Vladimir Frelikh
2017-Aug-11 01:13 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Hi,
I've changed /etc/resolv.conf, rebooted, here is the output:

cat /etc/resolv.conf
domain rona.loc
search rona.loc
nameserver 192.168.19.2

------
smbclient -L $(hostname -f) -UAdministrator%<password> -d5
INFO: Current debug levels:
  all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5
  vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5
  vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
no entry for sambadc.rona.loc#20 found.
resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
namecache_store: storing 1 address for sambadc.rona.loc#20: 192.168.19.2
Connecting to 192.168.19.2 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061808
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  Could not test socket option SO_SNDTIMEO.
  Could not test socket option SO_RCVTIMEO.
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

--
Best regards, Vladimir.

2017-08-10 20:03 GMT+07:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> Hai,
>
> So after review all posts things again.
>
> This is the AD DC, can you show the output of :
> systemctl status smbd nmbd winbind samba samba-ad-dc
> ( yes, one line )
>
> And. To make sure the right things are enabled.
> Run this: ( this ONLY for a AD AD samba setup)
>
> systemctl disable smbd nmbd winbind samba
> systemctl mask smbd nmbd winbind samba
> systemctl stop smbd nmbd winbind samba
>
> systemctl unmask samba-ad-dc
> systemctl enable samba-ad-dc
>
> Your logs show:
> For example : Kerberos: AS-REQ Administrator at RONA from ipv4:
> 192.168.19.29:49815 for krbtgt/RONA at RONA
>
> And
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> https://bugzilla.samba.org/show_bug.cgi?id=7605
>
>
> Can you change your resolv.conf to ..
> domain rona.loc
> search rona.loc
> nameserver 192.168.19.2
>
> Yes Rowland, i know... About ... You know, let's not go there.. ( for now ;-) )
> but Vladimir, please set this, reboot the server and try again.
>
> Post the result.
> I agree with rowland, only the resolv.conf is different compared most setups.
>
> If the test works,
> Can you change your resolv.conf to ..
> search rona.loc
> nameserver 192.168.19.2
>
> And reboot the server, and try again.
>
> What's the difference between Rowland and me..
> I did keep all settings from the debian install.
> ( that's why i have domain and search, no other reason )
>
> Last, i think this is resolving.
> Kerberos: AS-REQ Administrator at RONA should show Kerberos: AS-REQ Administrator at RONA.LOC
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Vladimir Frelikh via samba
> > Sent: Thursday 10 August 2017 14:23
> > To: Rowland Penny
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
> >
> > Hi,
> > thanks for your participation,
> >
> > here's the output:
> >
> > smbclient -L $(hostname -f) -UAdministrator -d3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[global]"
> > added interface eth0 ip=192.168.19.2 bcast=192.168.19.255 netmask=255.255.255.0
> > Client started (version 4.5.8-Debian).
> > Enter Administrator's password:
> > resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
> > Connecting to 192.168.19.2 at port 445
> > Doing spnego session setup (blob length=96)
> > got OID=1.2.840.48018.1.2.2
> > got OID=1.2.840.113554.1.2.2
> > got OID=1.3.6.1.4.1.311.2.2.10
> > got principal=not_defined_in_RFC4178 at please_ignore
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898215
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088215
> > SPNEGO login failed: An internal error occurred.
> > session setup failed: NT_STATUS_INTERNAL_ERROR
> >
> > I could raise the log level if this is not enough
> >
> >
> > --
> > Best regards, Vladimir.
> >
> > 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba <samba at lists.samba.org>:
> >
> > > On Thu, 10 Aug 2017 08:14:33 +0700
> > > Vladimir Frelikh via samba <samba at lists.samba.org> wrote:
> > >
> > > >> --
> > > >> Best regards, Vladimir
> > >
> > > There doesn't seem to be anything really wrong with the conf files you
> > > have posted so far, except (and this is just a nitpick) I would use
> > > 'search' instead of 'domain' in /etc/resolv.conf
> > >
> > > There also doesn't seem to be anything obvious in the log you posted.
> > >
> > > Have you tried asking smbclient to be a bit more verbose ?
> > >
> > > smbclient -L localhost -U% -d3
> > >
> > > Try this and keep raising the last number until something does pop out
> > > (hopefully)
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2017-Aug-11 01:39 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> Hi,
> I've changed /etc/resolv.conf, rebooted, here is the output:

It won't be that. If samba has NT_STATUS_INTERNAL_ERROR inside the server, no change to the client will help.

I suggest turning up the debug level until you get more detail.

Andrew Bartlett

--
Andrew Bartlett                               https://samba.org/~abartlet/
Authentication Developer, Samba Team          https://samba.org
Samba Development and Support, Catalyst IT    https://catalyst.net.nz/services/samba
Vladimir Frelikh
2017-Aug-15 06:40 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Hello,
sorry for the delay, kinit goes fine, here is the output of klist :

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at RONA.LOC

Valid starting       Expires              Service principal
15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/RONA.LOC at RONA.LOC
        renew until 16.08.2017 13:36:03

------
here's the output of smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :

INFO: Current debug levels:
  all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9
  vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9 scavenger: 9 dns: 9 ldb: 9 tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9
  vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9 scavenger: 9 dns: 9 ldb: 9 tevent: 9
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
name sambadc.rona.loc#20 found.
Connecting to 192.168.19.2 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061808
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  Could not test socket option SO_SNDTIMEO.
  Could not test socket option SO_RCVTIMEO.
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/sambadc.rona.loc at RONA.LOC
Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC failed: Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE

--
Best regards, Vladimir.

2017-08-11 8:39 GMT+07:00 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> > Hi,
> > I've changed /etc/resolv.conf, rebooted, here is the output:
>
> It won't be that. If samba has NT_STATUS_INTERNAL_ERROR inside the
> server, no change to the client will help.
>
> I suggest turning up the debug level until you get more detail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
L.P.H. van Belle
2017-Aug-15 09:39 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Ok, a recap here..
I've done some extra testing.

The output shown below matches exactly with a member server setup, I'll show with my tests.
You will see a "wrong" command, that's correct, I'll explain in the end.
( smbclient -u is wrong, smbclient -U is correct )

My tests.
... I'll show the parts that are different. ( for these member servers )

A samba 4.5.8 original debian package

kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k

Doing spnego session setup (blob length=96)
.....
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/rtd-mem10.rotterdam.bazuin.nl at ROTTERDAM.BAZUIN.NL
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

kdestroy
smbclient -L //$(hostname -f) -d9 -k

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

smbclient -L //$(hostname -f) -d9 -uAdministrator
Typing the (correct) pass.
( but -u is wrong so this reflex to NTDOM\root )

GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

( changed -u to -U )
smbclient -L //$(hostname -f) -d9 -UAdministrator
(typing the pass)

Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[NTODOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

Now same on a 4.6.7 member the same steps.

kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/rtd-mem10.internal.domain.tld at REALM
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

kdestroy
smbclient -L //$(hostname -f) -d9 -k

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/member10.internal.domain.tld at REALM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

smbclient -L //$(hostname -f) -d9 -uAdministrator
I now just hit enter, and don't type any password, and above with (wrong -u )

session request ok
Enter BAZRTD\root's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
>>>>> .. but there is more now..
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
.........................
result ... ** NOTICE1
NTLMSSP Sign/Seal - using NTLM1
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
session setup ok
tconx ok
and a correct output.
** NOTICE1

Now same on a samba 4.6.7 AD DC.
( don't have any 4.5.8 AD DC's so can't test that atm, this is because I test in a production environment.)

kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k

session request ok
got OID=1.2.840.48018.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]

kdestroy
smbclient -L //$(hostname -f) -d9 -uAdministrator
( again -u is wrong, reflexs to NTDOM\root )
( typing a wrong password )

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password )

session request ok
Enter NTDOM\Administrator's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]

again
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password )

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:cliconnect] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

Is it me or, is the error output inconsistent.
I use an incorrect parameter -u. This command should not run at all. It should error out with message unknown parameter.
I use no password, then DOM\root changed to guest and it works. ( see : ** NOTICE1 )

testparm -vs | grep guest
Load smb config files from /etc/samba/smb.conf
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

        usershare allow guests = No
        guest account = nobody
        map to guest = Never
        guest ok = No
        guest only = No

For Vladimir, the server shows:
doing parameter server role = active directory domain controller
but the debug output does not show as an AD DC but member server output, at least looks to me it is.
His log shows :

Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/sambadc.rona.loc at RONA.LOC

Until this part, above, that only shows in my tests on the member servers.

This is the remaining part of the error.

Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC failed: Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE

SPN cifs/hostname.internal.domain.tld at REALM does not show up in my AD DC.
not in :
klist -ke /var/lib/samba/private/secrets.keytab
klist -ke /var/lib/samba/private/dns.keytab
There is no /etc/krb5.keytab on the DC's.

Where is SPN cifs defined? ( host/kernel? )

On the DC running: samba-tool spn list dc1$ does not show SPN/cifs
And same on the member.

So it still looks its setup for AD DC, due to the provisioning.
But somewhere in the background there are member server settings.

I suggest, since both are using new servers, stop samba, cleanup, provision again.

systemctl stop samba-ad-dc
and to be sure :
systemctl stop samba smbd nmbd winbind
systemctl mask samba smbd nmbd winbind
systemctl disable samba smbd nmbd winbind

# Backup and cleanup.
cd /var/lib/
cp -R samba{,.backup}
rm samba/*.tdb

cd /var/lib/samba
cp -R private{,.backup}
rm private/*.tdb

cd /var/cache/samba
rm *.dat
rm *.tdb

cp -R /etc/samba{,.backup}
rm /etc/samba/smb.conf

HERE YOUR PROVISIONING COMMAND.

systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

REBOOT THE SERVER !
and check again.

Above is the only thing left I can think of.
I think, this might be due to 2 possible problems.
Problems with the database/old member settings/leftovers or kerberos problems due to incorrect settings from start.
But I can't detect why I see a member output on the DC ( in his output ), the setup base was wrong, resulting in a strange problem.

Greetz,

Louis
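
The failure signatures compared in this thread (a Kerberos mechanism that never starts on the client, an NTLMSSP exchange that comes back with an internal error, a refused ticket request) can be separated mechanically from smbclient debug output. The following is an added example, not code from any poster or from the Samba project; the verdict names, the function names and the sample log lines (modelled on the output quoted above, with a placeholder host and realm) are constructed for illustration.

```python
import re

# Subset of NTLMSSP negotiate bits, named as Samba's debug output prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

START = re.compile(r"Starting GENSEC submechanism (\w+)")
MECH_FAIL = re.compile(r"Failed to start GENSEC client mech (\w+): (NT_STATUS_\w+)")
FLAGS = re.compile(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)")
KINIT = re.compile(r"Kinit for (\S+) to access (.+?) failed: (.+)")
FINAL = re.compile(r"session setup failed: (NT_STATUS_\w+)")


def decode_flags(value):
    """Names of the known NTLMSSP bits set in value, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]


def triage(log_text):
    """Classify one smbclient session setup attempt from its debug output."""
    mechs, mech_fail, flags, kinit, final = [], {}, [], None, None
    for line in log_text.splitlines():
        if m := START.search(line):
            mechs.append(m.group(1))
        elif m := MECH_FAIL.search(line):
            mech_fail[m.group(1)] = m.group(2)
        elif m := FLAGS.search(line):
            flags.append(int(m.group(1), 16))
        elif m := KINIT.search(line):
            kinit = (m.group(2), m.group(3).strip())
        elif m := FINAL.search(line):
            final = m.group(1)
    last = mechs[-1] if mechs else None
    if final is None:
        verdict = "no-failure"
    elif kinit:
        verdict = "kdc-rejected"          # ticket request for the service principal refused
    elif last in mech_fail:
        verdict = "client-mech-start"     # last mechanism never started, e.g. no usable ccache
    elif final == "NT_STATUS_INTERNAL_ERROR":
        verdict = "server-internal"       # mechanism ran; look in the server log
    elif final == "NT_STATUS_LOGON_FAILURE":
        verdict = "credentials-rejected"  # mechanism ran; server refused the logon
    else:
        verdict = "unclassified"
    # Bits present in the first neg_flags line but absent from the last one.
    not_kept = decode_flags(flags[0] & ~flags[-1]) if flags else []
    return {"verdict": verdict, "mechanism": last, "status": final,
            "kinit": kinit, "flags_not_kept": not_kept}


# Constructed samples, modelled on the three kinds of output quoted in the thread.
SAMPLE_NTLMSSP_INTERNAL = """\
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
"""
SAMPLE_NO_CCACHE = """\
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
"""
SAMPLE_PREAUTH = """\
Kinit for Administrator to access cifs/dc1.example.test@EXAMPLE.TEST failed: Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NTLMSSP_INTERNAL, SAMPLE_NO_CCACHE, SAMPLE_PREAUTH):
        print(triage(sample))
```

Both of the first two samples end in NT_STATUS_INTERNAL_ERROR; only the mechanism lines before the final status show whether the error arose while the client was starting gse_krb5 or after the NTLMSSP exchange had run.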
Vladimir Frelikh
2017-Aug-16 00:31 UTC
[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
Hello,
here is the output of smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password from /var/log/samba.log
https://pastebin.com/KrMyL8qJ
maybe it seems to be more informative

--
Best regards, Vladimir.

2017-08-11 8:39 GMT+07:00 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> > Hi,
> > I've changed /etc/resolv.conf, rebooted, here is the output:
>
> It won't be that. If samba has NT_STATUS_INTERNAL_ERROR inside the
> server, no change to the client will help.
>
> I suggest turning up the debug level until you get more detail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba