[Samba] getting NT_STATUS_LOGON_FAILURE

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 9 07:44:47 MST 2015


On 09/01/15 14:34, Bob of Donelson Trophy wrote:
>   
>
> Now, more appropriately answering after the message. SEE BELOW, please.
>
> On 2015-01-09 07:24, L.P.H. van Belle wrote:
>
>> Hai,
>>
>> Not entirely correct..
>>
>> change :
>>
>>> dns-nameservers 208.67.222.222 <<<<<< have always struggled
>> to
>> dns-search dtshrm.lan
>> dns-nameservers IP_OF_AD_DC
>>
>> and use :
>> net rpc rights grant "YOUR_DOMAINNAMEDomain Admins" SeDiskOperatorPrivilege -UAdministrator -S NAME_OF_MEMBERSERVER
>>
>> Hope this helps you on the way, I'm out of the office now, going on ski holiday.
>> Back in 9 days.
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>>> Sent: Friday 9 January 2015 14:04
>>> To: SAMBA MailList
>>> Subject: [Samba] getting NT_STATUS_LOGON_FAILURE
>>>
>>> I have been having issues with my W7 client "access is denied" to changing the security (user permissions) settings and have been posting regarding that issue yesterday.
>>>
>>> I have discovered that my "ads join member server" is not completely joined (I think.) I discovered a post from February 2014, by Louis "[Samba] member joined, but . . ." and ran some of his command line test strings and received similar results.
>>>
>>> Did some checking before moving forward:
>>>
>>> root at dtmember01:~# net ads testjoin
>>> Join is OK <<<<<<<<<<<< OK? Can't change permissions!
>>>
>>> root at dtmember01:~# net rpc rights list
>>> Enter root's password:
>>> Could not connect to server 127.0.0.1 <<<<<< why localhost?
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look
>>>
>>> root at dtmember01:~# cat /etc/hosts
>>> 127.0.0.1 localhost
>>> 192.168.16.55 dtmember01.dtshrm.lan dtmember01
>>>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1 localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> root at dtmember01:~# cat /etc/network/interfaces
>>> # This file describes the network interfaces available on your system
>>> # and how to activate them. For more information, see interfaces(5).
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> allow-hotplug eth0
>>> iface eth0 inet static
>>> address 192.168.16.55
>>> netmask 255.255.255.0
>>> network 192.168.16.0
>>> broadcast 192.168.16.255
>>> gateway 192.168.16.106
>>> # dns-* options are implemented by the resolvconf package, if installed
>>> dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct setting here
>>> dns-search dtshrm.lan
>>>
>>> Do I have anything set incorrectly?
>>>
>>> Then I ran these test strings that were listed in the "member joined, but . . ." thread.
>>>
>>> root at dtmember01:~# net rpc rights list accounts -Uadministrator
>>> Enter administrator's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!!
>>>
>>> root at dtmember01:~# net -S dtmember01 rpc rights list account -Uadministrator
>>> Enter administrator's password:
>>> Could not connect to server dtmember01
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts -Uadministrator
>>> Enter administrator's password:
>>> BUILTINPrint Operators
>>> No privileges assigned
>>>
>>> BUILTINAccount Operators
>>> No privileges assigned
>>>
>>> BUILTINBackup Operators
>>> No privileges assigned
>>>
>>> BUILTINServer Operators
>>> No privileges assigned
>>>
>>> BUILTINAdministrators
>>> SeMachineAccountPrivilege
>>> SeTakeOwnershipPrivilege
>>> SeBackupPrivilege
>>> SeRestorePrivilege
>>> SeRemoteShutdownPrivilege
>>> SePrintOperatorPrivilege
>>> SeAddUsersPrivilege
>>> SeDiskOperatorPrivilege <<<<<<<<<<<< hum-m-m
>>> SeSecurityPrivilege
>>> SeSystemtimePrivilege
>>> SeShutdownPrivilege
>>> SeDebugPrivilege
>>> SeSystemEnvironmentPrivilege
>>> SeSystemProfilePrivilege
>>> SeProfileSingleProcessPrivilege
>>> SeIncreaseBasePriorityPrivilege
>>> SeLoadDriverPrivilege
>>> SeCreatePagefilePrivilege
>>> SeIncreaseQuotaPrivilege
>>> SeChangeNotifyPrivilege
>>> SeUndockPrivilege
>>> SeManageVolumePrivilege
>>> SeImpersonatePrivilege
>>> SeCreateGlobalPrivilege
>>> SeEnableDelegationPrivilege
>>>
>>> Everyone
>>> No privileges assigned
>>>
>>> root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>> Enter administrator's password:
>>> Failed to grant privileges for DTDC01Domain Admins (NT_STATUS_ACCESS_DENIED)
>>>
>>> I tried to sort out the issues Louis was experiencing in his pam setup and realized that I had run his script against Debian 7.7.0 (newer than that available in February) and wondered if Debian (this version) pam files is the cause of the issue I am experiencing.
>>>
>>> Decided to post here and see what anyone thinks? Louis, are you there?
>>>
>>> --
>>> -------------------------
>>> Bob Wooden of Donelson Trophy
>>> 615.885.2846 (main)
>>> www.donelsontrophy.com
>>> "Everyone deserves an award!!"
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
> Rowland,
>
> As you can see Louis is on a holiday. (Enjoy the snow, Louis.)

Yes, I noticed he was going downhill leg-breaking :-D

>
> I changed per his suggestions and have discovered that my lone W7 client
> does not have internet access?
>
> Should the W7 client use the MEMBER server ip address for its
> "Preferred DNS server" or the address of my DC?

You need to point your clients at the DC, this is running a DNS server 
which should know about ALL machines in AD.

I don't know if you noticed, but somebody else is having similar 
problems, can you check if you have a file 'libnss_winbind.so.2'?

Rowland
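
Added example (not part of the original messages and not Samba project code): a shell script for the two checks raised in this thread, that every configured nameserver on the member server is an AD DC and that 'libnss_winbind.so.2' is present. The function names check_resolver and find_nss_winbind are hypothetical, and 192.0.2.10 is a constructed stand-in for IP_OF_AD_DC.

```shell
#!/bin/sh
# Added example, not from the thread. 192.0.2.10 stands in for IP_OF_AD_DC.

# check_resolver FILE DC_IP...
# FILE is resolv.conf ("nameserver") or Debian interfaces ("dns-nameservers").
# Succeeds only when every listed nameserver is one of the given DC addresses.
check_resolver() {
    conf=$1; shift
    found=0
    for ns in $(awk '$1 == "nameserver" || $1 == "dns-nameservers" {
                         for (i = 2; i <= NF; i++) print $i }' "$conf"); do
        found=1
        ok=0
        for dc in "$@"; do
            if [ "$ns" = "$dc" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "FAIL: $conf uses $ns, which is not an AD DC" >&2
            return 1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no nameserver entries in $conf" >&2
        return 1
    fi
    echo "OK: every nameserver is an AD DNS server"
}

# find_nss_winbind DIR...
# Prints the first libnss_winbind.so.2 found below the given directories.
find_nss_winbind() {
    hit=$(find -H "$@" -name 'libnss_winbind.so.2' 2>/dev/null | head -n 1)
    if [ -z "$hit" ]; then
        echo "FAIL: libnss_winbind.so.2 not found under: $*" >&2
        return 1
    fi
    echo "$hit"
}

# Constructed sample: the dns-nameservers line before and after the change.
demo=$(mktemp -d)
printf 'iface eth0 inet static\n    dns-nameservers 208.67.222.222\n' > "$demo/before"
printf 'iface eth0 inet static\n    dns-nameservers 192.0.2.10\n' > "$demo/after"
check_resolver "$demo/before" 192.0.2.10 || true
check_resolver "$demo/after" 192.0.2.10
rm -rf "$demo"
```

On the member server itself, the same functions can be pointed at /etc/resolv.conf or /etc/network/interfaces and at /lib and /usr/lib.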
