[Samba] getting NT_STATUS_LOGON_FAILURE

Fri Jan 9 06:04:24 MST 2015

I have been having issues with my W7 client "access is denied" to
changing the security (user permissions) settings and have been posting
regarding that issue yesterday. 

I have discovered that my "ads join member server" is not completely
joined (I think.) 

I discovered a post from February 2014, by Louis "[Samba] member joined,
but . . ." and ran some of his command line test strings and received
similar results. Did some checking before moving forward: 

root at dtmember01:~# net ads testjoin
Join is OK <<<<<<<<<<<< OK? Can't change permissions!
root at dtmember01:~# net rpc rights list
Enter root's password:
Could not connect to server 127.0.0.1 <<<<<< why localhost?
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look
root at dtmember01:~# cat /etc/hosts
127.0.0.1 localhost
192.168.16.55 dtmember01.dtshrm.lan dtmember01

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root at dtmember01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.16.55
netmask 255.255.255.0
network 192.168.16.0
broadcast 192.168.16.255
gateway 192.168.16.106
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct
setting here
dns-search dtshrm.lan 

Do I have anything set incorrectly? 

Then I ran these test string that were listed in the "member joined, but
. . ." thread. 

root at dtmember01:~# net rpc rights list accounts -UadministratorEnter
administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!!
root at dtmember01:~# net -S dtmember01 rpc rights list account
-UadministratorEnter administrator's password:
Could not connect to server dtmember01
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE 

root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts
-Uadministrator
Enter administrator's password:
BUILTINPrint Operators
No privileges assigned

BUILTINAccount Operators
No privileges assigned

BUILTINBackup Operators
No privileges assigned

BUILTINServer Operators
No privileges assigned

BUILTINAdministrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege <<<<<<<<<<<< hum-m-m
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned 

root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins'
SeDiskOperatorPrivilege -Uadministrator
Enter administrator's password:
Failed to grant privileges for DTDC01Domain Admins
(NT_STATUS_ACCESS_DENIED) 

I tried to sort out the issues Louis was experiencing in his pam setup
and realized that I had run his script against Debian 7.7.0 (newer than
that available in February) and wondered if Debian (this version) pam
files is the cause of the issue I am experiencing. 

Decided to post here and see what anyone thinks? Louis, are you there? 
-- 
-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

Links:
------
[1] http://www.donelsontrophy.com