[Samba] NT_STATUS_CONNECTION_REFUSED

mathias dufresne infractory at gmail.com
Wed Jan 27 08:56:58 UTC 2016


Oki doki, so back to what Rowland said: possibly a DNS issue.

You could run a tcpdump on the member server when you proceed with kinit.

I use this very simple tcpdump:
tcpdump -i eth0 port domain

which gives me:
09:52:38.700960 IP dc11.domain.tld.59363 > dc11.domain.tld.domain: 57745+
SRV? _kerberos._udp.SAMBA.DOMAIN.TLD. (58)
09:52:38.703335 IP dc11.domain.tld.domain > dc11.domain.tld.59363: 57745*-
6/1/0 SRV dc10.domain.tld.:88 0 100, SRV dc13.domain.tld.:88 0 100, SRV
dc11.domain.tld.:88 0 100, SRV dc14.domain.tld.:88 0 100, SRV
dc12.domain.tld.:88 0 100, SRV dc15.domain.tld.:88 0 100 (372)
09:52:38.703546 IP dc11.domain.tld.41865 > dc11.domain.tld.domain: 44541+
SRV? _kerberos._tcp.SAMBA.DOMAIN.TLD. (58)
09:52:38.705290 IP dc11.domain.tld.domain > dc11.domain.tld.41865: 44541*-
6/1/0 SRV dc13.domain.tld.:88 0 100, SRV dc11.domain.tld.:88 0 100, SRV
dc12.domain.tld.:88 0 100, SRV dc15.domain.tld.:88 0 100, SRV
dc10.domain.tld.:88 0 100, SRV dc14.domain.tld.:88 0 100 (372)
09:52:38.706004 IP dc11.domain.tld.60616 > dc11.domain.tld.domain: 54341+
A? dc10.domain.tld. (48)
09:52:38.707040 IP dc11.domain.tld.domain > dc11.domain.tld.60616: 54341*-
1/1/0 A 10.154.102.164 (78)
09:52:38.711658 IP dc11.domain.tld.51056 > dc11.domain.tld.domain: 2884+
SRV? _kerberos-master._udp.SAMBA.DOMAIN.TLD. (65)
09:52:38.713381 IP dc11.domain.tld.domain > dc11.domain.tld.51056: 2884
NXDomain*- 0/1/0 (117)
09:52:53.481986 IP dc11.domain.tld.51509 > dc11.domain.tld.domain: 50622+
SRV? _kerberos._udp.SAMBA.DOMAIN.TLD. (58)
09:52:53.483709 IP dc11.domain.tld.domain > dc11.domain.tld.51509: 50622*-
6/1/0 SRV dc12.domain.tld.:88 0 100, SRV dc14.domain.tld.:88 0 100, SRV
dc13.domain.tld.:88 0 100, SRV dc15.domain.tld.:88 0 100, SRV
dc11.domain.tld.:88 0 100, SRV dc10.domain.tld.:88 0 100 (372)
09:52:53.483951 IP dc11.domain.tld.36963 > dc11.domain.tld.domain: 36302+
SRV? _kerberos._tcp.SAMBA.DOMAIN.TLD. (58)
09:52:53.485650 IP dc11.domain.tld.domain > dc11.domain.tld.36963: 36302*-
6/1/0 SRV dc12.domain.tld.:88 0 100, SRV dc14.domain.tld.:88 0 100, SRV
dc13.domain.tld.:88 0 100, SRV dc10.domain.tld.:88 0 100, SRV
dc15.domain.tld.:88 0 100, SRV dc11.domain.tld.:88 0 100 (372)
09:52:53.485892 IP dc11.domain.tld.51480 > dc11.domain.tld.domain: 58145+
A? dc12.domain.tld. (48)
09:52:53.486918 IP dc11.domain.tld.domain > dc11.domain.tld.51480: 58145*-
1/1/0 A 10.154.102.166 (83)
09:52:53.495040 IP dc11.domain.tld.34735 > dc11.domain.tld.domain: 28249+
SRV? _kerberos-master._udp.SAMBA.DOMAIN.TLD. (65)
09:52:53.496708 IP dc11.domain.tld.domain > dc11.domain.tld.34735: 28249
NXDomain*- 0/1/0 (117)
09:52:53.497006 IP dc11.domain.tld.54017 > dc11.domain.tld.domain: 52851+
SRV? _kerberos._tcp.SAMBA.DOMAIN.TLD. (58)
09:52:53.498555 IP dc11.domain.tld.domain > dc11.domain.tld.54017: 52851*-
6/1/0 SRV dc15.domain.tld.:88 0 100, SRV dc12.domain.tld.:88 0 100, SRV
dc13.domain.tld.:88 0 100, SRV dc14.domain.tld.:88 0 100, SRV
dc10.domain.tld.:88 0 100, SRV dc11.domain.tld.:88 0 100 (372)
09:52:53.498870 IP dc11.domain.tld.35053 > dc11.domain.tld.domain: 1666+ A?
dc15.domain.tld. (48)
09:52:53.499904 IP dc11.domain.tld.domain > dc11.domain.tld.35053: 1666*-
1/1/0 A 10.154.102.169 (83)
09:52:53.508407 IP dc11.domain.tld.46449 > dc11.domain.tld.domain: 13966+
SRV? _kerberos-master._tcp.SAMBA.DOMAIN.TLD. (65)
09:52:53.510046 IP dc11.domain.tld.domain > dc11.domain.tld.46449: 13966
NXDomain*- 0/1/0 (117)


SRV records have to exist. They are created in Samba with samba_dnsupdate,
which is run automatically... sometimes; I don't know what the triggers for
that command are.

Hoping this helps...

2016-01-27 8:41 GMT+01:00 Henry McLaughlin <henry at incred.com.au>:

> On 27 January 2016 at 18:09, mathias dufresne <infractory at gmail.com>
> wrote:
>
> > Use the same krb5.conf on members as on DC, no?
> >
> > Tried... same error msg.
>
>
> > 2016-01-27 7:42 GMT+01:00 Henry McLaughlin <henry at incred.com.au>:
> >
> >> On 27 January 2016 at 17:40, mathias dufresne <infractory at gmail.com>
> >> wrote:
> >>
> >> > Hi,
> >> >
> >> > Samba DC generates a krb5.conf in the private directory, where the
> >> > database is held.
> >> >
> >> > Its content should be that:
> >> > [libdefaults]
> >> >         default_realm = SAMBA.DOMAIN.TLD
> >> >         dns_lookup_realm = false
> >> >         dns_lookup_kdc = true
> >> >
> >> > Should only as I get it from a forgotten test platform where I set
> >> > dns_lookup_realm = true
> >> >
> >> > Cheers,
> >> >
> >> > mathias
> >> >
> >>
> >> Hi Mathias, this is a member server not a DC.
> >>
> >> >
> >> > 2016-01-27 2:03 GMT+01:00 Henry McLaughlin <henry at incred.com.au>:
> >> >
> >> >> On 27 January 2016 at 08:24, Rowland penny <rpenny at samba.org> wrote:
> >> >>
> >> >> > On 26/01/16 20:54, Henry McLaughlin wrote:
> >> >> >
> >> >> >> [root@centos7member ~]# net rpc rights list accounts -U'TESTING\administrator'
> >> >> >> Enter TESTING\administrator's password:
> >> >> >> Could not connect to server 127.0.0.1
> >> >> >> Connection failed: NT_STATUS_CONNECTION_REFUSED
> >> >> >> [root@centos7member ~]#
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> > This looks like a dns problem, it is trying to connect to localhost
> >> >> > instead of your DC, check /etc/resolv.conf and /etc/krb5.conf
> >> >> >
> >> >> > Rowland
> >> >> >
> >> >> >
> >> >> > --
> >> >> > To unsubscribe from this list go to the following URL and read the
> >> >> > instructions:  https://lists.samba.org/mailman/options/samba
> >> >> >
> >> >>
> >> >> [root@centos7pdc ~]# cat /etc/resolv.conf
> >> >> search testing.domain.com.au
> >> >> nameserver 192.168.1.10
> >> >>
> >> >> [root@centos7member ~]# cat /etc/krb5.conf
> >> >> [logging]
> >> >>  default = FILE:/var/log/krb5libs.log
> >> >>  kdc = FILE:/var/log/krb5kdc.log
> >> >>  admin_server = FILE:/var/log/kadmind.log
> >> >>
> >> >> [libdefaults]
> >> >>  dns_lookup_realm = false
> >> >>  ticket_lifetime = 24h
> >> >>  renew_lifetime = 7d
> >> >>  forwardable = true
> >> >>  rdns = false
> >> >> # default_realm = EXAMPLE.COM
> >> >>  default_ccache_name = KEYRING:persistent:%{uid}
> >> >>
> >> >> [realms]
> >> >> # EXAMPLE.COM = {
> >> >> #  kdc = kerberos.example.com
> >> >> #  admin_server = kerberos.example.com
> >> >> # }
> >> >>
> >> >> [domain_realm]
> >> >> # .example.com = EXAMPLE.COM
> >> >> # example.com = EXAMPLE.COM
> >> >>
> >> >>
> >> >> Looks like krb5.conf is unconfigured. Is there a Samba guide as to how
> >> >> this should be configured or a std template?
> >> >>
> >> >
> >> >
> >>
> >
> >
>
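
Added example, not part of the original message and not Samba code: a small Python parser for the `tcpdump -i eth0 port domain` output format shown above. It pairs each DNS query with its reply by transaction ID and lists the SRV names that came back without any target, so a missing `_kerberos._udp` or `_kerberos._tcp` record stands out. The sample capture is constructed and the function names are illustrative.

```python
import re

# Constructed sample in the format of the capture above, including the
# continuation lines produced by mail wrapping.
SAMPLE = """\
09:52:38.700960 IP dc11.domain.tld.59363 > dc11.domain.tld.domain: 57745+
SRV? _kerberos._udp.SAMBA.DOMAIN.TLD. (58)
09:52:38.703335 IP dc11.domain.tld.domain > dc11.domain.tld.59363: 57745*-
2/1/0 SRV dc10.domain.tld.:88 0 100, SRV dc11.domain.tld.:88 0 100 (120)
09:52:38.711658 IP dc11.domain.tld.51056 > dc11.domain.tld.domain: 2884+
SRV? _kerberos-master._udp.SAMBA.DOMAIN.TLD. (65)
09:52:38.713381 IP dc11.domain.tld.domain > dc11.domain.tld.51056: 2884
NXDomain*- 0/1/0 (117)
"""

STAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
QUERY = re.compile(r": (\d+)\+ (\w+)\? (\S+) \(\d+\)$")
REPLY = re.compile(
    r": (\d+)[*\-|$]* (?:([A-Za-z]+)[*\-|$]* )?(\d+)/\d+/\d+ ?(.*) \(\d+\)$")
SRV = re.compile(r"SRV (\S+):(\d+) \d+ \d+")  # target:port priority weight

def unwrap(text):
    """Re-join records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def dns_results(text):
    """Pair each DNS query with its reply, matched on the transaction ID."""
    pending, results = {}, []
    for rec in unwrap(text):
        q = QUERY.search(rec)
        if q:
            pending[q.group(1)] = (q.group(2), q.group(3))
            continue
        r = REPLY.search(rec)
        if r and r.group(1) in pending:
            qtype, qname = pending.pop(r.group(1))
            results.append({"type": qtype, "name": qname,
                            "rcode": r.group(2) or "NoError",
                            "targets": SRV.findall(r.group(4))})
    return results

def unanswered_srv(results):
    """SRV names that were queried but returned no target."""
    return sorted({r["name"] for r in results
                   if r["type"] == "SRV" and not r["targets"]})
```

Feed it the text of a capture taken while running kinit on the member server; an empty list from `unanswered_srv` for the `_kerberos._udp` and `_kerberos._tcp` names means those SRV records resolve.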

