[Samba] NT_STATUS_CONNECTION_REFUSED, again!!!

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Feb 27 13:58:07 MST 2015



At one point, I thought the same. Tried a "sleep 5" and still got some
failures. (That was before I started counting the fails.) This is a P4
3.2GHz with 1GB RAM. Could it be that sluggish (at that moment) and need
a "sleep 10" or "sleep 15" or more? It worked on my VM (of course it is
running on a multi-core Xeon processor, so maybe a sleep?) I'm going to
try "sleep 30", what the heck!!

Hold on . . . 

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-02-27 14:52, Rowland Penny wrote: 

> On 27/02/15 20:08, Bob of Donelson Trophy wrote:
>
> No. What I did was change the first few to see what happens. And still the first 13 (this time, last time 17) failed. I am baffled why the first 11 to 17 fail (randomly) and the remainder receive "Successfully granted rights."
>
> On 2015-02-27 13:31, Rowland Penny wrote:
>
> On 27/02/15 19:25, Bob of Donelson Trophy wrote:
>
> Thanks Rowland but that idea did not work. I will simply grant access to those that failed manually. (Really wish I had kept the VM that the script had worked on so I could go back and see what happened but, too late, I have already deleted it to save precious hard drive space.) If I have any issues, I'll be back.
>
> On 2015-02-27 12:22, Rowland Penny wrote:
>
> On 27/02/15 18:00, Bob of Donelson Trophy wrote:
>
> Thanks Rowland. Being the novice that I am, I thought the line would 'pick up' my DOMAIN and replace the ${SAMBA_NT_DOMAIN}. So, I just tried the line correctly and it asked for my Administrator password and subsequently granted access. At least I know I can go and correct manually, if I need to. My /etc/resolv.conf is:
>
> root at dt01:~# cat /etc/resolv.conf
> search dts***m.dt
> nameserver 192.168.16.51
>
> The nameserver is resolving to "itself", the DC01. (As you know, this is created through the script.) The "wbinfo -g" says that "Domain Admins" is indeed in the groups.
>
> On 2015-02-27 11:43, Rowland Penny wrote:
>
> On 27/02/15 17:28, Bob of Donelson Trophy wrote:
>
> I thought I was over this the other day when I got it to work properly on my VM. Now, on an actual PC I am getting:
>
> ==========Test kerberos ===============================
> Lets test some things
> Testing : kerberos
> Password for Administrator at DTSHRM.DT:
> Warning: Your password will expire in 41 days on Fri Apr 10 08:43:58 2015
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at DTSHRM.DT
>
> Valid starting       Expires              Service principal
> 27/02/2015 07:45     27/02/2015 17:45     krbtgt/DTSHRM.DT at DTSHRM.DT
>         renew until 28/02/2015 07:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> ==========SEPrivileges ===============================
> Enter Administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_CONNECTION_REFUSED
> I snipped some excess<<<<<<<<
> Enter Administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_CONNECTION_REFUSED
> Enter Administrator's password:
> Successfully granted rights.
> Enter Administrator's password:
> I snipped some excess<<<<<<<<<<<
> Enter Administrator's password:
> Successfully granted rights.
> ==========Test DNS Records ===============================
> Testing : dns entries
> testing of : host -t SRV _ldap._tcp.dtshrm.dt. : ok
> testing of : host -t SRV _kerberos._udp.dtshrm.dt. : ok
> testing of : host -t A dtdc01.dtshrm.dt. : ok
> I snipped the ending<<<<<
>
> I have had the chance to try this several times (thanks to backups) and each time a different number of failures and then "Successfully granted rights." Generally there are anywhere from 12 to 17 failures across two attempts (that I paid close attention to, out of five tries.) And, because I have two identical computers (one that will become DC1 and the other DC2) I switched machines, just to make sure it wasn't a hardware issue. It's not!
>
> When I run one of the failed script lines manually, I get:
>
> root at dc01:~# echo ${SAMBA_NT_ADMIN_PASS}| net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
> Enter Administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> That might have failed because . . . . so, I tried this:
>
> root at dc01:~# net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
> Enter Administrator's password:
> Failed to grant privileges for Domain Admins (NT_STATUS_NO_SUCH_USER)
>
> So, the script is not creating the "Domain Admins"? Confused, for sure!!!!
>
> Hi Bob, what have you got in /etc/resolv.conf ? I also take it that when you ran the lines manually, you replaced the variables with the correct info. The script doesn't create Domain Admins, this is done by the provision, run 'wbinfo -g' this should print all your domain groups.
>
> Rowland
>
> OK, I have had a look at Louis's script and the line that is failing is this:
>
> echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>
> I 'think' the problem is here ^ If you want to escape a character in bash you use the '' character and I 'think' what is happening is that, instead of escaping the other '' it is actually escaping the double quotes character. Try replacing that line with this:
>
> echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}Domain Admins SeDiskOperatorPrivilege -UAdministrator
>
> Rowland
>
> I am convinced it is the way that line is formatted, instead of using DOMAINDomain Admins, I think it is using DOMAINdomain, so perhaps this would be better:
>
> echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>
> but as you are now up and running, we will probably never know.
>
> Rowland

Ah, I thought that you were working on a DC, I wonder if it is a timing
thing try placing a 'sleep 1' between the access lines.

Rowland


Links:
------
[1] http://www.donelsontrophy.com
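The thread ends with everyone guessing at a fixed "sleep N" between the grant lines. The following is an added example, not Louis's script and not Samba's code, of what a practitioner would do instead: retry a single `net rpc rights grant` only while it fails with NT_STATUS_CONNECTION_REFUSED (the "Could not connect to server 127.0.0.1" case from the test output, where the DC's own RPC server is simply not answering yet), and give up immediately on the other two status codes seen in the thread, NT_STATUS_LOGON_FAILURE and NT_STATUS_NO_SUCH_USER, which no amount of sleeping will fix. It assumes the script's variables SETNTPASSWD and SETNTDOM are set by the caller; the group list, the five-attempt limit and the two-second starting delay are arbitrary choices for illustration.

```shell
#!/bin/bash
# Added example (not Louis's script, not Samba's code): retry a rights grant only
# while the DC refuses the connection, stop at once on errors a retry cannot fix.
# Assumes, like the script, that the caller has set:
#   SETNTPASSWD  - the domain Administrator password
#   SETNTDOM     - the NetBIOS domain name (e.g. the DTSHRM of the thread)

# grant_right GROUP PRIVILEGE
# Exit status: 0 granted, 2 connection refused (transient), 1 any other failure.
grant_right() {
    local group="$1" priv="$2" out
    # Feeding the password on stdin mirrors the script; "DOMAIN\Group" is the
    # name form net rpc expects, so the backslash is escaped once for the shell.
    if out=$(echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\\${group}" "$priv" -UAdministrator 2>&1); then
        echo "$out"
        return 0
    fi
    echo "$out" >&2
    case "$out" in
        *NT_STATUS_CONNECTION_REFUSED*) return 2 ;;   # DC not accepting RPC yet: retry
        *) return 1 ;;                                # bad password, unknown group, ...: give up
    esac
}

# retry_transient MAX_ATTEMPTS FIRST_DELAY cmd [args...]
# Re-runs cmd while it exits 2, doubling the delay between attempts; any other
# status (0 or 1) is handed back to the caller straight away.
retry_transient() {
    local max="$1" delay="$2" attempt=1 rc
    shift 2
    while :; do
        "$@" && rc=0 || rc=$?
        [ "$rc" -ne 2 ] && return "$rc"
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up after $attempt attempts: $*" >&2
            return 2
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
        delay=$((delay * 2))
    done
}

# The grant loop from the script, one privilege per call, each retried on its
# own. "Domain Admins" is the only group the thread shows; add the others here.
grant_disk_operator_rights() {
    local group
    for group in "Domain Admins"; do
        retry_transient 5 2 grant_right "$group" SeDiskOperatorPrivilege || return 1
    done
}

# Nothing runs on plain sourcing; RUN_GRANTS=1 ./grant.sh performs the grants.
if [ "${RUN_GRANTS:-0}" = 1 ]; then
    grant_disk_operator_rights
fi
```

Distinguishing the two failure classes is the point: a refused connection right after provisioning is worth waiting for, but the NT_STATUS_LOGON_FAILURE that appears when the password variable is wrong or empty, or NT_STATUS_NO_SUCH_USER when the group name does not resolve, should abort the script with the message still on screen rather than be hidden behind twelve silent retries.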

