[Samba] NT_STATUS_CONNECTION_REFUSED

Rowland penny rpenny at samba.org
Wed Jan 27 10:45:09 UTC 2016


On 27/01/16 10:07, Henry McLaughlin wrote:
> On 27 January 2016 at 20:27, Rowland penny <rpenny at samba.org> wrote:
>
>> On 27/01/16 01:03, Henry McLaughlin wrote:
>>
>>> On 27 January 2016 at 08:24, Rowland penny <rpenny at samba.org> wrote:
>>>
>>>> On 26/01/16 20:54, Henry McLaughlin wrote:
>>>>> [root@centos7member ~]# net rpc rights list accounts -U'TESTING\administrator'
>>>>> Enter TESTING\administrator's password:
>>>>> Could not connect to server 127.0.0.1
>>>>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>>>> [root@centos7member ~]#
>>>>>
>>>> This looks like a dns problem, it is trying to connect to localhost
>>>> instead of your DC, check /etc/resolv.conf and /etc/krb5.conf
>>>>
>>>> Rowland
>>>>
>>> [root@centos7pdc ~]# cat /etc/resolv.conf
>>> search testing.domain.com.au
>>> nameserver 192.168.1.10
>>>
>>> [root@centos7member ~]# cat /etc/krb5.conf
>>> [logging]
>>>    default = FILE:/var/log/krb5libs.log
>>>    kdc = FILE:/var/log/krb5kdc.log
>>>    admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>>    dns_lookup_realm = false
>>>    ticket_lifetime = 24h
>>>    renew_lifetime = 7d
>>>    forwardable = true
>>>    rdns = false
>>> # default_realm = EXAMPLE.COM
>>>    default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> [realms]
>>> # EXAMPLE.COM = {
>>> #  kdc = kerberos.example.com
>>> #  admin_server = kerberos.example.com
>>> # }
>>>
>>> [domain_realm]
>>> # .example.com = EXAMPLE.COM
>>> # example.com = EXAMPLE.COM
>>>
>>>
>>> Looks like krb5.conf is unconfigured. Is there a Samba guide as to how
>>> this should be configured or a std template?
>>>
>> OK, I missed this before:
>>
>> you have in smb.conf:
>>
>>         username map = /etc/samba/user.map
>>
>> with the corresponding user.map
>>
>> !root = TESTING\Administrator TESTING\administrator
>>
>> you also posted:
>>
>> [root@centos7member ~]# getent passwd administrator
>> administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash
>>
>> You are mapping Administrator to root, but have also given Administrator a
>> uidNumber attribute (10500)
>>
>> I would suggest that you remove the uidNumber attribute (and any other
>> rfc2307 attributes) from Administrator's AD object and depend on the mapping
>> instead. I am unsure if this will fix your problem, but it is a good place
>> to start.
>>
>> Rowland
>>
>>
> Hi Rowland, I understood that idmap rid did not need me to assign UIDs &
> GIDs in ADUC as these were auto calculated based upon the sid. Accordingly
> I have assigned NO unix attributes in ADUC.

Quite correct, but you still shouldn't be getting a response from
'getent' for administrator. If I run getent on a domain member, I get this:

rowland@debnet:~$ getent passwd administrator
rowland@debnet:~$

Whilst on a DC, I get this:

root@dc1:~# getent passwd administrator
SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
root@dc1:~#

As you can see, Administrator has a UID of '0' and this is also the UID
of root.

This is on Debian, I think you may have a misconfiguration in PAM.

Rowland
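
The conflict discussed in this thread (a name that user.map sends to root while getent also returns a non-zero UID for it) can be checked mechanically; the following is an added example, not part of the original post. The sample map and passwd line are constructed from the values quoted above, `lookup_passwd`, `root_map_conflicts` and `LOOKUP_DATA` are hypothetical names, and client names are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example (not from the thread): list client names that a Samba
# "username map" sends to root while NSS also gives them a non-zero UID.

# Constructed sample data copying the values quoted in the thread.
SAMPLE_MAP='!root = TESTING\Administrator TESTING\administrator'
SAMPLE_PASSWD='administrator:*:10500:10513:Administrator:/home/administrator:/sbin/bash'

# lookup_passwd NAME: print NAME's passwd entry. Reads LOOKUP_DATA
# (passwd-format text, a hypothetical test hook) if set, else calls getent.
lookup_passwd() {
    if [ -z "${LOOKUP_DATA:-}" ]; then
        getent passwd "$1"
        return
    fi
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$LOOKUP_DATA" | while IFS= read -r entry; do
        have=$(printf '%s' "${entry%%:*}" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then printf '%s\n' "$entry"; fi
    done
}

# root_map_conflicts: read a username map on stdin and print one line per
# client name mapped to root whose passwd entry carries a non-zero UID.
# Runs in a subshell so "set -f" (no globbing of '*' entries) stays local.
# Assumption: client names contain no spaces (quoted names are not parsed).
root_map_conflicts() (
    set -f
    while IFS= read -r line; do
        case $line in ''|'#'*|';'*) continue ;; *=*) ;; *) continue ;; esac
        unix=$(printf '%s' "${line%%=*}" | tr -d ' \t!')
        [ "$unix" = root ] || continue
        for client in ${line#*=}; do
            short=${client##*\\}                 # name without DOMAIN\ prefix
            [ "$short" = "$client" ] && short=
            for candidate in "$client" $short; do
                entry=$(lookup_passwd "$candidate") || entry=
                uid=$(printf '%s' "$entry" | cut -d: -f3)
                if [ -n "$entry" ] && [ "$uid" != 0 ]; then
                    printf '%s maps to root but %s has uid %s\n' "$client" "$candidate" "$uid"
                fi
            done
        done
    done
)

# Demo on the constructed sample data.
( LOOKUP_DATA=$SAMPLE_PASSWD; printf '%s\n' "$SAMPLE_MAP" | root_map_conflicts )
```

On a real domain member, leave `LOOKUP_DATA` unset and run `root_map_conflicts < /etc/samba/user.map`, which calls `getent passwd` for each mapped name.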




