Fred F
2018-Feb-02 20:35 UTC
[Samba] Fwd: Samba AD DC not working properly within Docker [NT_STATUS_INTERNAL_ERROR]
Hi,

I am isolating many server services through Docker. I am using the macvlan driver for this with a dedicated Docker server VLAN. I have provisioned a new Samba AD domain in a docker container, the required services are running but SMB clients cannot connect (RPC error).

First of all, these are the Samba versions I have tried:

- Samba 4.5.12 with Debian stable
- Samba 4.7.4 with Debian testing

I have Kerberos working (even from the outside network) and DNS is working as well. But whenever I try to list the DC's shares with smbclient I am getting an error. This even applies inside the Docker container for the AD DC, so the issue is not related to a wrong networking configuration or port mapping (which does not apply to macvlan anyway).

This is how this can be reproduced within a docker container:

  docker pull jgoerzen/debian-base-security
  docker run -d --privileged --name samba-ad-dc-test --hostname sambatest --network vlan_server jgoerzen/debian-base-security
  docker exec -i -t samba-ad-dc-test /bin/bash
  // Note: The issue is not related to "macvlan". It also happens with Docker's default "bridge" network
  # apt-get update && apt-get install -y samba smbclient
  # samba-tool domain provision --use-rfc2307 --domain=TEST --realm=test.lan
  # service samba start

-> Now the Samba DC is actually up and running. When using 127.0.0.1 as a name server within the container even all SRV records are in place and Kerberos is working (even from outside).

Now the issue is that smbclient is not working, not even within the container.

I cannot get any debug output from running "samba" in interactive mode, but this is what smbclient gives me:

  root@sambatest:~# smbclient -L localhost -U% -d5
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
    scavenger: 5
    dns: 5
    ldb: 5
    tevent: 5
  lp_load_ex: refreshing parameters
  Initialising global parameters
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
    scavenger: 5
    dns: 5
    ldb: 5
    tevent: 5
  Processing section "[global]"
  doing parameter netbios name = SAMBATEST
  doing parameter realm = TEST.LAN
  doing parameter workgroup = TEST
  doing parameter dns forwarder = 127.0.0.11
  doing parameter server role = active directory domain controller
  doing parameter idmap_ldb:use rfc2307 = yes
  pm_process() returned Yes
  added interface eth0 ip=192.168.200.33 bcast=192.168.200.255 netmask=255.255.255.0
  Netbios name list:-
  my_netbios_names[0]="SAMBATEST"
  Client started (version 4.5.12-Debian).
  Opening cache file at /var/cache/samba/gencache.tdb
  Opening cache file at /var/run/samba/gencache_notrans.tdb
  sitename_fetch: No stored sitename for realm 'TEST.LAN'
  name localhost#20 found.
  Connecting to 127.0.0.1 at port 445
  Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 1
    TCP_KEEPCNT = 9
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 2626560
    SO_RCVBUF = 1061808
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    TCP_QUICKACK = 1
    TCP_DEFER_ACCEPT = 0
  session request ok
  Doing spnego session setup (blob length=96)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
  got principal=not_defined_in_RFC4178@please_ignore
  GENSEC backend 'gssapi_spnego' registered
  GENSEC backend 'gssapi_krb5' registered
  GENSEC backend 'gssapi_krb5_sasl' registered
  GENSEC backend 'spnego' registered
  GENSEC backend 'schannel' registered
  GENSEC backend 'naclrpc_as_system' registered
  GENSEC backend 'sasl-EXTERNAL' registered
  GENSEC backend 'ntlmssp' registered
  GENSEC backend 'ntlmssp_resume_ccache' registered
  GENSEC backend 'http_basic' registered
  GENSEC backend 'http_ntlm' registered
  GENSEC backend 'krb5' registered
  GENSEC backend 'fake_gssapi_krb5' registered
  Starting GENSEC mechanism spnego
  Starting GENSEC submechanism ntlmssp
  Got challenge flags:
  Got NTLMSSP neg_flags=0x62898215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_TARGET_TYPE_DOMAIN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_TARGET_INFO
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP: Set final flags:
  Got NTLMSSP neg_flags=0x62008a15
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_ANONYMOUS
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP Sign/Seal - Initialising with flags:
  Got NTLMSSP neg_flags=0x62008a15
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_ANONYMOUS
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
  NTLMSSP Sign/Seal - using NTLM1
  SPNEGO login failed: An internal error occurred.
  session setup failed: NT_STATUS_INTERNAL_ERROR

Any ideas?

Thanks,
Fred