
Re: [Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR




Hi,
I've changed /etc/resolv.conf, rebooted, here is the output:

 cat /etc/resolv.conf
domain rona.loc
search rona.loc
nameserver 192.168.19.2

------
smbclient -L $(hostname -f) -UAdministrator%<password> -d5

INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
no entry for sambadc.rona.loc#20 found.
resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
namecache_store: storing 1 address for sambadc.rona.loc#20: 192.168.19.2
Connecting to 192.168.19.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR



--
Best regards, Vladimir.

2017-08-10 20:03 GMT+07:00 L.P.H. van Belle via samba <samba@xxxxxxxxxxxxxxx>:

> Hai,
>
> So, after reviewing all the posts again.
>
> This is the AD DC, can you show the output of :
> systemctl status smbd nmbd winbind samba samba-ad-dc
> ( yes, one line )
>
> And, to make sure the right things are enabled,
> run this: ( this is ONLY for an AD DC Samba setup )
>
> systemctl disable smbd nmbd winbind samba
> systemctl mask smbd nmbd winbind samba
> systemctl stop smbd nmbd winbind samba
>
> systemctl unmask samba-ad-dc
> systemctl enable samba-ad-dc
>
> Your logs show:
> For example : Kerberos: AS-REQ Administrator@RONA from ipv4:
> 192.168.19.29:49815 for krbtgt/RONA@RONA
>
> And
>  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> https://bugzilla.samba.org/show_bug.cgi?id=7605
>
>
> Can you change your resolv.conf to ..
> domain rona.loc
> search rona.loc
> nameserver 192.168.19.2
>
> Yes Rowland, I know... About ... You know, let's not go there.. ( for now
> ;-) )
> but Vladimir, please set this, reboot the server and try again.
>
> Post the result.
> I agree with Rowland, only the resolv.conf is different compared to most
> setups.
>
> If the test works,
> Can you change your resolv.conf to ..
> search rona.loc
> nameserver 192.168.19.2
>
> And reboot the server, and try again.
>
> What's the difference between Rowland and me..
> I did keep all settings from the Debian install.
> ( that's why I have domain and search, no other reason )
>
> Last, I think this is resolving.
> Kerberos: AS-REQ Administrator@RONA should show Kerberos: AS-REQ
> Administrator@xxxxxxxx
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> > Vladimir Frelikh via samba
> > Sent: Thursday 10 August 2017 14:23
> > To: Rowland Penny
> > CC: samba@xxxxxxxxxxxxxxx
> > Subject: Re: [Samba] cannot join windows 7 samba4-ad-dc
> > fresh install, get NT_STATUS_INTERNAL_ERROR
> >
> > Hi,
> > thanks for your participation,
> >
> > here's the output:
> >
> > smbclient -L $(hostname -f) -UAdministrator -d3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows
> > limit (16384)
> > Processing section "[global]"
> > added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
> > netmask=255.255.255.0
> > Client started (version 4.5.8-Debian).
> > Enter Administrator's password:
> > resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
> > Connecting to 192.168.19.2 at port 445
> > Doing spnego session setup (blob length=96)
> > got OID=1.2.840.48018.1.2.2
> > got OID=1.2.840.113554.1.2.2
> > got OID=1.3.6.1.4.1.311.2.2.10
> > got principal=not_defined_in_RFC4178@please_ignore
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898215
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088215
> > SPNEGO login failed: An internal error occurred.
> > session setup failed: NT_STATUS_INTERNAL_ERROR
> >
> > I could raise the log level if this is not enough
> >
> >
> > --
> > Best regards, Vladimir.
> >
> > 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba
> > <samba@xxxxxxxxxxxxxxx>:
> >
> > > On Thu, 10 Aug 2017 08:14:33 +0700
> > > Vladimir Frelikh via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > > >>
> > > > > >> <https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view=
> > > > >
> > att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
> > > > > >>
> > > > > >>
> > > > > >> --
> > > > > >> Best regards, Vladimir
> > >
> > > There doesn't seem to be anything really wrong with the conf files
> > > you have posted so far, except (and this is just a nitpick) I would use
> > > 'search' instead of 'domain' in /etc/resolv.conf
> > >
> > > There also doesn't seem to be anything obvious in the log you posted.
> > >
> > > Have you tried asking smbclient to be a bit more verbose ?
> > >
> > > smbclient -L localhost -U% -d3
> > >
> > > Try this and keep raising the last number until something does pop out
> > > (hopefully)
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
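
An added example, not part of the original thread: a Python check for the two things the quoted reply asks about, whether /etc/resolv.conf puts the DC first with the domain in its search list, and whether KDC log lines show an AS-REQ carrying a realm other than the configured one. The function names and the second log line are constructed; the realm, the addresses and the first log line are taken from the messages above.

```python
import re

REALM, DC_IP = "RONA.LOC", "192.168.19.2"   # realm and eth0 address from the log above

RESOLV_CONF = "domain rona.loc\nsearch rona.loc\nnameserver 192.168.19.2\n"

# First line is the one quoted in the thread; the second is constructed.
KDC_LOG = [
    "Kerberos: AS-REQ Administrator@RONA from ipv4:192.168.19.29:49815 for krbtgt/RONA@RONA",
    "Kerberos: AS-REQ Administrator@RONA.LOC from ipv4:192.168.19.29:49816 for krbtgt/RONA.LOC@RONA.LOC",
]
AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+)@(\S+) from (\S+) for ")

def parse_resolv_conf(text):
    """Return (search_list, nameservers). 'domain' and 'search' are mutually
    exclusive in resolv.conf: the last instance of either one wins."""
    search, servers = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "domain":
            search = fields[1:2]
        elif fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "nameserver":
            servers.append(fields[1])
    return search, servers

def check_resolver(text, realm, dc_ip):
    """List where resolv.conf differs from the settings asked for in the thread."""
    search, servers = parse_resolv_conf(text)
    problems = []
    if servers[:1] != [dc_ip]:
        problems.append(f"first nameserver is not the DC ({dc_ip})")
    if realm.lower() not in [d.lower().rstrip(".") for d in search]:
        problems.append(f"{realm.lower()} is not in the search list")
    return problems

def short_realm_requests(lines, realm):
    """Return (principal, realm_seen, client) for every AS-REQ whose realm is
    not the configured Kerberos realm (for example the NetBIOS name RONA)."""
    matches = (AS_REQ.search(line) for line in lines)
    return [m.groups() for m in matches if m and m.group(2).upper() != realm.upper()]

if __name__ == "__main__":
    print(check_resolver(RESOLV_CONF, REALM, DC_IP))   # resolv.conf findings
    print(short_realm_requests(KDC_LOG, REALM))        # AS-REQs with a short realm
```
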