[Samba] getting NT_STATUS_LOGON_FAILURE

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Jan 9 10:26:22 MST 2015


 

On 2015-01-09 10:23, Rowland Penny wrote: 

> On 09/01/15 15:47, Bob of Donelson Trophy wrote: 
> 
> On 2015-01-09 09:27, Rowland Penny wrote: 
> 
> On 09/01/15 15:00, Bob of Donelson Trophy wrote:
> On 2015-01-09 08:44, Rowland Penny wrote:
>
> W7 client "Preferred DNS server" is set to my DC. My DC looks like this:
>
> root@dtdc01:~# cat /etc/resolv.conf
> search dtshrm.local
> domain dtshrm.local
> nameserver 192.168.16.54
>
> root@dtdc01:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet static
> address 192.168.16.54
> netmask 255.255.255.0
> network 192.168.16.0
> broadcast 192.168.16.255
> gateway 192.168.16.106
> # dns-* options are implemented by the resolvconf package, if installed
> dns-nameservers 208.67.222.222
> dns-search dtshrm.local
>
> root@dtdc01:~# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.16.54 dtdc01.dtshrm.lan dtdc01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> Should the /etc/resolv.conf be resolving to itself? (I chuckled at your "panic" comment. lol)
>
> Fix this first, checking for 'libnss_winbind.so.2' is next on my list for this morning.
> 
> Firstly, what email client are you using ? it appears to be doing weird things :-)
> 
> Don't bother about libnss_winbind.so.2, you have it, what you don't have is the pam config file that automatically sets pam.
> 
> This is my /etc/resolv.conf from my DC:
> 
> nameserver 127.0.0.1
> search example.lan
> 
> It needs to point to itself and you do not need the domain line. domain & search are mutually exclusive and the last one wins.
> 
> This is my /etc/network/interfaces
> 
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
> 
> # The loopback network interface
> auto lo
> iface lo inet loopback
> 
> auto eth0
> iface eth0 inet static
> address 192.168.0.2
> netmask 255.255.255.0
> network 192.168.0.0
> broadcast 192.168.0.255
> gateway 192.168.0.1
> 
> I also turn off NetworkManager and stop it from starting at boot.
> 
> When you installed your member server via Louis's script, did you alter this line:
> 
> ENABLEPAMAUTH=0
> 
> Rowland

Email client - Louis' email came back looking weird. Don't know about
that. 

How do I "turn off NetworkManager" in Debian? (I didn't think it was on
a server non-gui install?) 
 Ah, didn't know that, you do not have it running.

> And I have not altered any PAM lines so I have not changed ENABLEPAMAUTH=0; however, where is it so I can go check it?

 It is in Louis's script, line 100 and if you change it to 1 it runs a
block of code starting at line 349, this modifies /etc/pam.d/samba.
 This is not what happens if you install libnss-winbind & libpam-winbind
with the debian samba4 packages, unfortunately you cannot install these
with the sernet packages, but most of the contents of those two packages
are in sernet-samba-libs, except for the pam config file:

 /usr/share/pam-configs/winbind

 Name: Winbind NT/Active Directory authentication
 Default: yes
 Priority: 192
 Auth-Type: Primary
 Auth:
 [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
 Auth-Initial:
 [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
 Account-Type: Primary
 Account:
 [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
 Password-Type: Primary
 Password:
 [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
 Password-Initial:
 [success=end default=ignore] pam_winbind.so
 Session-Type: Additional
 Session:
 optional pam_winbind.so

 You may have to run 'pam-auth-update' and select winbind.

 Rowland

> -- 
> 
> -------------------------
> 
> Bob Wooden of Donelson Trophy
> 
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
> 
> "Everyone deserves an award!!"

Okay, I have resolved my (stupid Windows) "No internet access" issue on
my lone W7 client. 

Moving forward with resolving my "getting NT_STATUS_LOGON_FAILURE"
issue. 

I went to my (modified for me) script and I had "ENABLEPAMAUTH=0" and
"ENABLEPAMSSH=0". Maybe I should simply restore my member server with
'pre-script backup' and re-run the script with these two options enabled
(set to 1)? 

Should I enable both or just the "ENABLEAUTH"? 

Or can we (with your help, I hope) correct this issue? 
-- 

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"
 

Links:
------
[1] http://www.donelsontrophy.com
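
An added example, not part of the thread and not taken from Louis's script: a shell check for the two resolv.conf points Rowland makes above (a DC's nameserver should point to itself, and domain/search override each other with the last one winning), run on a constructed copy of the resolv.conf Bob posted. The helper name check_dc_resolv and its arguments are hypothetical, and treating the DC's own LAN address as "itself" alongside loopback is an assumption.

```shell
#!/bin/sh
# Added example: lint a DC's resolv.conf for the two points raised in the thread.
# check_dc_resolv FILE [OWN_IP...] is a hypothetical helper name.
# Returns 0 when clean, 1 when at least one warning was printed.
check_dc_resolv() {
    file=$1; shift
    own_ips="127.0.0.1 ::1 $*"   # loopback plus the DC's own addresses (assumption)
    rc=0

    # The first nameserver line is the one the resolver queries first.
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    match=0
    for ip in $own_ips; do
        if [ "$ip" = "$first_ns" ]; then match=1; fi
    done
    if [ -z "$first_ns" ]; then
        echo "WARN: no nameserver line"; rc=1
    elif [ "$match" -eq 1 ]; then
        echo "OK: first nameserver $first_ns is this host"
    else
        echo "WARN: first nameserver $first_ns is not this host"; rc=1
    fi

    # domain and search override each other; the last one in the file wins.
    count=$(awk '$1 == "domain" || $1 == "search" { n++ } END { print n + 0 }' "$file")
    if [ "$count" -gt 1 ]; then
        last=$(awk '$1 == "domain" || $1 == "search" { l = $0 } END { print l }' "$file")
        echo "WARN: $count domain/search lines; effective: $last"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the resolv.conf quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54
EOF
check_dc_resolv "$sample" 192.168.16.54 || true
rm -f "$sample"
```
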

