NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
Hi,

I have a samba 4.5.8 AD DC (debian 9.1 package) which is having problems
with RPC requests. This DC has been updated from the wheezy-backports
package (4.1.17) via the jessie package (4.2.14) but I'm not sure if RPC
worked immediately before the upgrade either since most of the time it
only serves LDAP and krb5.

Connecting using RSAT from windows gives "RPC Server Unavailable" message.

To try and isolate the problem I firewalled traffic from all but one
host and attempted to connect using rpcclient. From this I see
NT_STATUS_INTERNAL_ERROR

Attached are files containing the output from rpcclient, the logs from
samba and smbd and the smb.conf from the client and the AD DC. The logs
are all at log level 3 but I can re-generate them at a higher debug
level if someone thinks this may be helpful.

The internal error seems to be shown in the smbd log but there's nothing
which really indicates (to me) what might have gone wrong to cause it.

Anyone have any ideas?


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Attachments:
log.smbd (10K)
log.samba (15K)
log.rpcclient (2K)
rpcclient.smb.conf (356 bytes)
dc.smb.conf (944 bytes)

Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
To try and narrow down this issue I tried to setup a test environment
using two fresh install Debian 9.2 VMs, now running samba 4.5.12 since
it was updated in Debian.

I provisioned a new domain using `samba-tool domain provision` on the
first VM, let it generate the smb.conf itself, and configured it using
the BIND9_DLZ DNS backend.

I tried to join the domain using a second Debian 9.2 VM using `net ads
join -UAdministrator` after setting the DNS resolver to be the test DC
and synchronising with NTP on the DC. This failed with the error:

"Failed to join domain: failed to lookup DC info for domain
'ADS.TEST.LOCAL' over rpc: An internal error occurred."

Finally, I tried to connect to RPC on the DC using `rpcclient` which
failed, as before, with NT_STATUS_INTERNAL_ERROR.

Is there some inherent problem with the Debian packages and the RPC
server component of the DC? Alternatively, is there somewhere else I
should be looking for the root cause of this?

Regards,

Richard


On 04/10/2017 22:14, Richard Connon wrote:

> Hi,
>
> I have a samba 4.5.8 AD DC (debian 9.1 package) which is having
> problems with RPC requests. This DC has been updated from the
> wheezy-backports package (4.1.17) via the jessie package (4.2.14) but
> I'm not sure if RPC worked immediately before the upgrade either since
> most of the time it only serves LDAP and krb5.
>
> Connecting using RSAT from windows gives "RPC Server Unavailable"
> message.
>
> To try and isolate the problem I firewalled traffic from all but one
> host and attempted to connect using rpcclient. From this I see
> NT_STATUS_INTERNAL_ERROR
>
> Attached are files containing the output from rpcclient, the logs from
> samba and smbd and the smb.conf from the client and the AD DC. The
> logs are all at log level 3 but I can re-generate them at a higher
> debug level if someone thinks this may be helpful.
>
> The internal error seems to be shown in the smbd log but there's
> nothing which really indicates (to me) what might have gone wrong to
> cause it.
>
> Anyone have any ideas?
>



Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On Mon, 16 Oct 2017 17:01:29 +0100
Richard Connon via samba <[hidden email]> wrote:

> To try and narrow down this issue I tried to setup a test environment
> using two fresh install Debian 9.2 VMs, now running samba 4.5.12
> since it was updated in Debian.
>
> I provisioned a new domain using `samba-tool domain provision` on the
> first VM, let it generate the smb.conf itself, and configured it
> using the BIND9_DLZ DNS backend.
>
> I tried to join the domain using a second Debian 9.2 VM using `net
> ads join -UAdministrator` after setting the DNS resolver to be the
> test DC and synchronising with NTP on the DC. This failed with the
> error:
>
> "Failed to join domain: failed to lookup DC info for domain
> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
>
> Finally, I tried to connect to RPC on the DC using `rpcclient` which
> failed, as before, with NT_STATUS_INTERNAL_ERROR.
>
> Is there some inherent problem with the Debian packages and the RPC
> server component of the DC? Alternatively, is there somewhere else I
> should be looking for the root cause of this?
>

This isn't a known problem with the debian packages, it should work.

Can you post the provision command you used on the DC.

I know you posted the smb.conf from a DC before, but can you post it
again.

Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

From both the DC and the domain member

The named.conf files from the DC

and finally the smb.conf from the domain member.

Rowland





Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
Hi,

I've attached tarballs with the requested files for each of my test DC
and member.

The domain was provisioned with the exact command: `samba-tool domain
provision` selecting BIND9_DLZ and specifying the realm and workgroup as
seen in the smb.conf files.

Regards,

Richard


On 16/10/2017 17:26, Rowland Penny via samba wrote:

> On Mon, 16 Oct 2017 17:01:29 +0100
> Richard Connon via samba <[hidden email]> wrote:
>
>> To try and narrow down this issue I tried to setup a test environment
>> using two fresh install Debian 9.2 VMs, now running samba 4.5.12
>> since it was updated in Debian.
>>
>> I provisioned a new domain using `samba-tool domain provision` on the
>> first VM, let it generate the smb.conf itself, and configured it
>> using the BIND9_DLZ DNS backend.
>>
>> I tried to join the domain using a second Debian 9.2 VM using `net
>> ads join -UAdministrator` after setting the DNS resolver to be the
>> test DC and synchronising with NTP on the DC. This failed with the
>> error:
>>
>> "Failed to join domain: failed to lookup DC info for domain
>> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
>>
>> Finally, I tried to connect to RPC on the DC using `rpcclient` which
>> failed, as before, with NT_STATUS_INTERNAL_ERROR.
>>
>> Is there some inherent problem with the Debian packages and the RPC
>> server component of the DC? Alternatively, is there somewhere else I
>> should be looking for the root cause of this?
>>
> This isn't a known problem with the debian packages, it should work.
>
> Can you post the provision command you used on the DC.
>
> I know you posted the smb.conf from a DC before, but can you post it
> again.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
>  From both the DC and the domain member
>
> The named.conf files from the DC
>
> and finally the smb.conf from the domain member.
>
> Rowland
>
>
>
>


Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On Mon, 16 Oct 2017 17:58:04 +0100
Richard Connon via samba <[hidden email]> wrote:

> Hi,
>
> I've attached tarballs with the requested files for each of my test
> DC and member.
>
> The domain was provisioned with the exact command: `samba-tool domain
> provision` selecting BIND9_DLZ and specifying the realm and workgroup
> as seen in the smb.conf files.
>
> Regards,
>
> Richard
>
>
> On 16/10/2017 17:26, Rowland Penny via samba wrote:
> > On Mon, 16 Oct 2017 17:01:29 +0100
> > Richard Connon via samba <[hidden email]> wrote:
> >
> >> To try and narrow down this issue I tried to setup a test
> >> environment using two fresh install Debian 9.2 VMs, now running
> >> samba 4.5.12 since it was updated in Debian.
> >>
> >> I provisioned a new domain using `samba-tool domain provision` on
> >> the first VM, let it generate the smb.conf itself, and configured
> >> it using the BIND9_DLZ DNS backend.
> >>
> >> I tried to join the domain using a second Debian 9.2 VM using `net
> >> ads join -UAdministrator` after setting the DNS resolver to be the
> >> test DC and synchronising with NTP on the DC. This failed with the
> >> error:
> >>
> >> "Failed to join domain: failed to lookup DC info for domain
> >> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
> >>
> >> Finally, I tried to connect to RPC on the DC using `rpcclient`
> >> which failed, as before, with NT_STATUS_INTERNAL_ERROR.
> >>
> >> Is there some inherent problem with the Debian packages and the RPC
> >> server component of the DC? Alternatively, is there somewhere else
> >> I should be looking for the root cause of this?
> >>
> > This isn't a known problem with the debian packages, it should work.
> >
> > Can you post the provision command you used on the DC.
> >
> > I know you posted the smb.conf from a DC before, but can you post it
> > again.
> >
> > Can you post the following files:
> > /etc/resolv.conf
> > /etc/hostname
> > /etc/hosts
> > /etc/krb5.conf
> >
> >  From both the DC and the domain member
> >
> > The named.conf files from the DC
> >
> > and finally the smb.conf from the domain member.
> >
> > Rowland
> >
> >
> >
> >
>

The mailing list has stripped off the attachments, do you want to send
them directly to me ?

Rowland


Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
yes, this should work fine but this is something in your setup.
can you try this


kinit Administrator
net ads join -k -S fqdn-dc1.dom.tld


if kinit fails, then Rowland will find your error..
I've seen this a few times.. -S solves it most of the time.




Greetz,


Louis
(mobile)





On 16 Oct 2017 at 18:27, Rowland Penny via samba <[hidden email]> wrote:

> On Mon, 16 Oct 2017 17:01:29 +0100
> Richard Connon via samba <[hidden email]> wrote:
>
> > To try and narrow down this issue I tried to setup a test environment
> > using two fresh install Debian 9.2 VMs, now running samba 4.5.12
> > since it was updated in Debian.
> >
> > I provisioned a new domain using `samba-tool domain provision` on the
> > first VM, let it generate the smb.conf itself, and configured it
> > using the BIND9_DLZ DNS backend.
> >
> > I tried to join the domain using a second Debian 9.2 VM using `net
> > ads join -UAdministrator` after setting the DNS resolver to be the
> > test DC and synchronising with NTP on the DC. This failed with the
> > error:
> >
> > "Failed to join domain: failed to lookup DC info for domain
> > 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
> >
> > Finally, I tried to connect to RPC on the DC using `rpcclient` which
> > failed, as before, with NT_STATUS_INTERNAL_ERROR.
> >
> > Is there some inherent problem with the Debian packages and the RPC
> > server component of the DC? Alternatively, is there somewhere else I
> > should be looking for the root cause of this?
> >
>
> This isn't a known problem with the debian packages, it should work.
>
> Can you post the provision command you used on the DC.
>
> I know you posted the smb.conf from a DC before, but can you post it
> again.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
> From both the DC and the domain member
>
> The named.conf files from the DC
>
> and finally the smb.conf from the domain member.
>
> Rowland


Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
Hi,

I provided the dump of all the conf files to Rowland by email but in
case anyone else is curious they are also here:

http://www.irconan.co.uk/dc.tar http://www.irconan.co.uk/member.tar

I tried providing -S to the join command which didn't change the
behaviour. It doesn't seem to have trouble finding the DC, only when
connecting to the RPC server.

Cheers,

Richard


On 16/10/2017 18:13, L.P.H. van Belle via samba wrote:

> yes, this should work fine but this is something in your setup.
> can you try this
>
>
> kinit Administrator
> net ads join -k -S fqdn-dc1.dom.tld
>
>
> if kinit fails, then Rowland will find your error..
> I've seen this a few times.. -S solves it most of the time.
>
>
>
>
> Greetz,
>
>
> Louis
> (mobile)
>
>
>
>
>
> On 16 Oct 2017 at 18:27, Rowland Penny via samba <[hidden email]> wrote:
>
>
> On Mon, 16 Oct 2017 17:01:29 +0100
> Richard Connon via samba <[hidden email]> wrote:
>
> To try and narrow down this issue I tried to setup a test environment
> using two fresh install Debian 9.2 VMs, now running samba 4.5.12
> since it was updated in Debian.
>
> I provisioned a new domain using `samba-tool domain provision` on the
> first VM, let it generate the smb.conf itself, and configured it
> using the BIND9_DLZ DNS backend.
>
> I tried to join the domain using a second Debian 9.2 VM using `net
> ads join -UAdministrator` after setting the DNS resolver to be the
> test DC and synchronising with NTP on the DC. This failed with the
> error:
>
> "Failed to join domain: failed to lookup DC info for domain
> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
>
> Finally, I tried to connect to RPC on the DC using `rpcclient` which
> failed, as before, with NT_STATUS_INTERNAL_ERROR.
>
> Is there some inherent problem with the Debian packages and the RPC
> server component of the DC? Alternatively, is there somewhere else I
> should be looking for the root cause of this?
>
>
> This isn't a known problem with the debian packages, it should work.
>
> Can you post the provision command you used on the DC.
>
> I know you posted the smb.conf from a DC before, but can you post it
> again.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
>  From both the DC and the domain member
>
> The named.conf files from the DC
>
> and finally the smb.conf from the domain member.
>
> Rowland
>
>
>
>



Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On Mon, 16 Oct 2017 19:06:20 +0100
Richard Connon via samba <[hidden email]> wrote:

> Hi,
>
> I provided the dump of all the conf files to Rowland by email but in
> case anyone else is curious they are also here:
>
> http://www.irconan.co.uk/dc.tar http://www.irconan.co.uk/member.tar
>

I didn't get it, so I downloaded it ;-)

Is the member server using DHCP ?

Is '10.0.2.15' the ipaddress of the DC ?

You haven't got 'security = ADS' in your smb.conf.

You have 'unix password sync = yes' in smb.conf,
Do you have Unix users that are also in AD ?

And finally the biggy, are you using sssd ?

Rowland


Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On Mon, 16 Oct 2017 18:56:18 +0100
Richard Connon <[hidden email]> wrote:

> Re-attached.

You are missing:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

From /etc/bind/named.conf.options

Rowland


Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On 16/10/2017 19:30, Rowland Penny wrote:

> On Mon, 16 Oct 2017 19:06:20 +0100
> Richard Connon via samba <[hidden email]> wrote:
>
>> Hi,
>>
>> I provided the dump of all the conf files to Rowland by email but in
>> case anyone else is curious they are also here:
>>
>> http://www.irconan.co.uk/dc.tar http://www.irconan.co.uk/member.tar
>>
> I didn't get it, so I downloaded it ;-)
>
> Is the member server using DHCP ?
Yes. Both test hosts are using DHCP with static leases for IP addresses
but not for DNS domains or nameservers.
> Is '10.0.2.15' the ipaddress of the DC ?
Yes
> You haven't got 'security = ADS' in your smb.conf.
Assuming you mean on the member, good point, but it doesn't change this
behaviour. My understanding was this only affected smbd anyway, which
I'm not running on the member.
> You have 'unix password sync = yes' in smb.conf,
> Do you have Unix users that are also in AD ?
No, this is just a default smb.conf from debian. I assume this wouldn't
actually have any effect on a member server where there is no local
passdb anyway and again, removing it has no effect.
> And finally the biggy, are you using sssd ?
No, these test hosts are very basic debian installs I've done to attempt
to isolate this problem, although my "production" installs use SSSD.
> Rowland



Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On Tue, 17 Oct 2017 09:29:00 +0100
Richard Connon via samba <[hidden email]> wrote:

> On 16/10/2017 19:30, Rowland Penny wrote:
> >
> > Is the member server using DHCP ?
> Yes. Both test hosts are using DHCP with static leases for IP
> addresses but not for DNS domains or nameservers.

I wouldn't do this, I would give the DC a fixed ipaddress.

> > Is '10.0.2.15' the ipaddress of the DC ?
> Yes
> > You haven't got 'security = ADS' in your smb.conf.
> Assuming you mean on the member, good point, but it doesn't change
> this behaviour. My understanding was this only affected smbd anyway,
> which I'm not running on the member.

You need it

> > You have 'unix password sync = yes' in smb.conf,
> > Do you have Unix users that are also in AD ?
> No, this is just a default smb.conf from debian. I assume this
> wouldn't actually have any effect on a member server where there is
> no local passdb anyway and again, removing it has no effect.

It wouldn't help.

> > And finally the biggy, are you using sssd ?
> No, these test hosts are very basic debian installs I've done to
> attempt to isolate this problem, although my "production" installs
> use SSSD.

Then it is never going to work, you have not set up winbind at all.

Can I suggest you go and read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I suggest you follow it and use the 'rid' backend.

Rowland


Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list


On 17/10/2017 09:54, Rowland Penny via samba wrote:
> On Tue, 17 Oct 2017 09:29:00 +0100
> Richard Connon via samba <[hidden email]> wrote:
>
>> On 16/10/2017 19:30, Rowland Penny wrote:
>>> Is the member server using DHCP ?
>> Yes. Both test hosts are using DHCP with static leases for IP
>> addresses but not for DNS domains or nameservers.
> I wouldn't do this, I would give the DC a fixed ipaddress.
In my production environment my DC(s) have fixed IP addresses, the use
of DHCP is only in my lab environment. Do you see a problem with doing
this as long as the IPs don't change during testing? (they are static
leases)
>>> Is '10.0.2.15' the ipaddress of the DC ?
>> Yes
>>> You haven't got 'security = ADS' in your smb.conf.
>> Assuming you mean on the member, good point, but it doesn't change
>> this behaviour. My understanding was this only affected smbd anyway,
>> which I'm not running on the member.
> You need it
OK. I've set it now and see no change in behaviour.
>>> You have 'unix password sync = yes' in smb.conf,
>>> Do you have Unix users that are also in AD ?
>> No, this is just a default smb.conf from debian. I assume this
>> wouldn't actually have any effect on a member server where there is
>> no local passdb anyway and again, removing it has no effect.
> It wouldn't help.
I've removed this now and see no change in behaviour.

> And finally the biggy, are you using sssd ?
>> No, these test hosts are very basic debian installs I've done to
>> attempt to isolate this problem, although my "production" installs
>> use SSSD.
> Then it is never going to work, you have not set up winbind at all.
>
> Can I suggest you go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> I suggest you follow it and use the 'rid' backend.
Again, this is a production/lab difference. I didn't setup SSSD in the
lab to reduce the complexity. I'm simply trying to get the actual join
process working. I will follow through that wiki anyway to check there's
nothing I've missed though.
> Rowland
>



Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list


On 17/10/2017 13:18, Richard Connon via samba wrote:

>
>
> On 17/10/2017 09:54, Rowland Penny via samba wrote:
>> On Tue, 17 Oct 2017 09:29:00 +0100
>> Richard Connon via samba <[hidden email]> wrote:
>>
>>> On 16/10/2017 19:30, Rowland Penny wrote:
>>>> Is the member server using DHCP ?
>>> Yes. Both test hosts are using DHCP with static leases for IP
>>> addresses but not for DNS domains or nameservers.
>> I wouldn't do this, I would give the DC a fixed ipaddress.
> In my production environment my DC(s) have fixed IP addresses, the use
> of DHCP is only in my lab environment. Do you see a problem with doing
> this as long as the IPs don't change during testing? (they are static
> leases)
>>>> Is '10.0.2.15' the ipaddress of the DC ?
>>> Yes
>>>> You haven't got 'security = ADS' in your smb.conf.
>>> Assuming you mean on the member, good point, but it doesn't change
>>> this behaviour. My understanding was this only affected smbd anyway,
>>> which I'm not running on the member.
>> You need it
> OK. I've set it now and see no change in behaviour.
>>>> You have 'unix password sync = yes' in smb.conf,
>>>> Do you have Unix users that are also in AD ?
>>> No, this is just a default smb.conf from debian. I assume this
>>> wouldn't actually have any effect on a member server where there is
>>> no local passdb anyway and again, removing it has no effect.
>> It wouldn't help.
> I've removed this now and see no change in behaviour.
>> And finally the biggy, are you using sssd ?
>>> No, these test hosts are very basic debian installs I've done to
>>> attempt to isolate this problem, although my "production" installs
>>> use SSSD.
>> Then it is never going to work, you have not set up winbind at all.
>>
>> Can I suggest you go and read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> I suggest you follow it and use the 'rid' backend.
> Again, this is a production/lab difference. I didn't setup SSSD in the
> lab to reduce the complexity. I'm simply trying to get the actual join
> process working. I will follow through that wiki anyway to check
> there's nothing I've missed though.
>> Rowland
>>
>
>
Further to the above... I ran through the linked wiki. The only
difference between the described process and my test environment at the
moment is the smb.conf on the member. I've replaced the member's
smb.conf with the following:

[global]
    security = ads
    workgroup = TEST
    realm = ADS.TEST.LOCAL

    log file = /var/log/samba/log.%m
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-999999

Unfortunately the behaviour when I attempt the domain join (with and
without -S) is still the same.
I see the error:

# net ads join -k -S dc.ads.test.local
Failed to join domain: failed to lookup DC info for domain
'ADS.TEST.LOCAL' over rpc: An internal error occured.




Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On Tue, 17 Oct 2017 13:18:46 +0100
Richard Connon via samba <[hidden email]> wrote:

>
>
> On 17/10/2017 09:54, Rowland Penny via samba wrote:
> > On Tue, 17 Oct 2017 09:29:00 +0100
> > Richard Connon via samba <[hidden email]> wrote:
> >
> >> On 16/10/2017 19:30, Rowland Penny wrote:
> >>> Is the member server using DHCP ?
> >> Yes. Both test hosts are using DHCP with static leases for IP
> >> addresses but not for DNS domains or nameservers.
> > I wouldn't do this, I would give the DC a fixed ipaddress.
> In my production environment my DC(s) have fixed IP addresses, the
> use of DHCP is only in my lab environment. Do you see a problem with
> doing this as long as the IPs don't change during testing? (they are
> static leases)
> >>> Is '10.0.2.15' the ipaddress of the DC ?
> >> Yes
> >>> You haven't got 'security = ADS' in your smb.conf.
> >> Assuming you mean on the member, good point, but it doesn't change
> >> this behaviour. My understanding was this only affected smbd
> >> anyway, which I'm not running on the member.
> > You need it
> OK. I've set it now and see no change in behaviour.
> >>> You have 'unix password sync = yes' in smb.conf,
> >>> Do you have Unix users that are also in AD ?
> >> No, this is just a default smb.conf from debian. I assume this
> >> wouldn't actually have any effect on a member server where there is
> >> no local passdb anyway and again, removing it has no effect.
> > It wouldn't help.
> I've removed this now and see no change in behaviour.
> > And finally the biggy, are you using sssd ?
> >> No, these test hosts are very basic debian installs I've done to
> >> attempt to isolate this problem, although my "production" installs
> >> use SSSD.
> > Then it is never going to work, you have not set up winbind at all.
> >
> > Can I suggest you go and read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > I suggest you follow it and use the 'rid' backend.
> Again, this is a production/lab difference. I didn't setup SSSD in
> the lab to reduce the complexity. I'm simply trying to get the actual
> join process working. I will follow through that wiki anyway to check
> there's nothing I've missed though.
> > Rowland
> >

Try this smb.conf on the domain member:

[global]
    workgroup = TEST
    security = ADS
    realm = ADS.TEST.LOCAL

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

If 'net ads join -U Administrator' doesn't work, then you need to look
elsewhere, is a firewall in the way, is Apparmor running and getting in
the way

Rowland
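
Added example, not part of the original thread and not Samba project code: a small Python linter for the member-side smb.conf points raised in this exchange (security = ADS, realm and workgroup, and the idmap config backends and ranges). The function names and both sample files are constructed for illustration; the first sample copies the identity-related lines of the smb.conf suggested above.

```python
import re

# Constructed sample: the identity-related lines of the smb.conf suggested above.
SUGGESTED_CONF = """\
[global]
    workgroup = TEST
    security = ADS
    realm = ADS.TEST.LOCAL
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-999999
"""

# Constructed broken variant, used only to show what the checks report.
BROKEN_CONF = """\
[global]
    workgroup = TEST
    realm = ADS.TEST.LOCAL
    log level = 3
    log level = 1
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config TEST : range = 5000-999999
"""


def norm(name):
    """Lower-case a parameter name and drop whitespace, so the two spellings
    used in this thread ('*:backend' and '* : backend') compare equal."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return ({normalised name: value}, [names set more than once]) for [global]."""
    params, repeated, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = norm(name)
        if key in params:
            repeated.append(key)  # the later value silently wins
        params[key] = value.strip()
    return params, repeated


def idmap_domains(params):
    """Collect {domain: {'backend': str, 'range': (low, high) or None}}."""
    domains = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmapconfig(.+):(backend|range)", key)
        if not m:
            continue
        entry = domains.setdefault(m.group(1).upper(), {})
        if m.group(2) == "backend":
            entry["backend"] = value.lower()
        else:
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            entry["range"] = (int(r.group(1)), int(r.group(2))) if r else None
    return domains


def lint_member_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    params, repeated = parse_global(text)
    findings = [f"parameter set more than once: {k}" for k in repeated]
    if params.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'")
    for required in ("realm", "workgroup"):
        if not params.get(required):
            findings.append(f"missing {required}")
    domains = idmap_domains(params)
    if "*" not in domains:
        findings.append("no default idmap config for '*'")
    for dom, entry in sorted(domains.items()):
        if "backend" not in entry:
            findings.append(f"idmap {dom}: no backend")
        rng = entry.get("range")
        if rng is None:
            findings.append(f"idmap {dom}: missing or malformed range")
        elif rng[0] > rng[1]:
            findings.append(f"idmap {dom}: range is inverted")
    # Overlapping ranges would let two domains map onto the same Unix IDs.
    ranged = sorted((e["range"], d) for d, e in domains.items()
                    if e.get("range") and e["range"][0] <= e["range"][1])
    widest = None
    for rng, dom in ranged:
        if widest and rng[0] <= widest[0][1]:
            (lo, hi), other = widest
            findings.append(
                f"idmap ranges overlap: {other} {lo}-{hi} and {dom} {rng[0]}-{rng[1]}")
        if widest is None or rng[1] > widest[0][1]:
            widest = (rng, dom)
    return findings


if __name__ == "__main__":
    for label, conf in (("suggested", SUGGESTED_CONF), ("broken", BROKEN_CONF)):
        print(label, lint_member_conf(conf) or "ok")
```

A clean result only rules out the configuration points covered by these checks; it says nothing about the RPC error itself.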



Re: NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Samba - General mailing list
On 17/10/2017 13:56, Rowland Penny via samba wrote:

> On Tue, 17 Oct 2017 13:18:46 +0100
> Richard Connon via samba <[hidden email]> wrote:
>
>>
>> On 17/10/2017 09:54, Rowland Penny via samba wrote:
>>> On Tue, 17 Oct 2017 09:29:00 +0100
>>> Richard Connon via samba <[hidden email]> wrote:
>>>
>>>> On 16/10/2017 19:30, Rowland Penny wrote:
>>>>> Is the member server using DHCP ?
>>>> Yes. Both test hosts are using DHCP with static leases for IP
>>>> addresses but not for DNS domains or nameservers.
>>> I wouldn't do this, I would give the DC a fixed ipaddress.
>> In my production environment my DC(s) have fixed IP addresses, the
>> use of DHCP is only in my lab environment. Do you see a problem with
>> doing this as long as the IPs don't change during testing? (they are
>> static leases)
>>>>> Is '10.0.2.15' the ipaddress of the DC ?
>>>> Yes
>>>>> You haven't got 'security = ADS' in your smb.conf.
>>>> Assuming you mean on the member, good point, but it doesn't change
>>>> this behaviour. My understanding was this only affected smbd
>>>> anyway, which I'm not running on the member.
>>> You need it
>> OK. I've set it now and see no change in behaviour.
>>>>> You have 'unix password sync = yes' in smb.conf,
>>>>> Do you have Unix users that are also in AD ?
>>>> No, this is just a default smb.conf from debian. I assume this
>>>> wouldn't actually have any effect on a member server where there is
>>>> no local passdb anyway and again, removing it has no effect.
>>> It wouldn't help.
>> I've removed this now and see no change in behaviour.
>>> And finally the biggy, are you using sssd ?
>>>> No, these test hosts are very basic debian installs I've done to
>>>> attempt to isolate this problem, although my "production" installs
>>>> use SSSD.
>>> Then it is never going to work, you have not set up winbind at all.
>>>
>>> Can I suggest you go and read this:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>
>>> I suggest you follow it and use the 'rid' backend.
>> Again, this is a production/lab difference. I didn't setup SSSD in
>> the lab to reduce the complexity. I'm simply trying to get the actual
>> join process working. I will follow through that wiki anyway to check
>> there's nothing I've missed though.
>>> Rowland
>>>
> Try this smb.conf on the domain member:
>
> [global]
>      workgroup = TEST
>      security = ADS
>      realm = ADS.TEST.LOCAL
>
>      winbind use default domain = yes
>      winbind expand groups = 4
>      winbind refresh tickets = Yes
>      winbind offline logon = yes
>
>      idmap config *:backend = tdb
>      idmap config *:range = 2000-9999
>      idmap config TEST : backend = rid
>      idmap config TEST : range = 10000-999999
>      template shell = /bin/bash
>      template homedir = /home/%U
>
>      domain master = no
>      local master = no
>      preferred master = no
>      os level = 20
>      map to guest = bad user
>      host msdfs = no
>
>      vfs objects = acl_xattr
>      map acl inherit = Yes
>      store dos attributes = Yes
>
> If 'net ads join -U Administrator' doesn't work, then you need to look
> elsewhere, is a firewall in the way, is Apparmor running and getting in
> the way
>
> Rowland
>
>
I tried this template and the behaviour still doesn't change. There is
no firewall between the hosts, they are in the same subnet. Apparmor is
not running on either host.

Earlier I tried to isolate the problem by just connecting to the RPC
server using rpcclient. Should this work correctly?
