samba - Oct 2017 - NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

yes, this should work fine but this is something in your setup.
can you try this


kinit Administrator
net 
 ads join -k -s fqdn-dc1.dom.tld


if kinit fails, then Rowland wil find your error..  
ive seen this few times.. -S  solves it most of the times.




Greetz,


Louis
(mobile)





Op 16 okt. 2017 om 18:27 heeft Rowland Penny via samba <samba at
lists.samba.org> het volgende geschreven:


On Mon, 16 Oct 2017 17:01:29 +0100
Richard Connon via samba <samba at lists.samba.org> wrote:

To try and narrow down this issue I tried to setup a test environment 
using two fresh install Debian 9.2 VMs, now running samba 4.5.12
since it was updated in Debian.

I provisioned a new domain using `samba-tool domain provision` on the 
first VM, let it generate the smb.conf itself, and configured it
using the BIND9_DLZ DNS backend.

I tried to join the domain using a second Debian 9.2 VM using `net
ads join -UAdministrator` after setting the DNS resolver to be the
test DC and synchronising with NTP on the DC. This failed with the
error:

"Failed to join domain: failed to lookup DC info for domain 
'ADS.TEST.LOCAL' over rpc: An internal error occurred."

Finally, I tried to connect to RPC on the DC using `rpcclient` which 
failed, as before, with NT_STATUS_INTERNAL_ERROR.

Is there some inherent problem with the Debian packages and the RPC 
server component of the DC? Alternatively, is there somewhere else I 
should be looking for the root cause of this?


This isn't a known problem with the debian packages, it should work.

Can you post the provision command you used on the DC.

I know you posted the smb.conf from a DC before, but can you post it
again.

Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

From both the DC and the domain member

The named.conf files from the DC

and finally the smb.conf from the domain member.

Rowland




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hi,

I provided the dump of all the conf files to Rowland by email but in 
case anyone else is curious they are also here:

http://www.irconan.co.uk/dc.tar http://www.irconan.co.uk/member.tar

I tried providing -S to the join command which didn't change the 
behaviour. It doesn't seem to have trouble finding the DC, only when 
connecting to the RPC server.

Cheers,

Richard


On 16/10/2017 18:13, L.P.H. van Belle via samba wrote:
> yes, this should work fine but this is something in your setup.
> can you try this
>
>
> kinit Administrator
> net
>   ads join -k -s fqdn-dc1.dom.tld
>
>
> if kinit fails, then Rowland wil find your error..
> ive seen this few times.. -S  solves it most of the times.
>
>
>
>
> Greetz,
>
>
> Louis
> (mobile)
>
>
>
>
>
> Op 16 okt. 2017 om 18:27 heeft Rowland Penny via samba <samba at
lists.samba.org> het volgende geschreven:
>
>
> On Mon, 16 Oct 2017 17:01:29 +0100
> Richard Connon via samba <samba at lists.samba.org> wrote:
>
> To try and narrow down this issue I tried to setup a test environment
> using two fresh install Debian 9.2 VMs, now running samba 4.5.12
> since it was updated in Debian.
>
> I provisioned a new domain using `samba-tool domain provision` on the
> first VM, let it generate the smb.conf itself, and configured it
> using the BIND9_DLZ DNS backend.
>
> I tried to join the domain using a second Debian 9.2 VM using `net
> ads join -UAdministrator` after setting the DNS resolver to be the
> test DC and synchronising with NTP on the DC. This failed with the
> error:
>
> "Failed to join domain: failed to lookup DC info for domain
> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
>
> Finally, I tried to connect to RPC on the DC using `rpcclient` which
> failed, as before, with NT_STATUS_INTERNAL_ERROR.
>
> Is there some inherent problem with the Debian packages and the RPC
> server component of the DC? Alternatively, is there somewhere else I
> should be looking for the root cause of this?
>
>
> This isn't a known problem with the debian packages, it should work.
>
> Can you post the provision command you used on the DC.
>
> I know you posted the smb.conf from a DC before, but can you post it
> again.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
>  From both the DC and the domain member
>
> The named.conf files from the DC
>
> and finally the smb.conf from the domain member.
>
> Rowland
>
>
>
>

On Mon, 16 Oct 2017 19:06:20 +0100
Richard Connon via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I provided the dump of all the conf files to Rowland by email but in 
> case anyone else is curious they are also here:
> 
> http://www.irconan.co.uk/dc.tar http://www.irconan.co.uk/member.tar
> 
I didn't get it, so I downloaded it ;-)

Is the member server using DHCP ?

Is '10.0.2.15' the ipaddress of the DC ?

You haven't got 'security = ADS' in your smb.conf.

You have 'unix password sync = yes' in smb.conf,
Do you have Unix users that are also in AD ?

And finally the biggy, are you using sssd ?

Rowland