samba - Aug 2017 - cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

Hello, sorry for the delay,
kinit goes fine, here is the output of
klist :

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at RONA.LOC

Valid starting       Expires              Service principal
15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/RONA.LOC at RONA.LOC
        renew until 16.08.2017 13:36:03
------
here's the output of
smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :

INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
  tevent: 9
Processing section "[global]"
doing parameter netbios name = SAMBADC
doing parameter realm = RONA.LOC
doing parameter workgroup = RONA
doing parameter dns forwarder = 192.168.19.1
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter log level = 5
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBADC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RONA.LOC'
name sambadc.rona.loc#20 found.
Connecting to 192.168.19.2 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        Could not test socket option SO_SNDTIMEO.
        Could not test socket option SO_RCVTIMEO.
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/sambadc.rona.loc at RONA.LOC
Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC failed:
Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE



--
С уважением, Владимир.

2017-08-11 8:39 GMT+07:00 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-08-11 at 08:13 +0700, Vladimir Frelikh via samba wrote:
> > Hi,
> > I've changed /etc/resolv.conf, rebooted, here is the output:
>
> It won't be that.  If samba has NT_STATUS_INTERNAL_ERROR inside the
> server, no change to the client will help.
>
> I suggest turning up the debug level until you get more detail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>

On Tue, 15 Aug 2017 13:40:15 +0700
Vladimir Frelikh via samba <samba at lists.samba.org> wrote:
> Hello, sorry for the delay,
> kinit goes fine, here is the output of
> klist :
> 
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at RONA.LOC
> 
> Valid starting       Expires              Service principal
> 15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/RONA.LOC at RONA.LOC
>         renew until 16.08.2017 13:36:03
> ------
> here's the output of
> smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :
> 
> INFO: Current debug levels:
>   all: 9
>   tdb: 9
>   printdrivers: 9
>   lanman: 9
>   smb: 9
>   rpc_parse: 9
>   rpc_srv: 9
>   rpc_cli: 9
>   passdb: 9
>   sam: 9
>   auth: 9
>   winbind: 9
>   vfs: 9
>   idmap: 9
>   quota: 9
>   acls: 9
>   locking: 9
>   msdfs: 9
>   dmapi: 9
>   registry: 9
>   scavenger: 9
>   dns: 9
>   ldb: 9
>   tevent: 9
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384) INFO: Current debug levels:
>   all: 9
>   tdb: 9
>   printdrivers: 9
>   lanman: 9
>   smb: 9
>   rpc_parse: 9
>   rpc_srv: 9
>   rpc_cli: 9
>   passdb: 9
>   sam: 9
>   auth: 9
>   winbind: 9
>   vfs: 9
>   idmap: 9
>   quota: 9
>   acls: 9
>   locking: 9
>   msdfs: 9
>   dmapi: 9
>   registry: 9
>   scavenger: 9
>   dns: 9
>   ldb: 9
>   tevent: 9
> Processing section "[global]"
> doing parameter netbios name = SAMBADC
> doing parameter realm = RONA.LOC
> doing parameter workgroup = RONA
> doing parameter dns forwarder = 192.168.19.1
> doing parameter server role = active directory domain controller
> doing parameter idmap_ldb:use rfc2307 = yes
> doing parameter log level = 5
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
> netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="SAMBADC"
> Client started (version 4.5.8-Debian).
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: No stored sitename for realm 'RONA.LOC'
> name sambadc.rona.loc#20 found.
> Connecting to 192.168.19.2 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 2626560
>         SO_RCVBUF = 1061808
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         Could not test socket option SO_SNDTIMEO.
>         Could not test socket option SO_RCVTIMEO.
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
>  session request ok
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> cli_session_setup_spnego: guessed server
> principal=cifs/sambadc.rona.loc at RONA.LOC
> Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC
> failed: Preauthentication failed
> SPNEGO login failed: Preauthentication failed
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> 
> 
can you run 'pam-auth-update' in a terminal and then post what PAM
profiles are enabled ?

Rowland

Hello, here's the output of
pam-auth-update :

Unix authentication
Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management

--
С уважением, Владимир.

2017-08-15 15:16 GMT+07:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Tue, 15 Aug 2017 13:40:15 +0700
> Vladimir Frelikh via samba <samba at lists.samba.org> wrote:
>
> > Hello, sorry for the delay,
> > kinit goes fine, here is the output of
> > klist :
> >
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at RONA.LOC
> >
> > Valid starting       Expires              Service principal
> > 15.08.2017 13:36:07  15.08.2017 23:36:07  krbtgt/RONA.LOC at RONA.LOC
> >         renew until 16.08.2017 13:36:03
> > ------
> > here's the output of
> > smbclient -k -L //sambadc.rona.loc -d9 -UAdministrator%password :
> >
> > INFO: Current debug levels:
> >   all: 9
> >   tdb: 9
> >   printdrivers: 9
> >   lanman: 9
> >   smb: 9
> >   rpc_parse: 9
> >   rpc_srv: 9
> >   rpc_cli: 9
> >   passdb: 9
> >   sam: 9
> >   auth: 9
> >   winbind: 9
> >   vfs: 9
> >   idmap: 9
> >   quota: 9
> >   acls: 9
> >   locking: 9
> >   msdfs: 9
> >   dmapi: 9
> >   registry: 9
> >   scavenger: 9
> >   dns: 9
> >   ldb: 9
> >   tevent: 9
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384) INFO: Current debug levels:
> >   all: 9
> >   tdb: 9
> >   printdrivers: 9
> >   lanman: 9
> >   smb: 9
> >   rpc_parse: 9
> >   rpc_srv: 9
> >   rpc_cli: 9
> >   passdb: 9
> >   sam: 9
> >   auth: 9
> >   winbind: 9
> >   vfs: 9
> >   idmap: 9
> >   quota: 9
> >   acls: 9
> >   locking: 9
> >   msdfs: 9
> >   dmapi: 9
> >   registry: 9
> >   scavenger: 9
> >   dns: 9
> >   ldb: 9
> >   tevent: 9
> > Processing section "[global]"
> > doing parameter netbios name = SAMBADC
> > doing parameter realm = RONA.LOC
> > doing parameter workgroup = RONA
> > doing parameter dns forwarder = 192.168.19.1
> > doing parameter server role = active directory domain controller
> > doing parameter idmap_ldb:use rfc2307 = yes
> > doing parameter log level = 5
> > pm_process() returned Yes
> > lp_servicenumber: couldn't find homes
> > added interface eth0 ip=192.168.19.2 bcast=192.168.19.255
> > netmask=255.255.255.0
> > Netbios name list:-
> > my_netbios_names[0]="SAMBADC"
> > Client started (version 4.5.8-Debian).
> > Opening cache file at /var/cache/samba/gencache.tdb
> > Opening cache file at /var/run/samba/gencache_notrans.tdb
> > sitename_fetch: No stored sitename for realm 'RONA.LOC'
> > name sambadc.rona.loc#20 found.
> > Connecting to 192.168.19.2 at port 445
> > Socket options:
> >         SO_KEEPALIVE = 0
> >         SO_REUSEADDR = 0
> >         SO_BROADCAST = 0
> >         TCP_NODELAY = 1
> >         TCP_KEEPCNT = 9
> >         TCP_KEEPIDLE = 7200
> >         TCP_KEEPINTVL = 75
> >         IPTOS_LOWDELAY = 0
> >         IPTOS_THROUGHPUT = 0
> >         SO_REUSEPORT = 0
> >         SO_SNDBUF = 2626560
> >         SO_RCVBUF = 1061808
> >         SO_SNDLOWAT = 1
> >         SO_RCVLOWAT = 1
> >         Could not test socket option SO_SNDTIMEO.
> >         Could not test socket option SO_RCVTIMEO.
> >         TCP_QUICKACK = 1
> >         TCP_DEFER_ACCEPT = 0
> >  session request ok
> > Doing spnego session setup (blob length=96)
> > got OID=1.2.840.48018.1.2.2
> > got OID=1.2.840.113554.1.2.2
> > got OID=1.3.6.1.4.1.311.2.2.10
> > got principal=not_defined_in_RFC4178 at please_ignore
> > cli_session_setup_spnego: using target hostname not SPNEGO principal
> > cli_session_setup_spnego: guessed server
> > principal=cifs/sambadc.rona.loc at RONA.LOC
> > Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC
> > failed: Preauthentication failed
> > SPNEGO login failed: Preauthentication failed
> > session setup failed: NT_STATUS_LOGON_FAILURE
> >
> >
> >
>
> can you run 'pam-auth-update' in a terminal and then post what PAM
> profiles are enabled ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>