samba - Aug 2017 - cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

hi, 

can you post a ipconfig /all from the windows pc also.

a quick look at the server config looks ok to me.

and does smbclient -L $(hostname -f) -U% -m smb2
work. 

greetz,

Louis

> Op 9 aug. 2017 om 17:23 heeft Vladimir Frelikh via samba <samba at
lists.samba.org> het volgende geschreven:
> 
> Sorry forgot to mention samba version and build options:
> 
> samba -b
> Samba version: 4.5.8-Debian
> Build environment:
> Paths:
>   BINDIR: /usr/bin
>   SBINDIR: /usr/sbin
>   CONFIGFILE: /etc/samba/smb.conf
>   NCALRPCDIR: /var/run/samba/ncalrpc
>   LOGFILEBASE: /var/log/samba
>   LMHOSTSFILE: /etc/samba/lmhosts
>   DATADIR: /usr/share
>   MODULESDIR: /usr/lib/i386-linux-gnu/samba
>   LOCKDIR: /var/run/samba
>   STATEDIR: /var/lib/samba
>   CACHEDIR: /var/cache/samba
>   PIDDIR: /var/run/samba
>   PRIVATE_DIR: /var/lib/samba/private
>   CODEPAGEDIR: /usr/share/samba/codepages
>   SETUPDIR: /usr/share/samba/setup
>   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
>   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
>   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> 
> and the log file is located here:
> 
> https://pastebin.com/SqCUj5xm
> 
> 
> 2017-08-08 23:43 GMT+07:00 Vladimir Frelikh <e285ne at gmail.com>:
> 
>> Hello,
>> I've a problem joining windows 7 samba4 ad
>> I'm doing a completely clean install on debian 9.1
>> When trying to join AD Win 7 gives me "internal error"
>> I also get error on "Verifying the File Server" step of the
>> 
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Acti
>> ve_Directory_Domain_Controller
>> 
>> here's the output:
>> 
>> smbclient -L localhost -U%
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>> 
>> smbclient //localhost/netlogon -UAdministrator -c `ls`
>> Enter Administrator's password:
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>> ------
>> If you need more info (config, trace, debug, tcpdump etc) I will post
it
>> Please help
>> 
>> provision script, configs and log are below:
>> 
>> samba-tool domain provision --server-role=dc --use-rfc2307
>> --dns-backend=SAMBA_INTERNAL --realm=RONA.LOC --domain=RONA
>> --adminpass=<mypassword>
>> ------
>> cat /etc/debian_version
>> 9.1
>> ------
>> cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>        netbios name = SAMBADC
>>        realm = RONA.LOC
>>        workgroup = RONA
>>        dns forwarder = 192.168.19.1
>>        server role = active directory domain controller
>>        idmap_ldb:use rfc2307 = yes
>>        log level = 5
>> 
>> [netlogon]
>>        path = /var/lib/samba/sysvol/rona.loc/scripts
>>        read only = No
>> 
>> [sysvol]
>>        path = /var/lib/samba/sysvol
>>        read only = No
>> ------
>> cat /etc/krb5.conf
>> [libdefaults]
>>        default_realm = RONA.LOC
>>        dns_lookup_realm = false
>>        dns_lookup_kdc = true
>> ------
>> cat /etc/resolv.conf
>> domain rona.loc
>> nameserver 192.168.19.2
>> ------
>> cat /etc/hosts
>> 127.0.0.1       localhost
>> ::1             localhost ip6-localhost ip6-loopback
>> ff02::1         ip6-allnodes
>> ff02::2         ip6-allrouters
>> 192.168.19.2    sambadc.rona.loc sambadc
>> ------
>> kinit administrator at RONA.LOC
>> Password for administrator at RONA.LOC:
>> Warning: Your password will expire in 41 days on Tue Sep 19 20:53:26
2017
>> ------
>> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at RONA.LOC
>> 
>> Valid starting     Expires            Service principal
>> 08/08/17 23:23:40  08/09/17 09:23:40  krbtgt/RONA.LOC at RONA.LOC
>>        renew until 08/09/17 23:23:37
>> ------
>> log file of the joining windows 7 session:
>> log.out
>> (38 ????)
>> 
>>
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view=att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
>> 
>> 
>> --
>> Best regards, Vladimir
>> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

hi,

here is the output from win 7 machine, cutted non-us local symbols are
substituted by [cut]:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : testing
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter [cut]:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : [cut] Intel(R) PRO/1000 MT
   Physical Address. . . . . . . . . : 08-00-27-E0-C1-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . :
fe80::6085:e816:b3a6:e25c%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.19.29(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.19.1
   DHCPv6 IAID . . . . . . . . . . . : 235405351
   DHCPv6 Client DUID. . . . . . . . :
00-01-00-01-20-EC-BC-5A-08-00-27-E0-C1-08
   DNS Servers . . . . . . . . . . . : 192.168.19.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{84FC8508-AFBB-4080-B7CD-06BC11FC86F0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : [cut] Microsoft ISATAP
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter [cut] 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . :
2001:0:9d38:6ab8:2c17:6c6:3f57:ece2(Preferred)
   Link-local IPv6 Address . . . . . :
fe80::2c17:6c6:3f57:ece2%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

------
here is the output of smbclient:

smbclient -L $(hostname -f) -Uadministrator%<password> -m smb2

if I give correct password, it gives me:
session setup failed: NT_STATUS_INTERNAL_ERROR
if I give wrong password (on purpose) it gives me:
session setup failed: NT_STATUS_LOGON_FAILURE

------
here is the output if ip addr of the sambadc.rona.loc host:

ip -f inet addr show eth0
5: eth0 at if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state
UP group default qlen 1000 link-netnsid 0
    inet 192.168.19.2/24 brd 192.168.19.255 scope global eth0
       valid_lft forever preferred_lft forever


--
Best regards, Vladimir

2017-08-10 1:50 GMT+07:00 L.P.H. van Belle via samba <samba at
lists.samba.org>
:
> hi,
>
> can you post a ipconfig /all from the windows pc also.
>
> a quick look at the server config looks ok to me.
>
> and does smbclient -L $(hostname -f) -U% -m smb2
> work.
>
> greetz,
>
> Louis
>
>
> > Op 9 aug. 2017 om 17:23 heeft Vladimir Frelikh via samba <
> samba at lists.samba.org> het volgende geschreven:
> >
> > Sorry forgot to mention samba version and build options:
> >
> > samba -b
> > Samba version: 4.5.8-Debian
> > Build environment:
> > Paths:
> >   BINDIR: /usr/bin
> >   SBINDIR: /usr/sbin
> >   CONFIGFILE: /etc/samba/smb.conf
> >   NCALRPCDIR: /var/run/samba/ncalrpc
> >   LOGFILEBASE: /var/log/samba
> >   LMHOSTSFILE: /etc/samba/lmhosts
> >   DATADIR: /usr/share
> >   MODULESDIR: /usr/lib/i386-linux-gnu/samba
> >   LOCKDIR: /var/run/samba
> >   STATEDIR: /var/lib/samba
> >   CACHEDIR: /var/cache/samba
> >   PIDDIR: /var/run/samba
> >   PRIVATE_DIR: /var/lib/samba/private
> >   CODEPAGEDIR: /usr/share/samba/codepages
> >   SETUPDIR: /usr/share/samba/setup
> >   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
> >   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
> >   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> >
> > and the log file is located here:
> >
> > https://pastebin.com/SqCUj5xm
> >
> >
> > 2017-08-08 23:43 GMT+07:00 Vladimir Frelikh <e285ne at
gmail.com>:
> >
> >> Hello,
> >> I've a problem joining windows 7 samba4 ad
> >> I'm doing a completely clean install on debian 9.1
> >> When trying to join AD Win 7 gives me "internal error"
> >> I also get error on "Verifying the File Server" step of
the
> >>
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Acti
> >> ve_Directory_Domain_Controller
> >>
> >> here's the output:
> >>
> >> smbclient -L localhost -U%
> >> session setup failed: NT_STATUS_INTERNAL_ERROR
> >>
> >> smbclient //localhost/netlogon -UAdministrator -c `ls`
> >> Enter Administrator's password:
> >> session setup failed: NT_STATUS_INTERNAL_ERROR
> >> ------
> >> If you need more info (config, trace, debug, tcpdump etc) I will
post it
> >> Please help
> >>
> >> provision script, configs and log are below:
> >>
> >> samba-tool domain provision --server-role=dc --use-rfc2307
> >> --dns-backend=SAMBA_INTERNAL --realm=RONA.LOC --domain=RONA
> >> --adminpass=<mypassword>
> >> ------
> >> cat /etc/debian_version
> >> 9.1
> >> ------
> >> cat /etc/samba/smb.conf
> >> # Global parameters
> >> [global]
> >>        netbios name = SAMBADC
> >>        realm = RONA.LOC
> >>        workgroup = RONA
> >>        dns forwarder = 192.168.19.1
> >>        server role = active directory domain controller
> >>        idmap_ldb:use rfc2307 = yes
> >>        log level = 5
> >>
> >> [netlogon]
> >>        path = /var/lib/samba/sysvol/rona.loc/scripts
> >>        read only = No
> >>
> >> [sysvol]
> >>        path = /var/lib/samba/sysvol
> >>        read only = No
> >> ------
> >> cat /etc/krb5.conf
> >> [libdefaults]
> >>        default_realm = RONA.LOC
> >>        dns_lookup_realm = false
> >>        dns_lookup_kdc = true
> >> ------
> >> cat /etc/resolv.conf
> >> domain rona.loc
> >> nameserver 192.168.19.2
> >> ------
> >> cat /etc/hosts
> >> 127.0.0.1       localhost
> >> ::1             localhost ip6-localhost ip6-loopback
> >> ff02::1         ip6-allnodes
> >> ff02::2         ip6-allrouters
> >> 192.168.19.2    sambadc.rona.loc sambadc
> >> ------
> >> kinit administrator at RONA.LOC
> >> Password for administrator at RONA.LOC:
> >> Warning: Your password will expire in 41 days on Tue Sep 19
20:53:26
> 2017
> >> ------
> >> klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: administrator at RONA.LOC
> >>
> >> Valid starting     Expires            Service principal
> >> 08/08/17 23:23:40  08/09/17 09:23:40  krbtgt/RONA.LOC at RONA.LOC
> >>        renew until 08/09/17 23:23:37
> >> ------
> >> log file of the joining windows 7 session:
> >> log.out
> >> (38 ????)
> >>
> >>
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view>
att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
> >>
> >>
> >> --
> >> Best regards, Vladimir
> >>
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Thu, 10 Aug 2017 08:14:33 +0700
Vladimir Frelikh via samba <samba at lists.samba.org> wrote:
> > >>
> > >>
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> >
att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
> > >>
> > >>
> > >> --
> > >> Best regards, Vladimir
There doesn't seem to be anything really wrong with the conf files you
have posted so far, except (and this is just a nitpick) I would use
'search' instead of 'domain' in /etc/resolv.conf

There also doesn't seem to be anything obvious in the log you posted.

Have you tried asking smbclient to be a bit more verbose ?

smbclient -L localhost -U% -d3

Try this and keep raising the last number until something does pop out
(hopefully)

Rowland

Hai, 

Im missing at least one of these on the PC. 
Primary Dns Suffix  . . . . . . . : 
DNS suffix search list       : 

Are you using DHCP server or static ips on the pc. 
Thats where this problem is, i dont think its the server (samba) setup. 

@Rowland, > smbclient -L localhost -U% -d3 
Wont work, due to bug in smbclient thats tries smb1 first ( or something like
that )

I suggest test like this, als there also i see a strange reaction. 
( see my output of a 3 time running this command on a member server ) 

(Member)
smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:
Kinit for administrator at REALM to access member1.internal.domain.tld failed:
Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        secret-share$       Disk
        IPC$            IPC       IPC Service (Samba 4.6.7-Debian)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        secret-share$   Disk
        IPC$            IPC       IPC Service (Samba 4.6.7-Debian)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------



on the DC, i see something different, thats ok, in one go. 
 
smbclient -L $(hostname -f) -Uadministrator -m smb2
Enter NTDOM\administrator's password:
 
        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.6.6-Debian)
 
        Server               Comment
        ---------            -------
 
        Workgroup            Master
        ---------            ------- 

Now, since there is a difference in versions, ive upgrade the DC now also to
4.6.7.
But that show the same result. 
So small bug in the member version but not that is errors out. 



Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: donderdag 10 augustus 2017 11:26
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] cannot join windows 7 samba4-ad-dc 
> fresh install, get NT_STATUS_INTERNAL_ERROR
> 
> On Thu, 10 Aug 2017 08:14:33 +0700
> Vladimir Frelikh via samba <samba at lists.samba.org> wrote:
> 
> > > >>
> > > >>
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> >
>
>
att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw
> > > >
> > > >>
> > > >>
> > > >> --
> > > >> Best regards, Vladimir
> 
> There doesn't seem to be anything really wrong with the conf 
> files you have posted so far, except (and this is just a 
> nitpick) I would use 'search' instead of 'domain' in
/etc/resolv.conf
> 
> There also doesn't seem to be anything obvious in the log you posted.
> 
> Have you tried asking smbclient to be a bit more verbose ?
> 
> smbclient -L localhost -U% -d3
> 
> Try this and keep raising the last number until something does pop out
> (hopefully)
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>