cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
Hello,
I have a problem joining Windows 7 to a Samba 4 AD.
I'm doing a completely clean install on Debian 9.1.
When trying to join the AD, Win 7 gives me "internal error".
I also get an error on the "Verifying the File Server" step of the

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

here's the output:

smbclient -L localhost -U%
session setup failed: NT_STATUS_INTERNAL_ERROR

smbclient //localhost/netlogon -UAdministrator -c `ls`
Enter Administrator's password:
session setup failed: NT_STATUS_INTERNAL_ERROR
------
If you need more info (config, trace, debug, tcpdump etc) I will post it
Please help

provision script, configs and log are below:

samba-tool domain provision --server-role=dc --use-rfc2307 \
    --dns-backend=SAMBA_INTERNAL --realm=RONA.LOC --domain=RONA \
    --adminpass=<mypassword>
------
cat /etc/debian_version
9.1
------
cat /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = SAMBADC
        realm = RONA.LOC
        workgroup = RONA
        dns forwarder = 192.168.19.1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log level = 5

[netlogon]
        path = /var/lib/samba/sysvol/rona.loc/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
------
cat /etc/krb5.conf
[libdefaults]
        default_realm = RONA.LOC
        dns_lookup_realm = false
        dns_lookup_kdc = true
------
cat /etc/resolv.conf
domain rona.loc
nameserver 192.168.19.2
------
cat /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.19.2    sambadc.rona.loc sambadc
------
kinit [hidden email]
Password for [hidden email]:
Warning: Your password will expire in 41 days on Tue Sep 19 20:53:26 2017
------
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting     Expires            Service principal
08/08/17 23:23:40  08/09/17 09:23:40  krbtgt/[hidden email]
        renew until 08/09/17 23:23:37
------
log file of the joining windows 7 session:
log.out (38 KB)
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view=att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>


--
Best regards, Vladimir
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Sorry forgot to mention samba version and build options:

samba -b
Samba version: 4.5.8-Debian
Build environment:
Paths:
   BINDIR: /usr/bin
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   NCALRPCDIR: /var/run/samba/ncalrpc
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   DATADIR: /usr/share
   MODULESDIR: /usr/lib/i386-linux-gnu/samba
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /var/lib/samba/private
   CODEPAGEDIR: /usr/share/samba/codepages
   SETUPDIR: /usr/share/samba/setup
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

and the log file is located here:

https://pastebin.com/SqCUj5xm


2017-08-08 23:43 GMT+07:00 Vladimir Frelikh <[hidden email]>:

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

hi,

can you also post an ipconfig /all from the Windows PC?

a quick look at the server config looks ok to me.

and does smbclient -L $(hostname -f) -U% -m smb2
work?

greetz,

Louis


> On 9 Aug 2017 at 17:23, Vladimir Frelikh via samba <[hidden email]> wrote:
>

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

hi,

here is the output from the Win 7 machine; non-US locale symbols were cut and
are substituted by [cut]:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : testing
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter [cut]:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : [cut] Intel(R) PRO/1000 MT
   Physical Address. . . . . . . . . : 08-00-27-E0-C1-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6085:e816:b3a6:e25c%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.19.29(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.19.1
   DHCPv6 IAID . . . . . . . . . . . : 235405351
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-EC-BC-5A-08-00-27-E0-C1-08
   DNS Servers . . . . . . . . . . . : 192.168.19.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{84FC8508-AFBB-4080-B7CD-06BC11FC86F0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : [cut] Microsoft ISATAP
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter [cut] 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:2c17:6c6:3f57:ece2(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2c17:6c6:3f57:ece2%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

------
here is the output of smbclient:

smbclient -L $(hostname -f) -Uadministrator%<password> -m smb2

if I give correct password, it gives me:
session setup failed: NT_STATUS_INTERNAL_ERROR
if I give wrong password (on purpose) it gives me:
session setup failed: NT_STATUS_LOGON_FAILURE

------
here is the output of ip addr on the sambadc.rona.loc host:

ip -f inet addr show eth0
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 192.168.19.2/24 brd 192.168.19.255 scope global eth0
       valid_lft forever preferred_lft forever


--
Best regards, Vladimir

2017-08-10 1:50 GMT+07:00 L.P.H. van Belle via samba <[hidden email]>:

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

On Thu, 10 Aug 2017 08:14:33 +0700
Vladimir Frelikh via samba <[hidden email]> wrote:

> > >>
> > >> <https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view=
> > att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
> > >>
> > >>
> > >> --
> > >> Best regards, Vladimir

There doesn't seem to be anything really wrong with the conf files you
have posted so far, except (and this is just a nitpick) I would use
'search' instead of 'domain' in /etc/resolv.conf

There also doesn't seem to be anything obvious in the log you posted.

Have you tried asking smbclient to be a bit more verbose ?

smbclient -L localhost -U% -d3

Try this and keep raising the last number until something does pop out
(hopefully)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
Hai,

I'm missing at least one of these on the PC.
Primary Dns Suffix  . . . . . . . : 
DNS suffix search list       :

Are you using a DHCP server or static IPs on the PC?
That's where this problem is; I don't think it's the server (Samba) setup.

@Rowland, > smbclient -L localhost -U% -d3
Won't work, due to a bug in smbclient that tries smb1 first (or something like that)

I suggest testing like this, as there I also see a strange reaction.
(see my output of running this command 3 times on a member server)

(Member)
smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:
Kinit for administrator@REALM to access member1.internal.domain.tld failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        secret-share$       Disk
        IPC$            IPC       IPC Service (Samba 4.6.7-Debian)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        secret-share$   Disk
        IPC$            IPC       IPC Service (Samba 4.6.7-Debian)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------



On the DC, I see something different; that's ok, in one go.
 
smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:
 
        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.6.6-Debian)
 
        Server               Comment
        ---------            -------
 
        Workgroup            Master
        ---------            -------

Now, since there is a difference in versions, I've upgraded the DC now also to 4.6.7.
But that shows the same result.
So small bug in the member version but not that is errors out.



Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Thursday 10 August 2017 11:26
> To: [hidden email]
> Subject: Re: [Samba] cannot join windows 7 samba4-ad-dc
> fresh install, get NT_STATUS_INTERNAL_ERROR
>

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

On Thu, 10 Aug 2017 11:58:18 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai,
>
> Im missing at least one of these on the PC.
> Primary Dns Suffix  . . . . . . . : 
> DNS suffix search list       :
>
> Are you using DHCP server or static ips on the pc.
> Thats where this problem is, i dont think its the server (samba)
> setup.
>
> @Rowland, > smbclient -L localhost -U% -d3
> Wont work, due to bug in smbclient thats tries smb1 first ( or
> something like that )

Strange, it works for me on a 4.6.0 DC

>
> I suggest test like this, als there also i see a strange reaction.
> ( see my output of a 3 time running this command on a member server )
>
> (Member)
> smbclient -L $(hostname -f) -Uadministrator -m smb2
> Enter NTDOM\administrator's password:
> Kinit for administrator@REALM to access member1.internal.domain.tld
> failed: Preauthentication failed session setup failed:
> NT_STATUS_LOGON_FAILURE

You seem to have problem here, it works first time for me on a Unix
domain member (4.6.5-Debian).

>
> on the DC, i see something different, thats ok, in one go.
>  
> smbclient -L $(hostname -f) -Uadministrator -m smb2
> Enter NTDOM\administrator's password:
>  
>         Sharename       Type      Comment
>         ---------       ----      -------
>         sysvol          Disk
>         netlogon        Disk
>         IPC$            IPC       IPC Service (Samba 4.6.6-Debian)
>  
>         Server               Comment
>         ---------            -------
>  
>         Workgroup            Master
>         ---------            -------
>
> Now, since there is a difference in versions, ive upgrade the DC now
> also to 4.6.7. But that show the same result.
> So small bug in the member version but not that is errors out.

I don't think there is a 'small bug' in the member server, I think it
is probably in your setup :-(

Rowland

>

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Hi,
thanks for your participation,

here's the output:

smbclient -L $(hostname -f) -UAdministrator -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255 netmask=255.255.255.0
Client started (version 4.5.8-Debian).
Enter Administrator's password:
resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
Connecting to 192.168.19.2 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

I could raise the log level if this is not enough


--
Best regards, Vladimir.

2017-08-10 16:26 GMT+07:00 Rowland Penny via samba <[hidden email]>:

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Hai,

I've done some testing and I compared the outputs of an original Debian package and my own package.
Same result, no errors, everything; I did test 4.1.17, 4.5.8, 4.5.12, 4.6.6 and 4.6.7 servers.
Again same result, everything ok. Uhh. So what happened then...

Now I tested again but typed a wrong password..
And, yes, it was a typo in my password.. (oops) sorry for the noise.
Now a bit more testing, all with a wrong password.

A Samba 4.5.12 gives this output
smbclient -L $(hostname -f) -Uadministrator -msmb2
Enter administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE

A 4.6.6 however..
smbclient -L $(hostname -f) -Uadministrator -m smb2
NTDOM\administrator's password:
Kinit for administrator@REALM to access member1.internal.domain.tld
failed: Preauthentication failed session setup failed:
NT_STATUS_LOGON_FAILURE


So somewhere in 4.6 the output changed.
And i would expect : NT_STATUS_WRONG_PASSWORD
And not :  NT_STATUS_LOGON_FAILURE

@Rowland..
Phew, you scared me. Something wrong in my setup or packages..
   :-/ you're the joker, aren't you. :-p  ;-)


Gr.

Louis
P.S. I don't have an original Debian 4.6.5 running so can't test that one.
Oh, and with -msmb2 or not, the result is the same.





> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Thursday 10 August 2017 12:23
> To: [hidden email]
> Subject: Re: [Samba] cannot join windows 7 samba4-ad-dc
> fresh install, get NT_STATUS_INTERNAL_ERROR
>

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

On Thu, 10 Aug 2017 19:22:58 +0700
Vladimir Frelikh <[hidden email]> wrote:

> Hi,
> thanks for your participation,
>

OK, if I compare your output with the one I get (that works)
the differences (with common lines removed) are:

You get:

smbclient -L $(hostname -f) -UAdministrator -d3

Client started (version 4.5.8-Debian).
Enter Administrator's password:

Doing spnego session setup (blob length=96)
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore

Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

I get:

smbclient -L $(hostname -f) -UAdministrator -d3

Client started (version 4.6.0).

Enter SAMDOM\Administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        IPC$            IPC       IPC Service (Samba 4.6.0)
E2BIG: convert_string(UTF-8,CP850): srclen=27 destlen=16 - 'DC1.SAMDOM.EXAMPLE.COM'
Connecting to 192.168.0.2 at port 139
got OID=1.2.840.48018.1.2.2

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

I have libnss_winbind setup on the DC, do you ?

Or to put it another way, what packages did you install ?

Rowland


Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Thu, 10 Aug 2017 14:37:45 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

>
> @Rowland..
> Pfew, you scared me. Something wrong in my setup or packages..
>    :-/ you're the joker aren't you. :-p  ;-)
>

No, As I use your packages on Unix domain members, I don't think there
is anything wrong with them ;-)
But as it works for me and not you, there must be a difference
somewhere.
Also, as you have seen, using a wrong password gives a different error
to what the OP is getting.
 
Rowland


Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hai,

So after reviewing all the posts again.

This is the AD DC, can you show the output of :
systemctl status smbd nmbd winbind samba samba-ad-dc
( yes, one line )

And, to make sure the right things are enabled,
run this: ( this is ONLY for an AD DC samba setup )

systemctl disable smbd nmbd winbind samba
systemctl mask smbd nmbd winbind samba
systemctl stop smbd nmbd winbind samba

systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc

Your logs show, for example:
Kerberos: AS-REQ Administrator@RONA from ipv4:192.168.19.29:49815 for krbtgt/RONA@RONA

And
 Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
https://bugzilla.samba.org/show_bug.cgi?id=7605


Can you change your resolv.conf to ..
domain rona.loc
search rona.loc
nameserver 192.168.19.2

Yes Rowland, I know... About ... You know, let's not go there.. ( for now ;-) )
but Vladimir, please set this, reboot the server and try again.

Post the result.
I agree with Rowland, only the resolv.conf is different compared to most setups.

If the test works,
can you change your resolv.conf to ..
search rona.loc
nameserver 192.168.19.2

And reboot the server, and try again.

What's the difference between Rowland and me..
I did keep all settings from the Debian install.
( that's why I have domain and search, no other reason )

Last, I think this is resolving.
Kerberos: AS-REQ Administrator@RONA should show Kerberos: AS-REQ [hidden email]


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Vladimir Frelikh via samba
> Sent: Thursday 10 August 2017 14:23
> To: Rowland Penny
> CC: [hidden email]
> Subject: Re: [Samba] cannot join windows 7 samba4-ad-dc
> fresh install, get NT_STATUS_INTERNAL_ERROR
>
> Hi,
> thanks for your participation,
>
> here's the output:
>
> smbclient -L $(hostname -f) -UAdministrator -d3
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows
> limit (16384)
> Processing section "[global]"
> added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
> netmask=255.255.255.0
> Client started (version 4.5.8-Debian).
> Enter Administrator's password:
> resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
> Connecting to 192.168.19.2 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> SPNEGO login failed: An internal error occurred.
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> I could raise the log level if this is not enough
>
>
> --
> Best regards, Vladimir.
>
> 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba
> <[hidden email]>:
>
> > On Thu, 10 Aug 2017 08:14:33 +0700
> > Vladimir Frelikh via samba <[hidden email]> wrote:
> >
> >
> > There doesn't seem to be anything really wrong with the conf files you
> > have posted so far, except (and this is just a nitpick) I would use
> > 'search' instead of 'domain' in /etc/resolv.conf
> >
> > There also doesn't seem to be anything obvious in the log you posted.
> >
> > Have you tried asking smbclient to be a bit more verbose ?
> >
> > smbclient -L localhost -U% -d3
> >
> > Try this and keep raising the last number until something does pop out
> > (hopefully)
> >
> > Rowland
> >

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
Hi,
I've changed /etc/resolv.conf, rebooted, here is the output:

 cat /etc/resolv.conf
domain rona.loc
search rona.loc
nameserver 192.168.19.2

------
smbclient -L $(hostname -f) -UAdministrator%<password> -d5

INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
no entry for sambadc.rona.loc#20 found.
resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
namecache_store: storing 1 address for sambadc.rona.loc#20: 192.168.19.2
Connecting to 192.168.19.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR



--
Best regards, Vladimir.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
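
Added example, not part of the original post or of Samba's own code: a small Python triage script for the `smbclient -d` output posted in this thread. It names the SPNEGO OIDs, decodes the two `neg_flags` words, and classifies the failure along the lines the replies in the thread draw; the function names, the `where` labels and the sample strings (excerpts constructed from log lines quoted in the thread) are assumptions of this example.

```python
import re

# SPNEGO mechanism OIDs as smbclient prints them ("got OID=...").
MECH_OIDS = {
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Subset of the NTLMSSP negotiate flag bits (values per MS-NLMP).
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Log lines announcing which neg_flags word follows.
STAGES = {"Got challenge flags:": "challenge", "NTLMSSP: Set final flags:": "final"}

def decode_flags(value):
    """Names of the flag bits set in value, lowest bit first; unlisted bits in hex."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unlisted = value & ~sum(NTLMSSP_FLAGS)
    if unlisted:
        names.append("UNLISTED_0x%08x" % unlisted)
    return names

def triage(log_text):
    """Summarise one smbclient debug log: mechanisms, flags, failing side."""
    offered, submechs, flags = [], [], {}
    stage = status = None
    client_mech_failed = False
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting and indentation
        if line in STAGES:
            stage = STAGES[line]
        elif line.startswith("got OID="):
            oid = line.split("=", 1)[1]
            offered.append(MECH_OIDS.get(oid, oid))
        elif line.startswith("Starting GENSEC submechanism "):
            submechs.append(line.rsplit(" ", 1)[1])
        elif line.startswith("Failed to start GENSEC client mech"):
            client_mech_failed = True
        elif stage and (m := re.match(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)", line)):
            flags[stage], stage = int(m.group(1), 16), None
        elif m := re.match(r"session setup failed: (NT_STATUS_\w+)", line):
            status = m.group(1)
    final = flags.get("final", 0)
    both = len(flags) == 2
    dropped = decode_flags(flags["challenge"] & ~final) if both else []
    # Assumption of this example, following the replies in the thread:
    # a mechanism that fails to start locally points at the client, an
    # INTERNAL_ERROR returned for the session setup at the server, and
    # LOGON_FAILURE at the credentials or preauthentication.
    if client_mech_failed:
        where = "client"
    else:
        where = {"NT_STATUS_INTERNAL_ERROR": "server",
                 "NT_STATUS_LOGON_FAILURE": "credentials"}.get(status)
    return {
        "offered": offered, "submechs": submechs, "status": status,
        "final_flags": decode_flags(final), "dropped": dropped,
        "seal": bool(final & 0x20), "where": where,
    }

# Constructed sample: excerpt of lines from the -d5 output posted above.
SAMPLE_NTLMSSP = """\
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

# Constructed sample: lines a later post in this thread shows after kdestroy.
SAMPLE_NO_TICKET = """\
Starting GENSEC submechanism gse_krb5
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

if __name__ == "__main__":
    for name, text in (("ntlmssp", SAMPLE_NTLMSSP), ("no ticket", SAMPLE_NO_TICKET)):
        print(name, triage(text))
```

On the log from this post the decoder shows that the only bits cleared between the challenge and final flags are the two target-related ones, and that signing but not sealing was negotiated.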

Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hi,

do you need specific ones or can I post the whole bunch here?

`dpkg -l`

--
Best regards, Vladimir.


Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> Hi,
> I've changed /etc/resolv.conf, rebooted, here is the output:

It won't be that.  If samba has NT_STATUS_INTERNAL_ERROR inside the
server, no change to the client will help.

I suggest turning up the debug level until you get more detail.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba






Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 11 Aug 2017 08:15:09 +0700
Vladimir Frelikh <[hidden email]> wrote:

> Hi,
>
> do you need specific ones or can I post the whole bunch here?
>
> `dpkg -l`
>

No, I am just interested in what specific packages you installed to get
Samba working.

These are the packages I install:

apt-get install samba attr winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

Rowland


Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hello, sorry for the delay,
kinit goes fine, here is the output of
klist :

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting       Expires              Service principal
15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/[hidden email]
        renew until 16.08.2017 13:36:03
------
here's the output of
smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :

INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
name sambadc.rona.loc#20 found.
Connecting to 192.168.19.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/[hidden email]
Kinit for Administrator to access cifs/[hidden email] failed:
Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE



--
Best regards, Vladimir.


Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
On Tue, 15 Aug 2017 13:40:15 +0700
Vladimir Frelikh via samba <[hidden email]> wrote:

> Hello, sorry for the delay,
> kinit goes fine, here is the output of
> klist :
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [hidden email]
>
> Valid starting       Expires              Service principal
> 15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/[hidden email]
>         renew until 16.08.2017 13:36:03
> ------
> here's the output of
> smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :
>

can you run 'pam-auth-update' in a terminal and then post what PAM
profiles are enabled ?

Rowland


Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
Ok, a recap here..
 
I've done some extra testing.
 
The output shown below matches exactly with a member server setup, I'll show with my tests.
You will see a "wrong" command, that's correct, I'll explain in the end.
( smbclient -u is wrong, smbclient -U is correct )

My tests.
... I'll show the parts that are different. ( for these member servers )
 
a samba 4.5.8 original debian package
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
Doing spnego session setup (blob length=96)
.....
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/[hidden email]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
 

kdestroy
smbclient -L //$(hostname -f) -d9 -k
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
 
 
 
smbclient -L //$(hostname -f) -d9 -uAdministrator
Typing the (correct) pass.   ( but -u is wrong so this reflex to NTDOM\root )
 
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
 

( changed -u to -U )
smbclient -L //$(hostname -f) -d9 -UAdministrator
(typing the pass)
 
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[NTODOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
 
 
 
Now same on a 4.6.7 member the same steps.
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
 
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/rtd-mem10.internal.domain.tld@REALM
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
 
kdestroy
smbclient -L //$(hostname -f) -d9 -k
 
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/member10.internal.domain.tld@REALM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
 
smbclient -L //$(hostname -f) -d9 -uAdministrator 
I now just hit enter, and don't type any password, and above with (wrong -u )
 session request ok
Enter BAZRTD\root's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
>>>>> .. but  there is more now..
 
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
.........................
result ...   ** NOTICE1
NTLMSSP Sign/Seal - using NTLM1
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
 session setup ok
 tconx ok
and a correct output.
** NOTICE1
 
 
Now same on a samba 4.6.7 AD DC. ( don't have any 4.5.8 AD DCs so can't test that atm, this is because I test in a production environment.)
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
 

 session request ok
got OID=1.2.840.48018.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
 

kdestroy
smbclient -L //$(hostname -f) -d9 -uAdministrator
( again -u is wrong, reflexs to NTDOM\root )
( typing a wrong password )
 
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
 
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password )
 session request ok
Enter NTDOM\Administrator's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
 

again
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password )
 
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:cliconnect] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
 

Is it me, or is the error output inconsistent?
 
I use an incorrect parameter -u. This command should not run at all.
It should error out with the message unknown parameter.
 
I use no password, then DOM\root changed to guest and it works.
( see : ** NOTICE1 )
 
testparm -vs | grep guest
Load smb config files from /etc/samba/smb.conf
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
 
        usershare allow guests = No
        guest account = nobody
        map to guest = Never
        guest ok = No
        guest only = No

 

For Vladimir, the server shows:
doing parameter server role = active directory domain controller
 
but the debug output does not show as an AD DC but as member server output, at least it looks to me like it is.
 
his log shows :
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/[hidden email]
 
Until this part, above, that only shows in my tests on the member servers.
 
This is the remaining part of the error.
 
Kinit for Administrator to access cifs/[hidden email] failed: Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE
 

SPN cifs/hostname.internal.domain.tld@REALM does not show up in my AD DC.
not in :
klist -ke /var/lib/samba/private/secrets.keytab
klist -ke /var/lib/samba/private/dns.keytab
There is no /etc/krb5.keytab on the DC's.
 
where is SPN cifs defined?  ( host/kernel? )
 
On the DC running: 
samba-tool spn list dc1$
does not show SPN/cifs
 
And same on the member.
 
So it still looks like it's set up for AD DC, due to the provisioning.
But somewhere in the background there are member server settings.
 
I suggest, since both are using new servers, stop samba, cleanup, provision again.
systemctl stop samba-ad-dc
and to be sure :
systemctl stop samba smbd nmbd winbind
systemctl mask samba smbd nmbd winbind
systemctl disable samba smbd nmbd winbind
 
# Backup and cleanup.
cd /var/lib/
cp -R samba{,.backup}
rm samba/*.tdb
 
cd /var/lib/samba
cp -R private{,.backup}
rm private/*.tdb
 
cd /var/cache/samba
rm *.dat
rm *.tdb
 
cp -R /etc/samba{,.backup}
rm /etc/samba/smb.conf
 
HERE YOUR PROVISIONING COMMAND.
 
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
 
REBOOT THE SERVER !
and check again.

 
Above is the only thing left I can think of.
I think this might be due to 2 possible problems.
 
Problems with the database/old member settings/leftovers or kerberos problems due to incorrect settings from start.
But I can't detect why I see a member output on the DC ( in his output ); the setup base was wrong, resulting in a strange problem.
 
 
Greetz,
 
Louis
 

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
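
Added example (not part of the original post and not Samba code): a Python triage of `smbclient -d9` output that reports which SPNEGO mechanisms were offered, which GENSEC submechanisms were tried, and whether the run ended in Kerberos, an NTLMSSP attempt, or an anonymous session. The name `triage` and the verdict strings are assumptions of this example; the sample logs are trimmed excerpts assembled from the debug lines quoted in the message above.

```python
import re

# SPNEGO mechanism OIDs as printed on the "got OID=" debug lines.
OIDS = {"1.2.840.48018.1.2.2": "MS-KRB5", "1.2.840.113554.1.2.2": "KRB5",
        "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def triage(log):
    """Summarise one smbclient -d9 run: mechs offered and tried, and the outcome."""
    r = {"offered": [], "tried": [], "failed": {}, "status": None, "anonymous": False}
    connected = False
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r"got OID=([\d.]+)", line):
            r["offered"].append(OIDS.get(m[1], m[1]))
        elif m := re.match(r"Starting GENSEC submechanism (\S+)", line):
            r["tried"].append(m[1])
        elif m := re.match(r"Failed to start GENSEC client mech (\S+): (\S+)", line):
            r["failed"][m[1]] = m[2]
        elif m := re.match(r"session setup failed: (\S+)", line):
            r["status"] = m[1]
        elif line == "Anonymous login successful":
            r["anonymous"] = True
        elif re.match(r"(Domain=\[.*?\] )?OS=\[.*\] Server=\[", line):
            connected = True  # banner line seen in the runs that connected
    if r["anonymous"]:
        r["verdict"] = "anonymous session, supplied credentials not used"
    elif connected:
        r["verdict"] = "authenticated via " + (r["tried"] or ["unknown"])[-1]
    elif "gse_krb5" in r["failed"] and "ntlmssp" not in r["tried"]:
        r["verdict"] = "client-side failure: no usable Kerberos ticket"
    else:
        r["verdict"] = "rejected: " + str(r["status"])
    return r

# Trimmed excerpts assembled from the debug lines quoted in the post above.
KRB_OK = """got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]"""
NO_TICKET = """Starting GENSEC submechanism gse_krb5
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR"""
ANON = """Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Starting GENSEC submechanism ntlmssp
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]"""

for name, log in (("kinit", KRB_OK), ("kdestroy", NO_TICKET), ("no password", ANON)):
    print(name, "->", triage(log)["verdict"])
```

Run against a full `-d9` capture, the verdict separates a missing ticket cache on the client from a credential the server rejected, and flags the case where the session that "worked" was anonymous.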
Re: cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Samba - General mailing list
In reply to this post by Samba - General mailing list
Hello,
here is the output of

smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password

from /var/log/samba.log https://pastebin.com/KrMyL8qJ
maybe it seems to be more informative

--
Best regards, Vladimir.

2017-08-11 8:39 GMT+07:00 Andrew Bartlett <[hidden email]>:

> On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> > Hi,
> > I've changed /etc/resolv.conf, rebooted, here is the output:
>
> It won't be that.  If samba has NT_STATUS_INTERNAL_ERROR inside the
> server, no change to the client will help.
>
> I suggest turning up the debug level until you get more detail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>