NT_STATUS_INTERNAL_ERROR

NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
Hello, a short history: I am using Samba 4 with Debian 9 from the repository. 2 days ago the server was broken, but I copied all of the /var/lib/samba directory to a safe place. Then I installed a new server with the same Debian and Samba from the repository, stopped smbd, nmbd and winbind, unmasked samba-ad-dc, and finally copied the whole directory from the old server to the new server and started Samba. All works fine, BIND is integrated with samba_dlz, etc. But now when I try to join a Windows 7 PC to the domain, it shows an error with "Internal Error". On the AD server I ran these commands:

kinit administrator
smbclient -k -L dc.mtz.desoft.cu -m smb2 -d5

and the output is

INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
doing parameter netbios name = DC
doing parameter realm = MTZ.DESOFT.CU
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = MTZ
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter client ldap sasl wrapping = sign
doing parameter ldap server require strong auth = No
doing parameter full_audit:prefix = %u|%I|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
doing parameter full_audit:facility = local5
doing parameter full_audit:priority = notice
doing parameter tls enabled = yes
doing parameter tls certfile = /var/lib/samba/private/tls/dc-cert.pem
doing parameter tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
doing parameter tls cafile = /var/lib/samba/private/tls/cacert.pem
doing parameter tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
doing parameter tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
doing parameter ntlm auth = yes
doing parameter winbind max clients = 10000
doing parameter min protocol = SMB2
pm_process() returned Yes
added interface eth1 ip=fd2d:bba0:d4f9:4fb9:98fe:2ff:fe6b:adcb bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=10.11.0.1 bcast=10.11.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.1 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="DC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'MTZ.DESOFT.CU'
name dc.mtz.desoft.cu#20 found.
Connecting to 192.168.0.1 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/[hidden email]
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

---------------------------------------------------------------------
smb.conf
----------------------------------------------------------------------
# Global parameters
[global]
        netbios name = DC
        realm = MTZ.DESOFT.CU
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MTZ
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        client ldap sasl wrapping = sign
        ldap server require strong auth = No
#       map to guest = bad user

        # Audit settings
        full_audit:prefix = %u|%I|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
        full_audit:facility = local5
        full_audit:priority = notice

        tls enabled       = yes
        tls certfile      = /var/lib/samba/private/tls/dc-cert.pem
        tls keyfile       = /var/lib/samba/private/tls/secure/dc-privkey.pem
        tls cafile        = /var/lib/samba/private/tls/cacert.pem
        tls crlfile       = /var/lib/samba/private/tls/mtz.desoft.cu.crl
        tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem

        ntlm auth = yes
#       lanman auth = yes
#       lanman auth = yes
        winbind max clients = 10000
        min protocol = SMB2

[netlogon]
        path = /var/lib/samba/sysvol/mtz.desoft.cu/scripts
        read only = No
        vfs objects = full_audit

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = full_audit


--
Luis Felipe Dominguez Vega
System Administration in Desoft Matanzas | Mob: [ tel:+5353694785 | +5353694785 ] | [ http://www.desoft.cu/ | www.desoft.cu ]
[ https://www.facebook.com/lfdominguez0104 |    ] [ https://www.linkedin.com/in/luis-felipe-dom%C3%ADnguez-vega-47725794/ |    ] [ https://twitter.com/LuisFelipeDV1 |    ]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
On Thu, 10 Aug 2017 15:43:10 -0400 (CDT)
Ing. Luis Felipe Domínguez Vega via samba <[hidden email]> wrote:

> Hello, a short history: I am using Samba 4 with Debian 9 from the
> repository. 2 days ago the server was broken, but I copied all of
> the /var/lib/samba directory to a safe place. Then I installed a
> new server with the same Debian and Samba from the repository,
> stopped smbd, nmbd and winbind, unmasked samba-ad-dc, and finally
> copied the whole directory from the old server to the new server and
> started Samba. All works fine, BIND is integrated with samba_dlz,
> etc. But now when I try to join a Windows 7 PC to the domain, it shows
> an error with "Internal Error". On the AD server I ran these commands:
>

Did you use exactly the same FQDN and IP address for the new computer?

>
>  tls enabled       = yes
>  tls certfile      = /var/lib/samba/private/tls/dc-cert.pem
>  tls keyfile       = /var/lib/samba/private/tls/secure/dc-privkey.pem
>  tls cafile        = /var/lib/samba/private/tls/cacert.pem
>  tls crlfile       = /var/lib/samba/private/tls/mtz.desoft.cu.crl
>  tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
>

You could try recreating the cert files.

Rowland



NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
Hai,

We have 2 persons with exactly the same problem.
Based on the configs shown by both persons (Vladimir and Ing. Luis),
I don't see issues which should cause this, so as Andrew suggests, keep increasing the debug levels and post these.
Let's hope we see something here, I'm a bit puzzled about this one.


Greetz,

Louis




> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Thursday 10 August 2017 22:43
> To: [hidden email]
> Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR

Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
This is with -d10. I tested in Windows 10 (joining the domain) and got the same error, "Internal error". One thing: I didn't execute the domain provision command because I put all the files created on the old server onto the new server; does that matter???

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
Processing section "[global]"
doing parameter netbios name = DC
doing parameter realm = MTZ.DESOFT.CU
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = MTZ
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter client ldap sasl wrapping = sign
doing parameter ldap server require strong auth = No
doing parameter full_audit:prefix = %u|%I|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
doing parameter full_audit:facility = local5
doing parameter full_audit:priority = notice
doing parameter tls enabled = yes
doing parameter tls certfile = /var/lib/samba/private/tls/dc-cert.pem
doing parameter tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
doing parameter tls cafile = /var/lib/samba/private/tls/cacert.pem
doing parameter tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
doing parameter tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
doing parameter ntlm auth = yes
doing parameter winbind max clients = 10000
doing parameter min protocol = SMB2
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth1 ip=fd2d:bba0:d4f9:4fb9:98fe:2ff:fe6b:adcb bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=10.11.0.1 bcast=10.11.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.1 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="DC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/MTZ.DESOFT.CU] and timeout=[Thu Jan  1 00:00:00 1970 UTC] (-1502452663 seconds in the past)
sitename_fetch: No stored sitename for realm 'MTZ.DESOFT.CU'
internal_resolve_name: looking up dc.mtz.desoft.cu#20 (sitename (null))
Adding cache entry with key=[NBT/DC.MTZ.DESOFT.CU#20] and timeout=[Thu Jan  1 00:00:00 1970 UTC] (-1502452663 seconds in the past)
no entry for dc.mtz.desoft.cu#20 found.
resolve_hosts: Attempting host lookup for name dc.mtz.desoft.cu<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for dc.mtz.desoft.cu#20: 192.168.0.1
Adding cache entry with key=[NBT/DC.MTZ.DESOFT.CU#20] and timeout=[Fri Aug 11 12:08:43 2017 UTC] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.168.0.1:0
Connecting to 192.168.0.1 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/[hidden email]
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_init_sec_context failed with [ The context has expired: Success]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR


----- Original message -----
From: "samba" <[hidden email]>
To: "samba" <[hidden email]>
Sent: Friday, 11 August 2017 4:29:32
Subject: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Hai,

We have 2 persons with exactly the same problem.
Based on the configs shown by both persons (Vladimir and Ing. Luis),
I don't see issues which should cause this, so as Andrew suggests, keep increasing the debug levels and post these.
Let's hope we see something here, I'm a bit puzzled about this one.


Greetz,

Louis




--
Luis Felipe Dominguez Vega
System Administration in Desoft Matanzas | Mob: [ tel:+5353694785 | +5353694785 ] | [ http://www.desoft.cu/ | www.desoft.cu ]
[ https://www.facebook.com/lfdominguez0104 |    ] [ https://www.linkedin.com/in/luis-felipe-dom%C3%ADnguez-vega-47725794/ |    ] [ https://twitter.com/LuisFelipeDV1 |    ]


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
Can you post the output of

klist -ket /var/lib/samba/private/secrets.keytab
And yes, it's possible that after the copy some rights are wrong.

My output, for the "none" root:root folders.

ls -al /var/lib/samba/ | egrep "dns|winbind|ntp|private|user|sysvol"
drwxr-x---   2 root ntp                       4096 Aug 10 11:46 ntp_signd
drwxr-xr-x   8 root root                      4096 Aug 11 14:11 private
drwxrwx---+  3 root BUILTIN\administrators    4096 Apr 28  2015 sysvol
drwxrwx--T   2 root sambashare                4096 May  6  2016 usershares
-rw-------   1 root root                    286720 Aug 11 14:11 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv             4096 Aug 10 11:46 winbindd_privileged

And
ls -al /var/lib/samba/private/ | egrep "dns|sam"
drwxrwx--- 3 root bind    4096 Aug 11 13:06 dns
-rw-r----- 1 root bind     877 Apr 28  2015 dns.keytab
-rw------- 1 root root    2195 Apr 28  2015 dns_update_cache
-rw-r--r-- 1 root root    3183 Apr 28  2015 dns_update_list
-rw------- 1 root root 4247552 Jun  1  2015 sam.ldb
drwxr-x--- 2 root bind    4096 Aug 11 13:06 sam.ldb.d

Can you check these?


@Vladimir, you don't have bind installed so your rights may differ a bit.

Greetz,

Louis


> -----Original message-----
> From: Ing. Luis Felipe Domínguez Vega
> [mailto:[hidden email]]
> Sent: Friday 11 August 2017 14:02
> To: L.P.H. van Belle; samba
> Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR and cannot
> join windows 7 samba4-ad-dc fresh install, get
> NT_STATUS_INTERNAL_ERROR

Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via
samba wrote:
> gss_init_sec_context failed with [ The context has expired: Success]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR

Can you please show me your smb.conf?

gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is
somehow set up as a file server.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
On Sat, 12 Aug 2017 05:56:36 +1200
Andrew Bartlett via samba <[hidden email]> wrote:

> On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via
> samba wrote:
> > gss_init_sec_context failed with [ The context has expired: Success]
> > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
> > NT_STATUS_INTERNAL_ERROR
>
> Can you please show me your smb.conf?
>
> gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is
> somehow set up as a file server.
>
> Andrew Bartlett
>

Hi Andrew,

He has already posted it in his first post and it looks like a DC to me.

However, would him having 'client ldap sasl wrapping = sign' in his
smb.conf be causing this ?

Rowland


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via
samba wrote:
> This is with -d10, I test in Windows 10 (joining to domain) and same
> error, "Internal error". One thing, I don't execute the domain
> provision command because I put all the files created in the old
> server into the new server, does that matter???

This looks like the log from smbclient, is that correct?  If so, can
you give me the exact command you ran, and the output of klist?

Can you also show me the server-side log, at level 10?

The error you see with smbclient may not be related to the join error,
it looks like a client-side failure at this point.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
How strange that is: with the old server that does not happen, but with this new server... I thought that, as I only copied /var/lib/samba to the new server, samba with the samba provision command makes something outside /var/lib/samba (and the smb.conf file) that I am missing from the old server.

----- Original message -----
From: "samba" <[hidden email]>
To: "samba" <[hidden email]>
CC: "Andrew Bartlett" <[hidden email]>
Sent: Friday, 11 August 2017 14:37:48
Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

On Sat, 12 Aug 2017 05:56:36 +1200
Andrew Bartlett via samba <[hidden email]> wrote:

> On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via
> samba wrote:
> > gss_init_sec_context failed with [ The context has expired: Success]
> > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
> > NT_STATUS_INTERNAL_ERROR
>
> Can you please show me your smb.conf?
>
> I gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is
> somehow set up as a file server.
>
> Andrew Bartlett
>

Hi Andrew,

He has already posted it in his first post and it looks like a DC to me.

However, would him having 'client ldap sasl wrapping = sign' in his
smb.conf be causing this ?

Rowland

--
Luis Felipe Dominguez Vega
System Administration in Desoft Matanzas | Mob: +5353694785 | www.desoft.cu
https://www.facebook.com/lfdominguez0104 | https://www.linkedin.com/in/luis-felipe-dom%C3%ADnguez-vega-47725794/ | https://twitter.com/LuisFelipeDV1


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
This is the command after 'kinit administrator':

smbclient -k -L dc.mtz.desoft.cu -m smb2 -d10


----- Original message -----
From: "Andrew Bartlett" <[hidden email]>
To: "Ing. Luis Felipe Domínguez Vega" <[hidden email]>, "L.P.H. van Belle" <[hidden email]>, "samba" <[hidden email]>
Sent: Friday, 11 August 2017 15:01:43
Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via
samba wrote:
> This is with -d10, I test in Windows 10 (joining to domain) and same
> error, "Internal error". One thing, I don't execute the domain
> provision command because I put all the files created in the old
> server into the new server, does that matter???

This looks like the log from smbclient, is that correct?  If so, can
you give me the exact command you ran, and the output of klist?

Can you also show me the server-side log, at level 10?

The error you see with smbclient may not be related to the join error,
it looks like a client-side failure at this point.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 11 Aug 2017 15:06:11 -0400 (CDT)
Ing. Luis Felipe Domínguez Vega <[hidden email]> wrote:

> How strange that is, with the old server that does not happen, but
> with this new server... I thought that as I only copied
> the /var/lib/samba to the new server, then samba with the samba
> provision command make something outside the /var/lib/samba (and
> smb.conf file) that I miss from the old server.
>

Let's see if I understand this correctly:

Your DC went faulty and you copied /var/lib/samba to somewhere safe.
You created a new DC with the same hostname and IP address.
You installed Samba.
You stopped any Samba processes.
You copied your old /var/lib/samba over the new one.
You then ran 'samba-tool domain provision'

Is the above what you did ?
If not, what did you do ?

Rowland


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
All of these steps, but I didn't run 'samba-tool domain provision'

----- Original message -----
From: "samba" <[hidden email]>
To: "samba" <[hidden email]>
Sent: Friday, 11 August 2017 15:36:46
Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

On Fri, 11 Aug 2017 15:06:11 -0400 (CDT)
Ing. Luis Felipe Domínguez Vega <[hidden email]> wrote:

> How strange that is, with the old server that does not happen, but
> with this new server... I thought that as I only copied
> the /var/lib/samba to the new server, then samba with the samba
> provision command make something outside the /var/lib/samba (and
> smb.conf file) that I miss from the old server.
>

Let's see if I understand this correctly:

Your DC went faulty and you copied /var/lib/samba to somewhere safe.
You created a new DC with the same hostname and IP address.
You installed Samba.
You stopped any Samba processes.
You copied your old /var/lib/samba over the new one.
You then ran 'samba-tool domain provision'

Is the above what you did ?
If not, what did you do ?

Rowland


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
On Fri, 11 Aug 2017 16:00:51 -0400 (CDT)
Ing. Luis Felipe Domínguez Vega <[hidden email]> wrote:

> All of these steps, but I dont ran 'samba-tool domain provision'
>

Thank goodness for that, from what you posted, it sounded like you did
and that would have been a bad idea ;-)

Can you post the following files:

/etc/hosts
/etc/hostname
/etc/resolv.conf
/etc/krb5.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local

Rowland


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 2017-08-11 at 16:00 -0400, Ing. Luis Felipe Domínguez Vega via
samba wrote:
> All of these steps, but I dont ran 'samba-tool domain provision'

So did you copy the smb.conf?

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 2017-08-11 at 19:37 +0100, Rowland Penny wrote:

> On Sat, 12 Aug 2017 05:56:36 +1200
> Andrew Bartlett via samba <[hidden email]> wrote:
>
> > On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via
> > samba wrote:
> > > gss_init_sec_context failed with [ The context has expired: Success]
> > > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
> > > NT_STATUS_INTERNAL_ERROR
> >
> > Can you please show me your smb.conf?
> >
> > I gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is
> > somehow set up as a file server.
> >
> > Andrew Bartlett
> >
>
> Hi Andrew,
>
> He has already posted it in his first post and it looks like a DC to me.
>
> However, would him having 'client ldap sasl wrapping = sign' in his
> smb.conf be causing this ?

No.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
On Mon, 14 Aug 2017 19:17:28 +1200
Andrew Bartlett <[hidden email]> wrote:

> On Fri, 2017-08-11 at 19:37 +0100, Rowland Penny wrote:
> > On Sat, 12 Aug 2017 05:56:36 +1200
> > Andrew Bartlett via samba <[hidden email]> wrote:
> >
> > > On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez
> > > Vega via samba wrote:
> > > > gss_init_sec_context failed with [ The context has expired:
> > > > Success] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
> > > > NT_STATUS_INTERNAL_ERROR
> > >
> > > Can you please show me your smb.conf?
> > >
> > > I gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is
> > > somehow set up as a file server.
> > >
> > > Andrew Bartlett
> > >
> >
> > Hi Andrew,
> >
> > He has already posted it in his first post and it looks like a DC
> > to me.
> >
> > However, would him having 'client ldap sasl wrapping = sign' in his
> > smb.conf be causing this ?
>
> No.
>
> Andrew Bartlett
>

I realised this 5 minutes after I posted it, it is one of the default
settings.

Rowland
 


Re: NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Mon, 14 Aug 2017 09:34:57 -0400 (CDT)
Ing. Luis Felipe Domínguez Vega <[hidden email]> wrote:

> Sorry, on weekends I have neither email nor internet. Yes,
> I have copied the smb.conf gggg. Well the files are. Ahhh something
> strange, the NTP server is working only with native NTP clients, if
> I use w32tm /resync in windows clients they don't update the time, the
> server receives the request and sends a response, but they don't synchronize,
> but this is for later, now the Domain Join action is very important.
>

Can you try the following files instead of yours, they are based on my
working files and info gleaned from yours:

/etc/resolv.conf

search mtz.desoft.cu
nameserver 192.168.0.1

/etc/krb5.conf

[libdefaults]
        default_realm = MTZ.DESOFT.CU
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version none;
        dump-file "/var/cache/bind/data/cache_dump.db";
        statistics-file "/var/cache/bind/data/named_stats.txt";
        notify no;
        empty-zones-enable no;
        allow-query     { 192.168.0.0/24; 10.11.0.0/24; 127.0.0.1; };
        allow-recursion { 192.168.0.0/24; 10.11.0.0/24; 127.0.0.1; };
        forwarders { 192.168.0.253; 8.8.8.8; };
        allow-transfer  { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on port 53 { 127.0.0.1; 10.11.0.1; 192.168.0.1; };
        listen-on-v6 { none; };
        querylog yes;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                severity info;
        };

        category xfer-in        { xfer-log; };
        category xfer-out       { xfer-log; };
        category notify         { xfer-log; };
};

statistics-channels {
        inet 127.0.0.1 port 8888 allow { 127.0.0.1; };
};

BIG NOTE: I only have the first part in my named.conf.options

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/private/named.conf";

ANOTHER NOTE: check that the path above is correct for your setup, it
should be, but better safe than sorry ;-)

As you are now having problems with ntp, have you read this wiki page:

https://wiki.samba.org/index.php/Time_Synchronisation

Rowland
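
An offline check of /etc/krb5.conf and /etc/resolv.conf against the values in the files suggested in the message above, added here as an illustration; it is not part of any poster's message or of Samba. The function names and the "drifted" sample are constructed, and 192.168.0.1 is assumed to be the DC's own address because it is the nameserver in the suggested resolv.conf.

```python
TRUE_WORDS = {"true", "yes", "y", "t", "on", "1"}

def parse_krb5_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def parse_resolv(text):
    """Return (search_domains, nameservers) from resolv.conf text."""
    search, servers = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0][0] in "#;":
            continue
        if fields[0] in ("search", "domain"):
            search = fields[1:]
        elif fields[0] == "nameserver":
            servers.append(fields[1])
    return search, servers

def check_dc_files(realm, dc_ip, krb5_text, resolv_text):
    """List mismatches between the two files and the smb.conf realm."""
    findings = []
    lib = parse_krb5_libdefaults(krb5_text)
    if lib.get("default_realm") != realm.upper():
        findings.append("krb5.conf: default_realm should be " + realm.upper())
    if lib.get("dns_lookup_kdc", "").lower() not in TRUE_WORDS:
        findings.append("krb5.conf: dns_lookup_kdc is not set to true")
    search, servers = parse_resolv(resolv_text)
    if realm.lower() not in [d.lower() for d in search]:
        findings.append("resolv.conf: search list lacks " + realm.lower())
    if servers[:1] != [dc_ip]:
        findings.append("resolv.conf: first nameserver is not " + dc_ip)
    return findings

# Values copied from the files suggested in the message above.
SUGGESTED_KRB5 = """[libdefaults]
        default_realm = MTZ.DESOFT.CU
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""
SUGGESTED_RESOLV = "search mtz.desoft.cu\nnameserver 192.168.0.1\n"
# Constructed counter-example, not taken from the thread.
DRIFTED_KRB5 = "[libdefaults]\n    default_realm = mtz.desoft.cu\n"
DRIFTED_RESOLV = "search desoft.cu\nnameserver 8.8.8.8\nnameserver 192.168.0.1\n"
print(check_dc_files("MTZ.DESOFT.CU", "192.168.0.1", DRIFTED_KRB5, DRIFTED_RESOLV))
```

On a live DC, pass the contents of the real files instead of the embedded samples; an empty list means both files agree with the suggested values.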
