samba - Oct 2017 - NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

On Mon, 16 Oct 2017 17:01:29 +0100
Richard Connon via samba <samba at lists.samba.org> wrote:
> To try and narrow down this issue I tried to setup a test environment 
> using two fresh install Debian 9.2 VMs, now running samba 4.5.12
> since it was updated in Debian.
> 
> I provisioned a new domain using `samba-tool domain provision` on the 
> first VM, let it generate the smb.conf itself, and configured it
> using the BIND9_DLZ DNS backend.
> 
> I tried to join the domain using a second Debian 9.2 VM using `net
> ads join -UAdministrator` after setting the DNS resolver to be the
> test DC and synchronising with NTP on the DC. This failed with the
> error:
> 
> "Failed to join domain: failed to lookup DC info for domain 
> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
> 
> Finally, I tried to connect to RPC on the DC using `rpcclient` which 
> failed, as before, with NT_STATUS_INTERNAL_ERROR.
> 
> Is there some inherent problem with the Debian packages and the RPC 
> server component of the DC? Alternatively, is there somewhere else I 
> should be looking for the root cause of this?
> 
This isn't a known problem with the debian packages, it should work.

Can you post the provision command you used on the DC.

I know you posted the smb.conf from a DC before, but can you post it
again.

Can you post the following files:
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

From both the DC and the domain member

The named.conf files from the DC

and finally the smb.conf from the domain member.

Rowland

Hi,

I've attached tarballs with the requested files for each of my test DC 
and member.

The domain was provisioned with the exact command: `samba-tool domain 
provision` selecting BIND9_DLZ and specifying the realm and workgroup as 
seen in the smb.conf files.

Regards,

Richard


On 16/10/2017 17:26, Rowland Penny via samba wrote:
> On Mon, 16 Oct 2017 17:01:29 +0100
> Richard Connon via samba <samba at lists.samba.org> wrote:
>
>> To try and narrow down this issue I tried to setup a test environment
>> using two fresh install Debian 9.2 VMs, now running samba 4.5.12
>> since it was updated in Debian.
>>
>> I provisioned a new domain using `samba-tool domain provision` on the
>> first VM, let it generate the smb.conf itself, and configured it
>> using the BIND9_DLZ DNS backend.
>>
>> I tried to join the domain using a second Debian 9.2 VM using `net
>> ads join -UAdministrator` after setting the DNS resolver to be the
>> test DC and synchronising with NTP on the DC. This failed with the
>> error:
>>
>> "Failed to join domain: failed to lookup DC info for domain
>> 'ADS.TEST.LOCAL' over rpc: An internal error occurred."
>>
>> Finally, I tried to connect to RPC on the DC using `rpcclient` which
>> failed, as before, with NT_STATUS_INTERNAL_ERROR.
>>
>> Is there some inherent problem with the Debian packages and the RPC
>> server component of the DC? Alternatively, is there somewhere else I
>> should be looking for the root cause of this?
>>
> This isn't a known problem with the debian packages, it should work.
>
> Can you post the provision command you used on the DC.
>
> I know you posted the smb.conf from a DC before, but can you post it
> again.
>
> Can you post the following files:
> /etc/resolv.conf
> /etc/hostname
> /etc/hosts
> /etc/krb5.conf
>
>  From both the DC and the domain member
>
> The named.conf files from the DC
>
> and finally the smb.conf from the domain member.
>
> Rowland
>
>
>
>

On Mon, 16 Oct 2017 17:58:04 +0100
Richard Connon via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I've attached tarballs with the requested files for each of my test
> DC and member.
> 
> The domain was provisioned with the exact command: `samba-tool domain 
> provision` selecting BIND9_DLZ and specifying the realm and workgroup
> as seen in the smb.conf files.
> 
> Regards,
> 
> Richard
> 
> 
> On 16/10/2017 17:26, Rowland Penny via samba wrote:
> > On Mon, 16 Oct 2017 17:01:29 +0100
> > Richard Connon via samba <samba at lists.samba.org> wrote:
> >
> >> To try and narrow down this issue I tried to setup a test
> >> environment using two fresh install Debian 9.2 VMs, now running
> >> samba 4.5.12 since it was updated in Debian.
> >>
> >> I provisioned a new domain using `samba-tool domain provision` on
> >> the first VM, let it generate the smb.conf itself, and configured
> >> it using the BIND9_DLZ DNS backend.
> >>
> >> I tried to join the domain using a second Debian 9.2 VM using `net
> >> ads join -UAdministrator` after setting the DNS resolver to be the
> >> test DC and synchronising with NTP on the DC. This failed with the
> >> error:
> >>
> >> "Failed to join domain: failed to lookup DC info for domain
> >> 'ADS.TEST.LOCAL' over rpc: An internal error
occurred."
> >>
> >> Finally, I tried to connect to RPC on the DC using `rpcclient`
> >> which failed, as before, with NT_STATUS_INTERNAL_ERROR.
> >>
> >> Is there some inherent problem with the Debian packages and the
RPC
> >> server component of the DC? Alternatively, is there somewhere else
> >> I should be looking for the root cause of this?
> >>
> > This isn't a known problem with the debian packages, it should
work.
> >
> > Can you post the provision command you used on the DC.
> >
> > I know you posted the smb.conf from a DC before, but can you post it
> > again.
> >
> > Can you post the following files:
> > /etc/resolv.conf
> > /etc/hostname
> > /etc/hosts
> > /etc/krb5.conf
> >
> >  From both the DC and the domain member
> >
> > The named.conf files from the DC
> >
> > and finally the smb.conf from the domain member.
> >
> > Rowland
> >
> >
> >
> >
> 
The mailing list has stripped of the attachments, do you want to send
them directly to me ?

Rowland

On Mon, 16 Oct 2017 18:56:18 +0100
Richard Connon <richard at connon.me.uk> wrote:
> Re-attached.
You are missing:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

From /etc/bind/named.conf.options

Rowland