[Samba] SOLVED Re: NT_STATUS_CONNECTION_REFUSED, again!!!

L.P.H. van Belle belle at bazuin.nl
Mon Mar 2 00:48:09 MST 2015


Hi Bob (and Rowland),

Great work here, Bob. What was the CPU you're using?
Can you post the output of cat /proc/cpuinfo and send it to me?
I'll try to add something in the script to look for what CPU is being used,
and I'll add the slowdown in it.
I'm running on an AMD Opteron 4386, 3.1 GHz, so that's why it always works for me.
I'll go test this also on a few slow machines.


Greetz, 

Louis




>-----Original message-----
>From: bob at donelsontrophy.net 
>[mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
>Sent: Friday 27 February 2015 22:16
>To: samba at lists.samba.org
>Subject: [Samba] SOLVED Re: NT_STATUS_CONNECTION_REFUSED, again!!!
>
> 
>
>Well, guess what . . . "sleep 30" might be a long wait but, IT
>WORKED!!!!! I guess speed of the machine might make a difference.
>
>(I have noticed that these older machines' devices, hard drives, etc.,
>are sleeping and sometimes when I login, I'll think that it has given me
>the 'password' prompt and it hasn't and the login will fail. The second
>login attempt the 'password' prompt "pops up" that much quicker because
>something is no longer sleeping. Crazy user thoughts rambling on for a
>moment . . .)
>
>So, "sleep 3" and "sleep 5" I tried . . . I'm guessing "sleep 15 or 20"
>should be about okay.
>
>Thanks Rowland, we got there, again!!! 
>
>---
>
>-------------------------
>
>Bob Wooden of Donelson Trophy
>
>615.885.2846 (main)
>www.donelsontrophy.com [1]
>
>"Everyone deserves an award!!"
>
>On 2015-02-27 14:58, Bob of Donelson Trophy wrote: 
>
>> At one point, I thought the same. Tried a "sleep 5" and still got some
>> failures. (That was before I started counting the fails.) This is a P4
>> 3.2Ghz with 1Gb RAM. Could it be that sluggish (at that moment) and need
>> a "sleep 10" or "sleep 15" or more? It worked on my VM (of course it is
>> running on a multi-core Xeon processor so maybe a sleep?) I'm going to
>> try "sleep 30", what the heck!!
>> 
>> Hold on . . . 
>> 
>> ---
>> 
>> -------------------------
>> 
>> Bob Wooden of Donelson Trophy
>> 
>> 615.885.2846 (main)
>> www.donelsontrophy.com [1]
>> 
>> "Everyone deserves an award!!"
>> 
>> On 2015-02-27 14:52, Rowland Penny wrote:
>> 
>>> On 27/02/15 20:08, Bob of Donelson Trophy wrote:
>>>
>>> No. What I did was change the first few to see what happens. And still
>>> the first 13 (this time, last time 17) failed. I am baffled why the
>>> first 11 to 17 fail (randomly) and the remainder receive "Successfully
>>> granted rights."
>>>
>>> On 2015-02-27 13:31, Rowland Penny wrote:
>>>
>>> On 27/02/15 19:25, Bob of Donelson Trophy wrote:
>>>
>>> Thanks Rowland but that idea did not work. I will simply grant access
>>> to those that failed manually. (Really wish I had kept the VM that the
>>> script had worked on so I could go back and see what happened but, too
>>> late, I have already deleted to save precious hard drive space.) If I
>>> have any issues, I'll be back.
>>>
>>> On 2015-02-27 12:22, Rowland Penny wrote:
>>>
>>> On 27/02/15 18:00, Bob of Donelson Trophy wrote:
>>>
>>> Thanks Rowland. Being the novice that I am, I thought the line would
>>> 'pickup' my DOMAIN and replace the ${SAMBA_NT_DOMAIN}. So, I just tried
>>> the line correctly and it asked for my Administrator password and
>>> subsequently granted access. At least I know I can go and correct
>>> manually, if I need to. My /etc/resolv.conf is:
>>>
>>> root at dt01:~# cat /etc/resolv.conf
>>> search dts***m.dt
>>> nameserver 192.168.16.51
>>>
>>> The nameserver is resolving to "itself", the DC01. (As you know, this
>>> is created through the script.) The "wbinfo -g" says that "Domain
>>> Admins" is indeed in the groups.
>>>
>>> On 2015-02-27 11:43, Rowland Penny wrote:
>>>
>>> On 27/02/15 17:28, Bob of Donelson Trophy wrote:
>>>
>>> I thought I was over this the other day when I got it to work properly
>>> on my VM. Now, on an actual PC I am getting:
>>>
>>> ==========Test kerberos ===============================
>>> Lets test some things
>>> Testing : kerberos
>>> Password for Administrator at DTSHRM.DT:
>>> Warning: Your password will expire in 41 days on Fri Apr 10 08:43:58 2015
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: Administrator at DTSHRM.DT
>>>
>>> Valid starting Expires Service principal
>>> 27/02/2015 07:45 27/02/2015 17:45 krbtgt/DTSHRM.DT at DTSHRM.DT
>>> renew until 28/02/2015 07:45, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>> ==========SE Privileges ===============================
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>> I snipped some excess<<<<<<<<
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>> Enter Administrator's password:
>>> Successfully granted rights.
>>> Enter Administrator's password:
>>> I snipped some excess<<<<<<<<<<<
>>> Enter Administrator's password:
>>> Successfully granted rights.
>>> ==========Test DNS Records ===============================
>>> Testing : dns entries
>>> testing of : host -t SRV _ldap._tcp.dtshrm.dt. : ok
>>> testing of : host -t SRV _kerberos._udp.dtshrm.dt. : ok
>>> testing of : host -t A dtdc01.dtshrm.dt. : ok
>>> I snipped the ending<<<<<
>>>
>>> I have had the chance to try this several times (thanks to backups)
>>> and each time a different number of failures and then "Successfully
>>> granted rights." Generally there are anywhere from 12 to 17 failures
>>> across two attempts (that I paid close attention to, out of five
>>> tries.) And, because I have two identical computers (one that will
>>> become DC1 and the other DC2) I switched machines, just to make sure it
>>> wasn't a hardware issue. It's not! When I run one of the failed script
>>> lines manually, I get:
>>>
>>> root at dc01:~# echo ${SAMBA_NT_ADMIN_PASS}| net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>> Enter Administrator's password:
>>> Could not connect to server 127.0.0.1
>>> The username or password was not correct.
>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>
>>> That might have failed because . . . . so, I tried this:
>>>
>>> root at dc01:~# net rpc rights grant "${SAMBA_NT_DOMAIN}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>> Enter Administrator's password:
>>> Failed to grant privileges for Domain Admins (NT_STATUS_NO_SUCH_USER)
>>>
>>> So, the script is not creating the "Domain Admins"? Confused, for
>>> sure!!!!
>>>
>>> Hi Bob, what have you got in /etc/resolv.conf ? I also take it that
>>> when you ran the lines manually, you replaced the variables with the
>>> correct info. The script doesn't create Domain Admins, this is done by
>>> the provision, run 'wbinfo -g' this should print all your domain
>>> groups.
>>>
>>> Rowland
>>>
>>> OK, I have had a look at Louis's script and the line that is failing
>>> is this:
>>>
>>> echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>>
>>> I 'think' the problem is here ^ If you want to escape a character in
>>> bash you use the '' character and I 'think' what is happening is that,
>>> instead of escaping the other '' it is actually escaping the double
>>> quotes character. Try replacing that line with this:
>>>
>>> echo ${SETNTPASSWD}| net rpc rights grant ${SETNTDOM}Domain Admins SeDiskOperatorPrivilege -UAdministrator
>>>
>>> Rowland
>>>
>>> I am convinced it is the way that line is formatted, instead of using
>>> DOMAINDomain Admins, I think it is using DOMAINdomain, so perhaps this
>>> would be better:
>>>
>>> echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>>
>>> but as you are now up and running, we will probably never know.
>>>
>>> Rowland
>> 
>> Ah, I thought that you were working on a DC, I wonder if it is a timing
>> thing, try placing a 'sleep 1' between the access lines.
>> 
>> Rowland
>> 
>> Links:
>> ------
>> [1] http://www.donelsontrophy.com [1]
> 
>
>Links:
>------
>[1] http://www.donelsontrophy.com
>
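The fix reached in this thread is a fixed "sleep" whose right length depends on the machine. As an added example (not part of the thread and not taken from Louis's script), the wrapper below retries the grant only while the output contains NT_STATUS_CONNECTION_REFUSED and stops on any other failure, such as NT_STATUS_LOGON_FAILURE, so a rejected password is not submitted again. The names `grant_with_retry`, `fake_net`, `STATE`, `GRANTEE` and `PASSFILE` are hypothetical, and it assumes `net` exits non-zero on failure.

```shell
#!/bin/sh
# Added example. Usage: grant_with_retry MAX_TRIES DELAY_SECONDS CMD [ARGS...] <password-source
# The password is read once from stdin and fed to every attempt.
# Returns 0 on success, 1 if every attempt was refused, 2 on any other error.
# GRANT_TRIES holds the number of attempts made.
grant_with_retry() {
    max=$1 delay=$2; shift 2
    pass=$(cat)
    n=1
    while [ "$n" -le "$max" ]; do
        GRANT_TRIES=$n
        # Capture stdout and stderr so the status text can be inspected.
        out=$(printf '%s\n' "$pass" | "$@" 2>&1) && {
            printf '%s\n' "$out"
            return 0
        }
        case $out in
            *NT_STATUS_CONNECTION_REFUSED*)
                # Service not accepting connections yet: wait, then retry.
                if [ "$n" -lt "$max" ]; then sleep "$delay"; fi ;;
            *)
                # Logon failure, no such user, etc.: retrying will not help.
                printf '%s\n' "$out" >&2
                return 2 ;;
        esac
        n=$((n + 1))
    done
    return 1
}

# Constructed stand-in for the real command, for offline testing only:
# refuses the first two calls, then succeeds. STATE is a counter file.
fake_net() {
    cat >/dev/null                                  # consume the password
    c=$(cat "$STATE" 2>/dev/null || echo 0)
    c=$((c + 1)); echo "$c" >"$STATE"
    if [ "$c" -le 2 ]; then
        echo "Connection failed: NT_STATUS_CONNECTION_REFUSED"
        return 1
    fi
    echo "Successfully granted rights."
}

# In a provisioning script (GRANTEE and PASSFILE are placeholders):
#   grant_with_retry 10 3 net rpc rights grant "$GRANTEE" \
#       SeDiskOperatorPrivilege -UAdministrator <"$PASSFILE"
```
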


