Rowland Penny
2017-Aug-10 09:26 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
On Thu, 10 Aug 2017 08:14:33 +0700 Vladimir Frelikh via samba <samba at lists.samba.org> wrote:> > >> > > >> <https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> > att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw> > > >> > > >> > > >> -- > > >> Best regards, VladimirThere doesn't seem to be anything really wrong with the conf files you have posted so far, except (and this is just a nitpick) I would use 'search' instead of 'domain' in /etc/resolv.conf There also doesn't seem to be anything obvious in the log you posted. Have you tried asking smbclient to be a bit more verbose ? smbclient -L localhost -U% -d3 Try this and keep raising the last number until something does pop out (hopefully) Rowland
Vladimir Frelikh
2017-Aug-10 12:22 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Hi, thanks for your participatioin, here's the output: smbclient -L $(hostname -f) -UAdministrator -d3 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[global]" added interface eth0 ip=192.168.19.2 bcast=192.168.19.255 netmask=255.255.255.0 Client started (version 4.5.8-Debian). Enter Administrator's password: resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20> Connecting to 192.168.19.2 at port 445 Doing spnego session setup (blob length=96) got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178 at please_ignore GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 SPNEGO login failed: An internal error occurred. session setup failed: NT_STATUS_INTERNAL_ERROR I could raise the log level if this is not enough -- С уважением, Владимир. 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba <samba at lists.samba.org>:> On Thu, 10 Aug 2017 08:14:33 +0700 > Vladimir Frelikh via samba <samba at lists.samba.org> wrote: > > > > >> > > > >> <https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> > > att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw> > > > >> > > > >> > > > >> -- > > > >> Best regards, Vladimir > > There doesn't seem to be anything really wrong with the conf files you > have posted so far, except (and this is just a nitpick) I would use > 'search' instead of 'domain' in /etc/resolv.conf > > There also doesn't seem to be anything obvious in the log you posted. > > Have you tried asking smbclient to be a bit more verbose ? > > smbclient -L localhost -U% -d3 > > Try this and keep raising the last number until something does pop out > (hopefully) > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2017-Aug-10 12:53 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
On Thu, 10 Aug 2017 19:22:58 +0700 Vladimir Frelikh <e285ne at gmail.com> wrote:> Hi, > thanks for your participatioin, >OK, if I compare your output with the one I get (that works) the differences (with common lines removed) are: You get: smbclient -L $(hostname -f) -UAdministrator -d3 Client started (version 4.5.8-Debian). Enter Administrator's password: Doing spnego session setup (blob length=96) got OID=1.2.840.113554.1.2.2 got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178 at please_ignore Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 SPNEGO login failed: An internal error occurred. session setup failed: NT_STATUS_INTERNAL_ERROR I get: smbclient -L $(hostname -f) -UAdministrator -d3 Client started (version 4.6.0). Enter SAMDOM\Administrator's password: Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC$ IPC IPC Service (Samba 4.6.0) E2BIG: convert_string(UTF-8,CP850): srclen=27 destlen=16 - 'DC1.SAMDOM.EXAMPLE.COM' Connecting to 192.168.0.2 at port 139 got OID=1.2.840.48018.1.2.2 Server Comment --------- ------- Workgroup Master --------- ------- I have libnss_winbind setup on the DC, do you ? Or to put it another way, what packages did you install ? Rowland
L.P.H. van Belle
2017-Aug-10 13:03 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Hai, So after review all posts things again. This is the AD DC, can you show the output of : systemctl status smbd nmbd winbind samba samba-ad-dc ( yes, one line ) And. To make sure the right things are enabled. Run this: ( this ONLY for a AD AD samba setup) systemctl disable smbd nmbd winbind samba systemctl mask smbd nmbd winbind samba systemctl stop smbd nmbd winbind samba systemctl unmask samba-ad-dc systemctl enable samba-ad-dc You logs shows: For example : Kerberos: AS-REQ Administrator at RONA from ipv4:192.168.19.29:49815 for krbtgt/RONA at RONA And Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' https://bugzilla.samba.org/show_bug.cgi?id=7605 Can you change your resolv.conf to .. domain rona.loc search rona.loc nameserver 192.168.19.2 Yes Rowland, i know... About ... You know, lets not go there.. ( for now ;-) ) but Vladimir, please set this, reboot the server and try again. Post the result. I agree with rowland, only the resolv.conf is different compaired most setups. If the test works, Can you change your resolv.conf to .. search rona.loc nameserver 192.168.19.2 And reboot the server, and try again. Whats the diffence between Rowland and me.. I did keep all settings from the debian install. ( thats why i have domain and search, no other reason ) Last, i think this is resolving. Kerberos: AS-REQ Administrator at RONA should show Kerberos: AS-REQ Administrator at RONA.LOC Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Vladimir Frelikh via samba > Verzonden: donderdag 10 augustus 2017 14:23 > Aan: Rowland Penny > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] cannot join windows 7 samba4-ad-dc > fresh install, get NT_STATUS_INTERNAL_ERROR > > Hi, > thanks for your participatioin, > > here's the output: > > smbclient -L $(hostname -f) -UAdministrator -d3 > lp_load_ex: refreshing parameters > Initialising global parameters > rlimit_max: increasing rlimit_max (1024) to minimum Windows > limit (16384) > Processing section "[global]" > added interface eth0 ip=192.168.19.2 bcast=192.168.19.255 > netmask=255.255.255.0 > Client started (version 4.5.8-Debian). > Enter Administrator's password: > resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20> > Connecting to 192.168.19.2 at port 445 > Doing spnego session setup (blob length=96) > got OID=1.2.840.48018.1.2.2 > got OID=1.2.840.113554.1.2.2 > got OID=1.3.6.1.4.1.311.2.2.10 > got principal=not_defined_in_RFC4178 at please_ignore > GENSEC backend 'gssapi_spnego' registered > GENSEC backend 'gssapi_krb5' registered > GENSEC backend 'gssapi_krb5_sasl' registered > GENSEC backend 'spnego' registered > GENSEC backend 'schannel' registered > GENSEC backend 'naclrpc_as_system' registered > GENSEC backend 'sasl-EXTERNAL' registered > GENSEC backend 'ntlmssp' registered > GENSEC backend 'ntlmssp_resume_ccache' registered > GENSEC backend 'http_basic' registered > GENSEC backend 'http_ntlm' registered > GENSEC backend 'krb5' registered > GENSEC backend 'fake_gssapi_krb5' registered > Got challenge flags: > Got NTLMSSP neg_flags=0x62898215 > NTLMSSP: Set final flags: > Got NTLMSSP neg_flags=0x62088215 > NTLMSSP Sign/Seal - Initialising with flags: > Got NTLMSSP neg_flags=0x62088215 > SPNEGO login failed: An internal error occurred. > session setup failed: NT_STATUS_INTERNAL_ERROR > > I could raise the log level if this is not enough > > > -- > ?? ??????????????????, ????????????????. > > 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba > <samba at lists.samba.org>: > > > On Thu, 10 Aug 2017 08:14:33 +0700 > > Vladimir Frelikh via samba <samba at lists.samba.org> wrote: > > > > > > >> > > > > >> <https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> > > > > att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw> > > > > >> > > > > >> > > > > >> -- > > > > >> Best regards, Vladimir > > > > There doesn't seem to be anything really wrong with the > conf files you > > have posted so far, except (and this is just a nitpick) I would use > > 'search' instead of 'domain' in /etc/resolv.conf > > > > There also doesn't seem to be anything obvious in the log > you posted. > > > > Have you tried asking smbclient to be a bit more verbose ? > > > > smbclient -L localhost -U% -d3 > > > > Try this and keep raising the last number until something > does pop out > > (hopefully) > > > > Rowland > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Vladimir Frelikh
2017-Aug-11 01:13 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Hi,
I've changed /etc/resolv.conf, rebooted, here is the output:
cat /etc/resolv.conf
domain rona.loc
search rona.loc
nameserver 192.168.19.2
------
smbclient -L $(hostname -f) -UAdministrator%<password> -d5
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
no entry for sambadc.rona.loc#20 found.
resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
namecache_store: storing 1 address for sambadc.rona.loc#20: 192.168.19.2
Connecting to 192.168.19.2 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
--
С уважением, Владимир.
2017-08-10 20:03 GMT+07:00 L.P.H. van Belle via samba <samba at
lists.samba.org>:
> Hai,
>
> So after review all posts things again.
>
> This is the AD DC, can you show the output of :
> systemctl status smbd nmbd winbind samba samba-ad-dc
> ( yes, one line )
>
> And. To make sure the right things are enabled.
> Run this: ( this ONLY for a AD AD samba setup)
>
> systemctl disable smbd nmbd winbind samba
> systemctl mask smbd nmbd winbind samba
> systemctl stop smbd nmbd winbind samba
>
> systemctl unmask samba-ad-dc
> systemctl enable samba-ad-dc
>
> You logs shows:
> For example : Kerberos: AS-REQ Administrator at RONA from ipv4:
> 192.168.19.29:49815 for krbtgt/RONA at RONA
>
> And
> Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> https://bugzilla.samba.org/show_bug.cgi?id=7605
>
>
> Can you change your resolv.conf to ..
> domain rona.loc
> search rona.loc
> nameserver 192.168.19.2
>
> Yes Rowland, i know... About ... You know, lets not go there.. ( for now
> ;-) )
> but Vladimir, please set this, reboot the server and try again.
>
> Post the result.
> I agree with rowland, only the resolv.conf is different compaired most
> setups.
>
> If the test works,
> Can you change your resolv.conf to ..
> search rona.loc
> nameserver 192.168.19.2
>
> And reboot the server, and try again.
>
> Whats the diffence between Rowland and me..
> I did keep all settings from the debian install.
> ( thats why i have domain and search, no other reason )
>
> Last, i think this is resolving.
> Kerberos: AS-REQ Administrator at RONA should show Kerberos: AS-REQ
> Administrator at RONA.LOC
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Vladimir Frelikh via samba
> > Verzonden: donderdag 10 augustus 2017 14:23
> > Aan: Rowland Penny
> > CC: samba at lists.samba.org
> > Onderwerp: Re: [Samba] cannot join windows 7 samba4-ad-dc
> > fresh install, get NT_STATUS_INTERNAL_ERROR
> >
> > Hi,
> > thanks for your participatioin,
> >
> > here's the output:
> >
> > smbclient -L $(hostname -f) -UAdministrator -d3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows
> > limit (16384)
> > Processing section "[global]"
> > added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
> > netmask=255.255.255.0
> > Client started (version 4.5.8-Debian).
> > Enter Administrator's password:
> > resolve_hosts: Attempting host lookup for name
sambadc.rona.loc<0x20>
> > Connecting to 192.168.19.2 at port 445
> > Doing spnego session setup (blob length=96)
> > got OID=1.2.840.48018.1.2.2
> > got OID=1.2.840.113554.1.2.2
> > got OID=1.3.6.1.4.1.311.2.2.10
> > got principal=not_defined_in_RFC4178 at please_ignore
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898215
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088215
> > SPNEGO login failed: An internal error occurred.
> > session setup failed: NT_STATUS_INTERNAL_ERROR
> >
> > I could raise the log level if this is not enough
> >
> >
> > --
> > ?? ??????????????????, ????????????????.
> >
> > 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Thu, 10 Aug 2017 08:14:33 +0700
> > > Vladimir Frelikh via samba <samba at lists.samba.org>
wrote:
> > >
> > > > > >>
> > > > > >>
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> >
> > >
> >
att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
> > > > > >>
> > > > > >>
> > > > > >> --
> > > > > >> Best regards, Vladimir
> > >
> > > There doesn't seem to be anything really wrong with the
> > conf files you
> > > have posted so far, except (and this is just a nitpick) I would
use
> > > 'search' instead of 'domain' in /etc/resolv.conf
> > >
> > > There also doesn't seem to be anything obvious in the log
> > you posted.
> > >
> > > Have you tried asking smbclient to be a bit more verbose ?
> > >
> > > smbclient -L localhost -U% -d3
> > >
> > > Try this and keep raising the last number until something
> > does pop out
> > > (hopefully)
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Seemingly Similar Threads
- cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
- Samba AD member lost domain join after reboot
- DRS Replication between two DC's Failing
- Samba v3 works with LDAP, but not Samba v4
- Intermittent failure of net ads join command with error "The transport connection is now disconnected"