
[Samba] Fwd: Samba AD DC not working properly within Docker [NT_STATUS_INTERNAL_ERROR]

Hi,

I am isolating many server services through Docker. I am using the
macvlan driver for this with a dedicated Docker server VLAN. I have
provisioned a new Samba AD domain in a docker container, the required
services are running but SMB clients cannot connect (RPC error).

First of all, these are the Samba versions I have tried:

- Samba 4.5.12 with Debian stable
- Samba 4.7.4 with Debian testing

I have Kerberos working (even from the outside network) and DNS is
working as well. But whenever I try to list the DC's shares with
smbclient I am getting an error. This even applies inside the Docker
container for the AD DC, so the issue is not related to a wrong
networking configuration or port mapping (which does not apply to
macvlan anyway).

This is how this can be reproduced within a docker container:

docker pull jgoerzen/debian-base-security
docker run -d --privileged --name samba-ad-dc-test --hostname sambatest \
    --network vlan_server jgoerzen/debian-base-security
docker exec -i -t samba-ad-dc-test /bin/bash

Note: The issue is not related to "macvlan". It also happens with
Docker's default "bridge" network.

# apt-get update && apt-get install -y samba smbclient
# samba-tool domain provision --use-rfc2307 --domain=TEST --realm=test.lan
# service samba start

-> Now the Samba DC is actually up and running. When using 127.0.0.1
as a name server within the container even all SRV records are in
place and Kerberos is working (even from outside). Now the issue is
that smbclient is not working, not even within the container. I cannot
get any debug output from running "samba" in interactive mode, but
this is what smbclient gives me:

root@sambatest:~# smbclient -L localhost -U% -d5
INFO: Current debug levels:
 all: 5
 tdb: 5
 printdrivers: 5
 lanman: 5
 smb: 5
 rpc_parse: 5
 rpc_srv: 5
 rpc_cli: 5
 passdb: 5
 sam: 5
 auth: 5
 winbind: 5
 vfs: 5
 idmap: 5
 quota: 5
 acls: 5
 locking: 5
 msdfs: 5
 dmapi: 5
 registry: 5
 scavenger: 5
 dns: 5
 ldb: 5
 tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
 all: 5
 tdb: 5
 printdrivers: 5
 lanman: 5
 smb: 5
 rpc_parse: 5
 rpc_srv: 5
 rpc_cli: 5
 passdb: 5
 sam: 5
 auth: 5
 winbind: 5
 vfs: 5
 idmap: 5
 quota: 5
 acls: 5
 locking: 5
 msdfs: 5
 dmapi: 5
 registry: 5
 scavenger: 5
 dns: 5
 ldb: 5
 tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBATEST
doing parameter realm = TEST.LAN
doing parameter workgroup = TEST
doing parameter dns forwarder = 127.0.0.11
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
pm_process() returned Yes
added interface eth0 ip=192.168.200.33 bcast=192.168.200.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBATEST"
Client started (version 4.5.12-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'TEST.LAN'
name localhost#20 found.
Connecting to 127.0.0.1 at port 445
Socket options:
       SO_KEEPALIVE = 0
       SO_REUSEADDR = 0
       SO_BROADCAST = 0
       TCP_NODELAY = 1
       TCP_KEEPCNT = 9
       TCP_KEEPIDLE = 7200
       TCP_KEEPINTVL = 75
       IPTOS_LOWDELAY = 0
       IPTOS_THROUGHPUT = 0
       SO_REUSEPORT = 0
       SO_SNDBUF = 2626560
       SO_RCVBUF = 1061808
       SO_SNDLOWAT = 1
       SO_RCVLOWAT = 1
       SO_SNDTIMEO = 0
       SO_RCVTIMEO = 0
       TCP_QUICKACK = 1
       TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
 NTLMSSP_NEGOTIATE_UNICODE
 NTLMSSP_REQUEST_TARGET
 NTLMSSP_NEGOTIATE_SIGN
 NTLMSSP_NEGOTIATE_NTLM
 NTLMSSP_NEGOTIATE_ALWAYS_SIGN
 NTLMSSP_TARGET_TYPE_DOMAIN
 NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
 NTLMSSP_NEGOTIATE_TARGET_INFO
 NTLMSSP_NEGOTIATE_VERSION
 NTLMSSP_NEGOTIATE_128
 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
 NTLMSSP_NEGOTIATE_UNICODE
 NTLMSSP_REQUEST_TARGET
 NTLMSSP_NEGOTIATE_SIGN
 NTLMSSP_NEGOTIATE_NTLM
 NTLMSSP_ANONYMOUS
 NTLMSSP_NEGOTIATE_ALWAYS_SIGN
 NTLMSSP_NEGOTIATE_VERSION
 NTLMSSP_NEGOTIATE_128
 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62008a15
 NTLMSSP_NEGOTIATE_UNICODE
 NTLMSSP_REQUEST_TARGET
 NTLMSSP_NEGOTIATE_SIGN
 NTLMSSP_NEGOTIATE_NTLM
 NTLMSSP_ANONYMOUS
 NTLMSSP_NEGOTIATE_ALWAYS_SIGN
 NTLMSSP_NEGOTIATE_VERSION
 NTLMSSP_NEGOTIATE_128
 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - using NTLM1
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

Any ideas?

Thanks,
 Fred

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
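The most informative part of the transcript above is the three `Got NTLMSSP neg_flags=0x...` lines. The decoder below is an added example for reading them; it is not code from the post or from Samba. The bit values are the NEGOTIATE flags defined in MS-NLMP (section 2.2.2.5), named as Samba prints them, and the sample input is a constructed excerpt of the `smbclient -d5` output quoted in the post. Run against that excerpt it confirms what the log already says in words: the `-U%` session setup is an anonymous NTLM one (`NTLMSSP_ANONYMOUS` appears only in the final flags), the client dropped extended session security together with the target-type and target-info bits the server offered, and signing is therefore initialised as NTLM1. It says nothing about why the server then returns `NT_STATUS_INTERNAL_ERROR`; that has to come from the server side.

```python
"""Decode the NTLMSSP neg_flags values printed by `smbclient -d5`.

Added example for this thread (not the poster's or Samba's code).
Bit values are the MS-NLMP NEGOTIATE flags; names follow Samba's output.
"""
import re
from typing import Dict, Iterable, List, Set

NTLMSSP_FLAGS: Dict[str, int] = {
    "NTLMSSP_NEGOTIATE_UNICODE": 0x00000001,
    "NTLMSSP_NEGOTIATE_OEM": 0x00000002,
    "NTLMSSP_REQUEST_TARGET": 0x00000004,
    "NTLMSSP_NEGOTIATE_SIGN": 0x00000010,
    "NTLMSSP_NEGOTIATE_SEAL": 0x00000020,
    "NTLMSSP_NEGOTIATE_DATAGRAM": 0x00000040,
    "NTLMSSP_NEGOTIATE_LM_KEY": 0x00000080,
    "NTLMSSP_NEGOTIATE_NTLM": 0x00000200,
    "NTLMSSP_ANONYMOUS": 0x00000800,
    "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED": 0x00001000,
    "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED": 0x00002000,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_TARGET_TYPE_DOMAIN": 0x00010000,
    "NTLMSSP_TARGET_TYPE_SERVER": 0x00020000,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_IDENTIFY": 0x00100000,
    "NTLMSSP_REQUEST_NON_NT_SESSION_KEY": 0x00400000,
    "NTLMSSP_NEGOTIATE_TARGET_INFO": 0x00800000,
    "NTLMSSP_NEGOTIATE_VERSION": 0x02000000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}
_KNOWN_BITS = 0
for _bit in NTLMSSP_FLAGS.values():
    _KNOWN_BITS |= _bit

# Constructed excerpt of the smbclient -d5 transcript quoted in the post.
SAMPLE_LOG = """\
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP Sign/Seal - using NTLM1
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

_NEG_FLAGS_RE = re.compile(r"^Got NTLMSSP neg_flags=0x([0-9a-fA-F]{1,8})\s*$", re.M)


def parse_neg_flags(log: str) -> List[int]:
    """Every neg_flags word in the transcript, in the order it was printed."""
    return [int(h, 16) for h in _NEG_FLAGS_RE.findall(log)]


def decode_flags(value: int) -> Set[str]:
    """Map a flags word to named bits; unknown bits surface as UNKNOWN_0x...
    rather than being dropped, so a decoder bug cannot hide a flag."""
    names = {name for name, bit in NTLMSSP_FLAGS.items() if value & bit}
    leftover = value & ~_KNOWN_BITS & 0xFFFFFFFF
    for shift in range(32):
        if leftover & (1 << shift):
            names.add(f"UNKNOWN_0x{1 << shift:08x}")
    return names


def encode_flags(names: Iterable[str]) -> int:
    """Inverse of decode_flags for known names (round-trip check)."""
    value = 0
    for name in names:
        value |= NTLMSSP_FLAGS[name]
    return value


def signing_variant(final_flags: int) -> str:
    """Samba's Sign/Seal init uses NTLM2 signing only when extended session
    security was negotiated; otherwise it reports 'using NTLM1'."""
    ext = NTLMSSP_FLAGS["NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY"]
    return "NTLM2" if final_flags & ext else "NTLM1"


def summarize(log: str) -> Dict[str, object]:
    """Compare the server's CHALLENGE flags with the client's final flags."""
    values = parse_neg_flags(log)
    if len(values) < 2:
        raise ValueError("need at least the challenge and the final neg_flags")
    challenge, final = decode_flags(values[0]), decode_flags(values[1])
    return {
        "anonymous": "NTLMSSP_ANONYMOUS" in final,
        "signing": signing_variant(values[1]),
        "added": final - challenge,      # set by the client, not offered by server
        "dropped": challenge - final,    # offered by the server, not taken
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG).items():
        print(f"{key}: {sorted(val) if isinstance(val, set) else val}")
```

Feed it the full `-d5` output with `python3 ntlmssp_flags.py < smbclient.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the `added`/`dropped` sets are usually the quickest way to see whether a client is falling back from a stronger negotiation than the server offered.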