switched machines, just to make sure it wasn't a hardware issue. It's not! When I run one of the failed script line manually, I get: root at dc01:~# echo ${SAMBA_NT_ADMIN_PASS}| net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator Enter Administrator's password: Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE That might have failed because . . . . so, I tried this: root at dc01:~# net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator Enter Administrator's password: Failed to grant privileges for Domain Admins (NT_STATUS_NO_SUCH_USER) So, the script is not creating the "Domain Admins"? Confused, for sure!!!! Hi Bob, what have you got in /etc/resolv.conf ? I also take it that when you ran the lines manual
>   ly, you
> replaced the variables with the correct info. The script doesn't create Domain Admins, this is done by the provision, run 'wbinfo -g' this should print all your domain groups. Rowland Links: ------ [1] http://www.donelsontrophy.com [1] [1 [1]]
>   OK, I have had a look at Louis's script and the line that is failing is
> this: echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}"Domain
> Admins" SeDiskOperatorPrivilege -UAdministrator I 'think' the problem is
> here ^ If you want to escape a character in bash you use the ''
> character and I 'think' what is happening is that, instead of escaping
> the other '' it is actually escaping the double quotes character Try
> replacing that line with this: echo ${SETNTPASSWD}| net rpc rights grant
> ${SETNTDOM}Domain Admins SeDiskOperatorPrivilege -UAdministrator Rowland
> Links: ------ [1] http://www.donelsontrophy.com [1]
>
> I am convinced it is the way that line is formatted, instead of using
> DOMAINDomain Admins, I think it is using DOMAINdomain, so perhaps this
> would be better:
>
> echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins"
> SeDiskOperatorPrivilege -UAdministrator
>
> but as you are now up and running, we will probably never know.
>
> Rowland
>
>   
>
> Links:
> ------
> [1] http://www.donelsontrophy.com

Ah, I thought that you were working on a DC, I wonder if it is a timing 
thing try placing a 'sleep 1' between the access lines.

Rowland