Fred F
2018-Feb-02 20:35 UTC
[Samba] Fwd: Samba AD DC not working properly within Docker [NT_STATUS_INTERNAL_ERROR]
Hi,
I am isolating many server services through Docker. I am using the
macvlan driver for this with a dedicated Docker server VLAN. I have
provisioned a new Samba AD domain in a docker container, the required
services are running but SMB clients cannot connect (RPC error).
First of all, these are the Samba versions I have tried:
- Samba 4.5.12 with Debian stable
- Samba 4.7.4 with Debian testing
I have Kerberos working (even from the outside network) and DNS is
working as well. But whenever I try to list the DC's shares with
smbclient I am getting an error. This even applies inside the Docker
container for the AD DC, so the issue is not related to a wrong
networking configuration or port mapping (which does not apply to
macvlan anyway).
This is how this can be reproduced within a docker container:
docker pull jgoerzen/debian-base-security
docker run -d --privileged --name samba-ad-dc-test --hostname
sambatest --network vlan_server jgoerzen/debian-base-security
docker exec -i -t samba-ad-dc-test /bin/bash
// Note: The issue is not related to "macvlan". It also happens with
Docker's default "bridge" network
# apt-get update && apt-get install -y samba smbclient
# samba-tool domain provision --use-rfc2307 --domain=TEST --realm=test.lan
# service samba start
-> Now the Samba DC is actually up and running. When using 127.0.0.1
as a name server within the container even all SRV records are in
place and Kerberos is working (even from outside). Now the issue is
that smbclient is not working, not even within the container. I cannot
get any debug output from running "samba" in interactive mode, but
this is what smbclient gives me:
root at sambatest:~# smbclient -L localhost -U% -d5
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
Processing section "[global]"
doing parameter netbios name = SAMBATEST
doing parameter realm = TEST.LAN
doing parameter workgroup = TEST
doing parameter dns forwarder = 127.0.0.11
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
pm_process() returned Yes
added interface eth0 ip=192.168.200.33 bcast=192.168.200.255
netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SAMBATEST"
Client started (version 4.5.12-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'TEST.LAN'
name localhost#20 found.
Connecting to 127.0.0.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061808
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62008a15
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_ANONYMOUS
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - using NTLM1
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
Any ideas?
Thanks,
Fred
Seemingly Similar Threads
- Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
- Errors "Domain password server not available" and "SPNEGO login failed: The request is not supported"
- slow smbclient samba 4.7.x
- Problem with SPNEGO on full trust 2016 DC <> Samba 4.10.7 AD
- Samba v3 works with LDAP, but not Samba v4
Wisdom of the Ancients
