[Samba] NT_STATUS_CONNECTION_REFUSED
Rowland penny
rpenny at samba.org
Wed Jan 27 10:45:09 UTC 2016
On 27/01/16 10:07, Henry McLaughlin wrote:
> On 27 January 2016 at 20:27, Rowland penny <rpenny at samba.org> wrote:
>
>> On 27/01/16 01:03, Henry McLaughlin wrote:
>>
>>> On 27 January 2016 at 08:24, Rowland penny <rpenny at samba.org> wrote:
>>>
>>> On 26/01/16 20:54, Henry McLaughlin wrote:
>>>> [root at centos7member ~]# net rpc rights list accounts
>>>>> -U'TESTING\administrator'
>>>>> Enter TESTING\administrator's password:
>>>>> Could not connect to server 127.0.0.1
>>>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>>>> [root at centos7member ~]#
>>>>>
>>>>>
>>>>>
>>>>> This looks like a dns problem, it is trying to connect to localhost
>>>> instead of your DC, check /etc/resolv.conf and /etc/krb5.conf
>>>>
>>>> Rowland
>>>>
>>>> [root at centos7pdc ~]# cat /etc/resolv.conf
>>> search testing.domain.com.au
>>> nameserver 192.168.1.10
>>>
>>> [root at centos7member ~]# cat /etc/krb5.conf
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> dns_lookup_realm = false
>>> ticket_lifetime = 24h
>>> renew_lifetime = 7d
>>> forwardable = true
>>> rdns = false
>>> # default_realm = EXAMPLE.COM
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> [realms]
>>> # EXAMPLE.COM = {
>>> # kdc = kerberos.example.com
>>> # admin_server = kerberos.example.com
>>> # }
>>>
>>> [domain_realm]
>>> # .example.com = EXAMPLE.COM
>>> # example.com = EXAMPLE.COM
>>>
>>>
>>> Looks like krb5.conf is unconfigured. Is there a Samba guide as to how
>>> this
>>> should be configured or a std template?
>>>
>> OK, I missed this before:
>>
>> you have in smb.conf:
>>
>> username map = /etc/samba/user.map
>>
>> with the corresponding user.map
>>
>> !root = TESTING\Administrator TESTING\administrator
>>
>> you also posted:
>>
>> [root at centos7member ~]# getent passwd administrator
>> administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash
>>
>> You are mapping Administrator to root, but have also given Administrator a
>> uidNumber attribute (10500)
>>
>> I would suggest that you remove the uidNumber attribute (and any other
>> rfc2307 attributes) from Administrator's AD object and depend on the mapping
>> instead. I am unsure if this will fix your problem, but it is a good place
>> to start.
>>
>> Rowland
>>
>>
> Hi Rowland, I understood that idmap rid did not need me to assign UIDs &
> GIDs in ADUC as these were auto calculated based upon the sid. Accordingly
> I have assigned NO unix attributes in ADUC.
Quite correct, but you still shouldn't be getting a response from
'getent' for administrator, if I run getent on a domain member I get this:

rowland at debnet:~$ getent passwd administrator
rowland at debnet:~$

Whilst on a DC, I get this:

root at dc1:~# getent passwd administrator
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
root at dc1:~#

As you can see, Administrator has a UID of '0' and this is also the UID
of root.

This is on Debian, I think you may have a mis-configuration in PAM.

Rowland
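
The comparison discussed in this message, as an added example that is not part of the original post: it reports any Windows name that a `username map` file maps to a Unix account while passwd-format data (for instance saved `getent passwd` output) also gives that name a different UID. The function names and the temporary files are assumptions; the sample lines are constructed from the values quoted in the thread, and quoted names containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage: find_map_conflicts <username-map-file> <passwd-format-file>
find_map_conflicts() {
    awk '
    pass == 1 {                       # passwd-format lines: name:pw:uid:...
        split($0, f, ":")
        uid[tolower(f[1])] = f[3]
        next
    }
    /^[ \t]*[#;]/ || !/=/ { next }    # skip comments and lines without "="
    {
        eq = index($0, "=")
        unix = substr($0, 1, eq - 1)
        gsub(/[ \t!]/, "", unix)      # drop whitespace and the "!" marker
        unix = tolower(unix)
        if (!(unix in uid)) next      # mapped-to Unix account not in the input
        n = split(substr($0, eq + 1), names, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (names[i] == "") continue
            full = tolower(names[i])  # e.g. testing\administrator
            short = full
            sub(/^.*\\/, "", short)   # e.g. administrator
            m = split(full " " short, cand, " ")
            for (j = 1; j <= m; j++) {
                c = cand[j]
                if (c == unix || !(c in uid) || (c in seen)) continue
                if (uid[c] == uid[unix]) continue   # same UID: no conflict
                seen[c] = 1
                printf "%s uid=%s conflicts with %s uid=%s\n", c, uid[c], unix, uid[unix]
            }
        }
    }' pass=1 "$2" pass=2 "$1"
}

# Constructed sample input, using the values quoted in the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '!root = TESTING\Administrator TESTING\administrator' > "$d/user.map"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash' > "$d/passwd"
    find_map_conflicts "$d/user.map" "$d/passwd"
    rm -rf "$d"
}
```

An entry like the DC output above, where the domain Administrator already has UID 0, produces no output.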