Dear Rowland

Strange thing is that I do not receive notification on my email about your answers.

Here we run an internal DNS. Samba was configured with Bind 9 as secondary DNS.

When I put in domain.local settings, it is because we omit the company name. But the name of my domain ends with .local.

I disabled Avahi daemon.

When I try to run the command you quoted:
smbclient -k -L //srv.domain.local

I get the same error:
session setup failed: NT_STATUS_INTERNAL_ERROR

The command "kinit administrator" works perfectly.

On 26.07.2016 at 15:01, Ricardo Pardim Claus wrote:
> Dear Rowland
> Strange thing is that I do not receive notification on my email about your answers.
>
> Here we run an internal DNS. Samba was configured with Bind 9 as secondary DNS.
>
> When I put in domain.local settings, it is because we omit the company name. But the name of my domain ends with .local.
>
> I disabled Avahi daemon.
>
> When I try to run the command you quoted:
> smbclient -k -L //srv.domain.local
>
> I get the same error:
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> The command "kinit administrator" works perfectly

You should not use .local
https://lists.samba.org/archive/samba/2015-January/188062.html

I bet /etc/nsswitch.conf is using "mdns4_minimal" before DNS

On 26/07/16 14:01, Ricardo Pardim Claus wrote:
> Dear Rowland
> Strange thing is that I do not receive notification on my email about your answers.

Could be because I only reply to the Samba list.

>
> Here we run an internal DNS. Samba was configured with Bind 9 as secondary DNS.

How have you configured Bind9 on the DC?

If you have this line in smb.conf:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

You are using the internal DNS server (same goes if you do not have the line in smb.conf)

If you are using Bind9, keep the line and remove ', dns' from the end.

>
> When I put in domain.local settings, it is because we omit the company name. But the name of my domain ends with .local.
>
> I disabled Avahi daemon.
>
> When I try to run the command you quoted:
> smbclient -k -L //srv.domain.local
>
> I get the same error:
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> The command "kinit administrator" works perfectly.

Where are you running the command? On the DC?

If I run the command on one of my DCs without running 'kinit administrator', I get this:

root@dc1:~# smbclient -k -L //dc1
session setup failed: NT_STATUS_INTERNAL_ERROR

If I then run 'kinit':

root@dc1:~# kinit administrator
Password for administrator@SAMDOM.EXAMPLE.COM:
root@dc1:~# smbclient -k -L //dc1
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.3]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    home            Disk
    data            Disk      test share
    IPC$            IPC       IPC Service (Samba 4.4.3)
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.3]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

Rowland

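Added example (not part of the thread, and not Samba project code): a shell version of the two configuration checks suggested in the replies above, namely whether an mdns source precedes dns on the nsswitch.conf hosts: line, and whether the smb.conf "server services" line still lists dns. The function names and sample files are constructed for illustration, and the smb.conf check assumes a plain comma-separated list as quoted by Rowland.

```shell
#!/bin/sh
# Added example: config checks for the two points raised in the replies above.

# hosts_order FILE -> "mdns-first" if an mdns* source precedes dns on the
# active hosts: line of an nsswitch.conf, "ok" if dns comes first,
# "no-dns" if dns is not listed at all.
hosts_order() {
    awk '$1 == "hosts:" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^mdns/) { print "mdns-first"; exit }
            if ($i == "dns")  { print "ok"; exit }
        }
        print "no-dns"; exit
    }' "$1"
}

# dns_backend FILE -> "internal" if smb.conf has no "server services" line or
# the line lists dns, "bind9" if the line is present without dns.
# Assumption: the line is a plain comma-separated list, as posted in the thread.
dns_backend() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        $1 ~ /^[ \t]*server services[ \t]*$/ {
            seen = 1
            n = split($2, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "dns") has_dns = 1
            }
        }
        END { if (!seen || has_dns) print "internal"; else print "bind9" }
    ' "$1"
}

# Constructed sample files (not the poster's configuration).
demo=$(mktemp -d)
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$demo/nss.mdns"
printf '#hosts: db files\nhosts: files dns myhostname\n' > "$demo/nss.dns"
printf '[global]\n\tserver services = s3fs, rpc, kdc, dnsupdate, dns\n' > "$demo/smb.internal"
printf '[global]\n\tserver services = s3fs, rpc, kdc, dnsupdate\n' > "$demo/smb.bind9"

for f in "$demo"/nss.*; do echo "$f: $(hosts_order "$f")"; done
for f in "$demo"/smb.*; do echo "$f: $(dns_backend "$f")"; done
```

On a real host the two functions would be pointed at /etc/nsswitch.conf and at the smb.conf the DC actually loads.
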
This Samba 4 deployment job is part of a project to replace DC Windows 2008.
When we were testing the Samba 4.4.4 at any time we receive this error NT_STATUS_INTERNAL_ERROR.
The .local domain is a small network, with approximately 90 computers.
When it was set the domain name as empresa.local, instead of empresa.com.br, the intention was to separate the internal domain of the external field, because when we try to raise the domain as empresa.com.br, DNS began to conflict with the external field, since we have an external domain registered as .com.br.
With regard to my domain is .local, I will not be able to follow up the implementation of a DC with Samba 4?

About nsswitch.conf, I do not get it right.
So I'll post the contents of this file to view.

#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group: files sss
#initgroups: files

#hosts: db files nisplus nis dns
hosts: files dns myhostname

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss

publickey: nisplus

automount: files sss
aliases: files nisplus

Yes, it will work fine, if correctly configured.
But I see you use sssd, and I don't know anything of sssd.
Post the debug logs first.

About the .local (and .lan): these are reserved names.
https://en.wikipedia.org/wiki/.local

> Microsoft recommendations
> TechNet article 726016[5] cautioned against using .local:
> …we do not recommend using unregistered suffixes, such as .local.

https://technet.microsoft.com/en-us/library/cc726016

But if you are in a running .local domain, DON'T CHANGE IT; changing a domain name is really not recommended.
Just keep it in mind for a new setup.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ricardo Pardim Claus
> Sent: Tuesday 26 July 2016 15:37
> To: h.reindl at thelounge.net; samba at lists.samba.org
> Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR
>
> This Samba 4 deployment job is part of a project to replace DC Windows 2008.
> When we were testing the Samba 4.4.4 at any time we receive this error NT_STATUS_INTERNAL_ERROR.
> The .local domain is a small network, with approximately 90 computers.
> When it was set the domain name as empresa.local, instead of empresa.com.br, the intention was to separate the internal domain of the external field, because when we try to raise the domain as empresa.com.br, DNS began to conflict with the external field, since we have an external domain registered as .com.br.
> With regard to my domain is .local, I will not be able to follow up the implementation of a DC with Samba 4?
>
> About nsswitch.conf, I do not get it right.
> So I'll post the contents of this file to view.
>
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
>
> passwd: files sss
> shadow: files sss
> group: files sss
> #initgroups: files
>
> #hosts: db files nisplus nis dns
> hosts: files dns myhostname
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: files sss
>
> publickey: nisplus
>
> automount: files sss
> aliases: files nisplus

Rowland:
I took the "dns" from the "server services" line in smb.conf, then restarted the Samba service.
The commands I have given are running on the DC Samba.
Run the command:

[root@srv14 ~]# kinit administrator
Password for administrator@DOMAIN.LOCAL:
[root@srv14 ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: administrator@DOMAIN.LOCAL

Valid starting       Expires              Service principal
26-07-2016 10:43:48  26-07-2016 20:43:48  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02-08-2016 10:43:46, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
[root@srv14 ~]#

Louis:
I ran the following command to display the results:

smbclient -k -L //srv.domain.local -d5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
doing parameter interfaces = lo eno16777984
doing parameter netbios name = SRV14
doing parameter realm = DOMAIN.LOCAL
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = DOMAIN
doing parameter server role = active directory domain controller
doing parameter comment =
doing parameter log file = /var/log/samba/%m.log
doing parameter log level = 9
pm_process() returned Yes
added interface lo ip=::1 bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eno16777984 ip=172.16.16.3 bcast=172.16.17.255 netmask=255.255.254.0
Netbios name list:-
my_netbios_names[0]="SRV14"
Client started (version 4.4.5).
Opening cache file at /usr/local/samba/var/cache/gencache.tdb
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for DOMAIN.LOCAL
name srv13.domain.local#20 found.
Connecting to 172.16.16.19 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 87040
  SO_RCVBUF = 367360
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/srv13.domain.local@DOMAIN.LOCAL
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

Dear,

Does anyone have any idea what may be causing this error?
Even I had to leave off Samba, because I believe that due to NT_STATUS_INTERNAL_ERROR error, several desktops are presenting failure credentials when they try to access shares.
After I left off Samba, the errors are gone.