[Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR

L.P.H. van Belle belle at bazuin.nl
Fri Aug 11 12:16:02 UTC 2017


Can you post the output of

klist -ket /var/lib/samba/private/secrets.keytab

And yes, it's possible that after the copy some rights are wrong.

My output, for the "non" root:root folders.

ls -al /var/lib/samba/ | egrep "dns|winbind|ntp|private|user|sysvol"
drwxr-x---   2 root ntp                       4096 Aug 10 11:46 ntp_signd
drwxr-xr-x   8 root root                      4096 Aug 11 14:11 private
drwxrwx---+  3 root BUILTIN\administrators    4096 Apr 28  2015 sysvol
drwxrwx--T   2 root sambashare                4096 May  6  2016 usershares
-rw-------   1 root root                    286720 Aug 11 14:11 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv             4096 Aug 10 11:46 winbindd_privileged

And 
ls -al /var/lib/samba/private/ | egrep "dns|sam"
drwxrwx--- 3 root bind    4096 Aug 11 13:06 dns
-rw-r----- 1 root bind     877 Apr 28  2015 dns.keytab
-rw------- 1 root root    2195 Apr 28  2015 dns_update_cache
-rw-r--r-- 1 root root    3183 Apr 28  2015 dns_update_list
-rw------- 1 root root 4247552 Jun  1  2015 sam.ldb
drwxr-x--- 2 root bind    4096 Aug 11 13:06 sam.ldb.d

Can you check these? 


@Vladimir, you don't have bind installed so your rights may differ a bit.

Greetz, 

Louis
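
The permission check requested above, as an added example that is not part of Louis's message or of Samba's own tooling: it compares `/var/lib/samba/private` against the reference listing he posted (a DC with BIND installed), which matters after copying the directory between servers because `sam.ldb` and the keytabs hold domain secrets. The function name `audit_private` and its optional second argument are assumptions made for this example, and it relies on GNU `stat`.

```shell
#!/bin/bash
# Reference rows copied from the listing in this message: name, octal mode, owner:group.
# On a DC without BIND the "bind" group entries will differ.
REFERENCE='dns 770 root:bind
dns.keytab 640 root:bind
dns_update_cache 600 root:root
dns_update_list 644 root:root
sam.ldb 600 root:root
sam.ldb.d 750 root:bind'

# audit_private DIR [yes|no]
# Prints one line per deviation from the reference and returns the number of
# deviations. Pass "no" as second argument to skip the owner:group comparison.
audit_private() {
    dir=$1
    check_owner=${2:-yes}
    bad=0
    while read -r name mode owner; do
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        fi
        have_mode=$(stat -c '%a' "$path")
        have_owner=$(stat -c '%U:%G' "$path")
        if [ "$have_mode" != "$mode" ]; then
            echo "MODE    $path is $have_mode, reference $mode"
            bad=$((bad + 1))
        fi
        if [ "$check_owner" = yes ] && [ "$have_owner" != "$owner" ]; then
            echo "OWNER   $path is $have_owner, reference $owner"
            bad=$((bad + 1))
        fi
    done <<EOF
$REFERENCE
EOF
    return "$bad"
}
```

Run as root on the DC with `audit_private /var/lib/samba/private`; an exit status of 0 means every listed entry matches the reference.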


> -----Original message-----
> From: Ing. Luis Felipe Domínguez Vega [mailto:luis.dominguez at mtz.desoft.cu]
> Sent: Friday 11 August 2017 14:02
> To: L.P.H. van Belle; samba
> Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
> 
> This is with -d10, I test in Windows 10 (joining to domain)
> and same error, "Internal error". One thing, I don't execute
> the domain provision command because I put all the files
> created in the old server into the new server, does that matter???
> 
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
> Processing section "[global]"
> doing parameter netbios name = DC
> doing parameter realm = MTZ.DESOFT.CU
> doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> doing parameter workgroup = MTZ
> doing parameter server role = active directory domain controller
> doing parameter idmap_ldb:use rfc2307 = yes
> doing parameter client ldap sasl wrapping = sign
> doing parameter ldap server require strong auth = No
> doing parameter full_audit:prefix = %u|%I|%S
> doing parameter full_audit:failure = connect
> doing parameter full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
> doing parameter full_audit:facility = local5
> doing parameter full_audit:priority = notice
> doing parameter tls enabled = yes
> doing parameter tls certfile = /var/lib/samba/private/tls/dc-cert.pem
> doing parameter tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
> doing parameter tls cafile = /var/lib/samba/private/tls/cacert.pem
> doing parameter tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
> doing parameter tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
> doing parameter ntlm auth = yes
> doing parameter winbind max clients = 10000
> doing parameter min protocol = SMB2
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface eth1 ip=fd2d:bba0:d4f9:4fb9:98fe:2ff:fe6b:adcb bcast= netmask=ffff:ffff:ffff:ffff::
> added interface eth1 ip=10.11.0.1 bcast=10.11.0.255 netmask=255.255.255.0
> added interface eth0 ip=192.168.0.1 bcast=192.168.0.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="DC"
> Client started (version 4.5.8-Debian).
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> Adding cache entry with key=[AD_SITENAME/DOMAIN/MTZ.DESOFT.CU] and timeout=[Thu Jan  1 00:00:00 1970 UTC] (-1502452663 seconds in the past)
> sitename_fetch: No stored sitename for realm 'MTZ.DESOFT.CU'
> internal_resolve_name: looking up dc.mtz.desoft.cu#20 (sitename (null))
> Adding cache entry with key=[NBT/DC.MTZ.DESOFT.CU#20] and timeout=[Thu Jan  1 00:00:00 1970 UTC] (-1502452663 seconds in the past)
> no entry for dc.mtz.desoft.cu#20 found.
> resolve_hosts: Attempting host lookup for name dc.mtz.desoft.cu<0x20>
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> namecache_store: storing 1 address for dc.mtz.desoft.cu#20: 192.168.0.1
> Adding cache entry with key=[NBT/DC.MTZ.DESOFT.CU#20] and timeout=[Fri Aug 11 12:08:43 2017 UTC] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: 192.168.0.1:0
> Connecting to 192.168.0.1 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 2626560
>         SO_RCVBUF = 1061808
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
>  session request ok
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178 at please_ignore
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> cli_session_setup_spnego: guessed server principal=cifs/dc.mtz.desoft.cu at MTZ.DESOFT.CU
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> gss_init_sec_context failed with [ The context has expired: Success]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> SPNEGO login failed: An internal error occurred.
> session setup failed: NT_STATUS_INTERNAL_ERROR
> 
> 
> ----- Original message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, 11 August 2017 4:29:32
> Subject: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
> 
> Hai, 
> 
> We have 2 persons with exactly the same problem.
> Based on the configs shown by both persons (Vladimir and Ing. Luis),
> I don't see issues which should cause this, so as Andrew
> suggests, keep increasing the debug levels and post these.
> Let's hope we see something here, I'm a bit puzzled about this one.
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> > Sent: Thursday 10 August 2017 22:43
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR
> > 
> > On Thu, 10 Aug 2017 15:43:10 -0400 (CDT) Ing. Luis Felipe 
> > Domínguez Vega via samba <samba at lists.samba.org> wrote:
> > 
> > > Hello, a short history, I am using samba 4 with Debian 9 from the
> > > repository, 2 days ago the server was broken, but I was copy all the
> > > /var/lib/samba directory to a safe place, then I was installed a new
> > > server with the same Debian and samba from repository, and stopped
> > > smbd, nmbd and winbind, unmask samba-ad-dc and finally copied all the
> > > directory from the old server to the new server and started the samba,
> > > all works fine, the bind is integrated with samba_dlz, etc. But now
> > > when I go to join a Windows 7 PC to the domain show an error with
> > > "Internal Error". Inside the AD server I put this command
> > > 
> > 
> > Did you use exactly the same FQDN and ipaddress for the new computer ?
> > 
> > > 
> > >  tls enabled       = yes
> > >  tls certfile      = /var/lib/samba/private/tls/dc-cert.pem
> > >  tls keyfile       = /var/lib/samba/private/tls/secure/dc-privkey.pem
> > >  tls cafile        = /var/lib/samba/private/tls/cacert.pem
> > >  tls crlfile       = /var/lib/samba/private/tls/mtz.desoft.cu.crl
> > >  tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
> > > 
> > 
> > You could try recreating the cert files.
> > 
> > Rowland
> > 
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> 
> 
> -- 
> Luis Felipe Dominguez Vega
> System Administration in Desoft Matanzas | Mob: +5353694785 | www.desoft.cu
> https://www.facebook.com/lfdominguez0104 | https://www.linkedin.com/in/luis-felipe-dom%C3%ADnguez-vega-47725794/ | https://twitter.com/LuisFelipeDV1
> 
> 



