samba - Aug 2017 - cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Hi,
I've changed /etc/resolv.conf, rebooted, here is the output:

 cat /etc/resolv.conf
domain rona.loc
search rona.loc
nameserver 192.168.19.2

------
smbclient -L $(hostname -f) -UAdministrator%<password> -d5

INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
no entry for sambadc.rona.loc#20 found.
resolve_hosts: Attempting host lookup for name sambadc.rona.loc<0x20>
namecache_store: storing 1 address for sambadc.rona.loc#20: 192.168.19.2
Connecting to 192.168.19.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR



--
С уважением, Владимир.

2017-08-10 20:03 GMT+07:00 L.P.H. van Belle via samba <samba at
lists.samba.org
>:
> Hai,
>
> So after review all posts things again.
>
> This is the AD DC, can you show the output of :
> systemctl status smbd nmbd winbind samba samba-ad-dc
> ( yes, one line )
>
> And. To make sure the right things are enabled.
> Run this: ( this ONLY for a AD AD samba setup)
>
> systemctl disable smbd nmbd winbind samba
> systemctl mask smbd nmbd winbind samba
> systemctl stop smbd nmbd winbind samba
>
> systemctl unmask samba-ad-dc
> systemctl enable samba-ad-dc
>
> You logs shows:
> For example : Kerberos: AS-REQ Administrator at RONA from ipv4:
> 192.168.19.29:49815 for krbtgt/RONA at RONA
>
> And
>  Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> https://bugzilla.samba.org/show_bug.cgi?id=7605
>
>
> Can you change your resolv.conf to ..
> domain rona.loc
> search rona.loc
> nameserver 192.168.19.2
>
> Yes Rowland, i know... About ... You know, lets not go there.. ( for now
> ;-) )
> but Vladimir, please set this, reboot the server and try again.
>
> Post the result.
> I agree with rowland, only the resolv.conf is different compaired most
> setups.
>
> If the test works,
> Can you change your resolv.conf to ..
> search rona.loc
> nameserver 192.168.19.2
>
> And reboot the server, and try again.
>
> Whats the diffence between Rowland and me..
> I did keep all settings from the debian install.
> ( thats why i have domain and search, no other reason )
>
> Last, i think this is resolving.
> Kerberos: AS-REQ Administrator at RONA should show Kerberos: AS-REQ
> Administrator at RONA.LOC
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Vladimir Frelikh via samba
> > Verzonden: donderdag 10 augustus 2017 14:23
> > Aan: Rowland Penny
> > CC: samba at lists.samba.org
> > Onderwerp: Re: [Samba] cannot join windows 7 samba4-ad-dc
> > fresh install, get NT_STATUS_INTERNAL_ERROR
> >
> > Hi,
> > thanks for your participatioin,
> >
> > here's the output:
> >
> > smbclient -L $(hostname -f) -UAdministrator -d3
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows
> > limit (16384)
> > Processing section "[global]"
> > added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
> > netmask=255.255.255.0
> > Client started (version 4.5.8-Debian).
> > Enter Administrator's password:
> > resolve_hosts: Attempting host lookup for name
sambadc.rona.loc<0x20>
> > Connecting to 192.168.19.2 at port 445
> > Doing spnego session setup (blob length=96)
> > got OID=1.2.840.48018.1.2.2
> > got OID=1.2.840.113554.1.2.2
> > got OID=1.3.6.1.4.1.311.2.2.10
> > got principal=not_defined_in_RFC4178 at please_ignore
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x62898215
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x62088215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x62088215
> > SPNEGO login failed: An internal error occurred.
> > session setup failed: NT_STATUS_INTERNAL_ERROR
> >
> > I could raise the log level if this is not enough
> >
> >
> > --
> > ?? ??????????????????, ????????????????.
> >
> > 2017-08-10 16:26 GMT+07:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Thu, 10 Aug 2017 08:14:33 +0700
> > > Vladimir Frelikh via samba <samba at lists.samba.org>
wrote:
> > >
> > > > > >>
> > > > > >>
<https://mail.google.com/mail/u/0/?ui=2&ik=7f6f030913&view> >
> > >
> >
att&th=15dc2ba7d7a63129&attid=0.1&disp=safe&realattid=f_j63tfts50&zw>
> > > > > >>
> > > > > >>
> > > > > >> --
> > > > > >> Best regards, Vladimir
> > >
> > > There doesn't seem to be anything really wrong with the
> > conf files you
> > > have posted so far, except (and this is just a nitpick) I would
use
> > > 'search' instead of 'domain' in /etc/resolv.conf
> > >
> > > There also doesn't seem to be anything obvious in the log
> > you posted.
> > >
> > > Have you tried asking smbclient to be a bit more verbose ?
> > >
> > > smbclient -L localhost -U% -d3
> > >
> > > Try this and keep raising the last number until something
> > does pop out
> > > (hopefully)
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba
wrote:
> Hi,
> I've changed /etc/resolv.conf, rebooted, here is the output:
It won't be that.  If samba has NT_STATUS_INTERNAL_ERROR inside the
server, no change to the client will help. 

I suggest turning up the debug level until you get more detail. 

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

Hello, sorry for the delay,
kinit goes fine, here is the output of
klist :

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at RONA.LOC

Valid starting       Expires              Service principal
15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/RONA.LOC at RONA.LOC
        renew until 16.08.2017 13:36:03
------
here's the output of
smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :

INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
name sambadc.rona.loc#20 found.
Connecting to 192.168.19.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/sambadc.rona.loc at RONA.LOC
Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC failed:
Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE



--
С уважением, Владимир.

2017-08-11 8:39 GMT+07:00 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> > Hi,
> > I've changed /etc/resolv.conf, rebooted, here is the output:
>
> It won't be that.  If samba has NT_STATUS_INTERNAL_ERROR inside the
> server, no change to the client will help.
>
> I suggest turning up the debug level until you get more detail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>

Ok, a recap here..
 
I've done some extra testing. 
 
The output shown below, matches exact with a member server setup, ill show with
my tests
You wil see "wrong"  command, thats correct i'll explain in the
end.
( smbclient -u is wrong, smbclient -U is correct ) 

My tests. 
... i'll show the parts that are different. ( for these member servers ) 
 
a samba 4.5.8 original debian package
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
Doing spnego session setup (blob length=96)
..... 
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/rtd-mem10.rotterdam.bazuin.nl at ROTTERDAM.BAZUIN.NL
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
 

kdestroy
smbclient -L //$(hostname -f) -d9 -k
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous
failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the
caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
 
 
 
smbclient -L //$(hostname -f) -d9 -uAdministrator
Typing the (correct) pass.   ( but -u is wrong so this reflex to NTDOM\root ) 
 
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
 

( changed -u to -U ) 
smbclient -L //$(hostname -f) -d9 -UAdministrator
(typeing the pass) 
 
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[NTODOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
 
 
 
Now same on a 4.6.7 member the same steps. 
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
 
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/rtd-mem10.internal.domain.tld at REALM
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
 
kdestroy
smbclient -L //$(hostname -f) -d9 -k
 
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/member10.internal.domain.tld at REALM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous
failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the
caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
 
smbclient -L //$(hostname -f) -d9 -uAdministrator 
I now just hit enter, and dont type any password, and above with (wrong -u ) 
 session request ok
Enter BAZRTD\root's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous
failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the
caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
>>>>> .. but  there is more now.. 
 
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
.........................
result ...   ** NOTICE1 
NTLMSSP Sign/Seal - using NTLM1
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
 session setup ok
 tconx ok
and a correct output. 
** NOTICE1
 
 
Now same on a samba 4.6.7 AD DC. ( dont have any 4.5.8 AD DC's so cant test
that atm, this is because i test in a production environment.)
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
 

 session request ok
got OID=1.2.840.48018.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
 

kdestroy 
smbclient -L //$(hostname -f) -d9 -uAdministrator
( again -u is wrong, reflexs to NTDOM\root )
( typing a wrong password ) 
 
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous
failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the
caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
 
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password ) 
 session request ok
Enter NTDOM\Administrator's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
 

again 
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password ) 
 
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:cliconnect] failed with [ Miscellaneous
failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the
caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
 

is it me or, is the error output inconsistant. 
 
I use an incorrect parameter -u. this command should not run at all.  
it should error out with message unknown paramater. 
 
I use no password, then DOM\root changed to guest and it works. 
( see : ** NOTICE1 ) 
 
testparm -vs | grep guest
Load smb config files from /etc/samba/smb.conf
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
 
        usershare allow guests = No
        guest account = nobody
        map to guest = Never
        guest ok = No
        guest only = No

 

For Vladimer, the server shows. 
doing parameter server role = active directory domain controller
 
but the debug output does not show as an AD DC but member server output, at
least looks to me it is.
 
his log shows : 
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/sambadc.rona.loc at
RONA.LOC
 
Until this part, above, that only shows in my tests on the member servers. 
 
This is the remainin part of the error. 
 
Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC failed:
Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE
 

SPN cifs/hostname.internal.domain.tld at REALM does not show up in my AD DC.
not in : 
klist -ke /var/lib/samba/private/secrets.keytab
klist -ke /var/lib/samba/private/dns.keytab
There is no /etc/krb5.keytab on the DC's. 
 
where is SPN cifs defined?  ( host/kernel? ) 
 
On the DC running:  
samba-tool spn list dc1$
does not show SPN/cifs
 
And same on the member. 
 
so it still looks its setup for AD DC, due to the provisioning. 
But somewhere in the backgroup there are member server settings. 
 
I suggest, since both are using new servers, stop samba, cleanup, provision
again.
systemctl stop samba-ad-dc
and to be sure :
systemctl stop samba smbd nmbd winbind
systemctl mask samba smbd nmbd winbind
systemctl disable samba smbd nmbd winbind
 
# Backup and cleanup. 
cd /var/lib/
cp -R samba{,.backup}
rm samba/*.tdb
 
cd /var/lib/samba
cp -R private{,.backup}
rm private/*.tdb
 
cd /var/cache/samba
rm *.dat
rm *.tdb
 
cp -R /etc/samba{,.backup}
rm /etc/samba/smb.conf
 
HERE YOUR PROVISIONING COMMAND. 
 
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
 
REBOOT THE SERVER ! 
and check again. 

 
Above is the only left i can think off
I think, this might be due to 2 possible problems.
 
Problems with the database/old member settings/leftovers or kerberos problems
due to incorrect settings from start.
but i cant detect why i see a member output on the DC ( in his output ), the
setup base was wong, resulting in a strange problem.
 
 
Greetz, 
 
Louis
 

 

Hello,
here is the output of

smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password

from /var/log/samba.log https://pastebin.com/KrMyL8qJ
maybe it seems to be more informative

--
С уважением, Владимир.

2017-08-11 8:39 GMT+07:00 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> > Hi,
> > I've changed /etc/resolv.conf, rebooted, here is the output:
>
> It won't be that.  If samba has NT_STATUS_INTERNAL_ERROR inside the
> server, no change to the client will help.
>
> I suggest turning up the debug level until you get more detail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>