[Samba] NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 11 12:16:02 UTC 2017
Can you post the output of
klist -ket /var/lib/samba/private/secrets.keytab
And yes, it's possible that after the copy some rights are wrong.
My output, for the "non" root:root folders.
ls -al /var/lib/samba/ | egrep "dns|winbind|ntp|private|user|sysvol"
drwxr-x--- 2 root ntp 4096 Aug 10 11:46 ntp_signd
drwxr-xr-x 8 root root 4096 Aug 11 14:11 private
drwxrwx---+ 3 root BUILTIN\administrators 4096 Apr 28 2015 sysvol
drwxrwx--T 2 root sambashare 4096 May 6 2016 usershares
-rw------- 1 root root 286720 Aug 11 14:11 winbindd_cache.tdb
drwxr-x--- 2 root winbindd_priv 4096 Aug 10 11:46 winbindd_privileged
And
ls -al /var/lib/samba/private/ | egrep "dns|sam"
drwxrwx--- 3 root bind 4096 Aug 11 13:06 dns
-rw-r----- 1 root bind 877 Apr 28 2015 dns.keytab
-rw------- 1 root root 2195 Apr 28 2015 dns_update_cache
-rw-r--r-- 1 root root 3183 Apr 28 2015 dns_update_list
-rw------- 1 root root 4247552 Jun 1 2015 sam.ldb
drwxr-x--- 2 root bind 4096 Aug 11 13:06 sam.ldb.d
Can you check these?
@Vladimir, you don't have bind installed so your rights may differ a bit.
Greetz,
Louis
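
Added example (not part of Louis's message and not Samba's own tooling): a POSIX shell function that compares a copied /var/lib/samba tree with the modes and owner:group pairs shown in the two listings above. The name audit_perms, the BASELINE line format and the MISSING/MISMATCH output are assumptions made for this example; it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. BASELINE is transcribed from the two
# listings above (one working DC with bind installed); it is a reference
# point, not a specification. sysvol is omitted: its "+" marks ACLs, which
# stat does not report.
BASELINE='private 755 root:root
private/dns 770 root:bind
private/dns.keytab 640 root:bind
private/dns_update_cache 600 root:root
private/dns_update_list 644 root:root
private/sam.ldb 600 root:root
private/sam.ldb.d 750 root:bind
ntp_signd 750 root:ntp
usershares 1770 root:sambashare
winbindd_cache.tdb 600 root:root
winbindd_privileged 750 root:winbindd_priv'

# audit_perms BASE [BASELINE_TEXT]
# Each baseline line is: relative-path octal-mode owner:group.
# Prints one line per deviation and returns 0 only when every entry matches.
# Needs GNU stat (coreutils), as on Debian. The body runs in a subshell so
# its variables do not leak into the caller.
audit_perms() (
    base=$1
    want_list=${2:-$BASELINE}
    bad=0
    while read -r rel want_mode want_og; do
        [ -n "$rel" ] || continue
        if [ ! -e "$base/$rel" ]; then
            echo "MISSING  $rel"
            bad=$((bad + 1))
            continue
        fi
        have=$(stat -c '%a %U:%G' "$base/$rel")
        if [ "$have" != "$want_mode $want_og" ]; then
            echo "MISMATCH $rel: have $have, want $want_mode $want_og"
            bad=$((bad + 1))
        fi
    done <<EOF
$want_list
EOF
    [ "$bad" -eq 0 ]
)

# Audit a real tree only when a path is given, e.g. /var/lib/samba (as root).
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```
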
> -----Original message-----
> From: Ing. Luis Felipe Domínguez Vega
> [mailto:luis.dominguez at mtz.desoft.cu]
> Sent: Friday 11 August 2017 14:02
> To: L.P.H. van Belle; samba
> Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR and cannot
> join windows 7 samba4-ad-dc fresh install, get
> NT_STATUS_INTERNAL_ERROR
>
> This is with -d10. I tested in Windows 10 (joining to domain)
> and got the same error, "Internal error". One thing: I didn't execute
> the domain provision command because I put all the files
> created in the old server into the new server. Does that matter???
>
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows
> limit (16384)
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> Processing section "[global]"
> doing parameter netbios name = DC
> doing parameter realm = MTZ.DESOFT.CU
> doing parameter server services = s3fs, rpc, nbt, wrepl,
> ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> doing parameter workgroup = MTZ doing parameter server role =
> active directory domain controller doing parameter
> idmap_ldb:use rfc2307 = yes doing parameter client ldap sasl
> wrapping = sign doing parameter ldap server require strong
> auth = No doing parameter full_audit:prefix = %u|%I|%S doing
> parameter full_audit:failure = connect doing parameter
> full_audit:success = connect disconnect opendir mkdir rmdir
> closedir open close read pread write pwrite sendfile rename
> unlink chmod fchmod chown fchown chdir ftruncate lock symlink
> readlink link mknod realpath doing parameter
> full_audit:facility = local5 doing parameter
> full_audit:priority = notice doing parameter tls enabled =
> yes doing parameter tls certfile =
> /var/lib/samba/private/tls/dc-cert.pem
> doing parameter tls keyfile =
> /var/lib/samba/private/tls/secure/dc-privkey.pem
> doing parameter tls cafile = /var/lib/samba/private/tls/cacert.pem
> doing parameter tls crlfile =
> /var/lib/samba/private/tls/mtz.desoft.cu.crl
> doing parameter tls dhparams file =
> /var/lib/samba/private/tls/dc-dhparams.pem
> doing parameter ntlm auth = yes
> doing parameter winbind max clients = 10000 doing parameter
> min protocol = SMB2
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface eth1
> ip=fd2d:bba0:d4f9:4fb9:98fe:2ff:fe6b:adcb bcast=
> netmask=ffff:ffff:ffff:ffff::
> added interface eth1 ip=10.11.0.1 bcast=10.11.0.255
> netmask=255.255.255.0 added interface eth0 ip=192.168.0.1
> bcast=192.168.0.255 netmask=255.255.255.0 Netbios name list:-
> my_netbios_names[0]="DC"
> Client started (version 4.5.8-Debian).
> Opening cache file at /var/cache/samba/gencache.tdb Opening
> cache file at /var/run/samba/gencache_notrans.tdb
> Adding cache entry with
> key=[AD_SITENAME/DOMAIN/MTZ.DESOFT.CU] and timeout=[Thu Jan
> 1 00:00:00 1970 UTC] (-1502452663 seconds in the past)
> sitename_fetch: No stored sitename for realm 'MTZ.DESOFT.CU'
> internal_resolve_name: looking up dc.mtz.desoft.cu#20
> (sitename (null)) Adding cache entry with
> key=[NBT/DC.MTZ.DESOFT.CU#20] and timeout=[Thu Jan 1
> 00:00:00 1970 UTC] (-1502452663 seconds in the past) no entry
> for dc.mtz.desoft.cu#20 found.
> resolve_hosts: Attempting host lookup for name dc.mtz.desoft.cu<0x20>
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> namecache_store: storing 1 address for dc.mtz.desoft.cu#20:
> 192.168.0.1 Adding cache entry with
> key=[NBT/DC.MTZ.DESOFT.CU#20] and timeout=[Fri Aug 11
> 12:08:43 2017 UTC] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: 192.168.0.1:0
> Connecting to 192.168.0.1 at port 445 Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 2626560
> SO_RCVBUF = 1061808
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> Doing spnego session setup (blob length=96) got
> OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got
> OID=1.3.6.1.4.1.311.2.2.10 got
> principal=not_defined_in_RFC4178 at please_ignore
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> cli_session_setup_spnego: guessed server
> principal=cifs/dc.mtz.desoft.cu at MTZ.DESOFT.CU
> GENSEC backend 'gssapi_spnego' registered GENSEC backend
> 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl'
> registered GENSEC backend 'spnego' registered GENSEC backend
> 'schannel' registered GENSEC backend 'naclrpc_as_system'
> registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC
> backend 'ntlmssp' registered GENSEC backend
> 'ntlmssp_resume_ccache' registered GENSEC backend
> 'http_basic' registered GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered GENSEC backend
> 'fake_gssapi_krb5' registered Starting GENSEC mechanism
> spnego Starting GENSEC submechanism gse_krb5
> gss_init_sec_context failed with [ The context has expired: Success]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
> NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit
> request: NT_STATUS_INTERNAL_ERROR SPNEGO login failed: An
> internal error occurred.
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
>
> ----- Original message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, 11 August 2017 4:29:32
> Subject: [Samba] NT_STATUS_INTERNAL_ERROR and cannot join
> windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
>
> Hai,
>
> We have 2 persons with exactly the same problem.
> Based on the configs shown by both persons (Vladimir and Ing. Luis),
> I don't see issues which should cause this, so as Andrew
> suggests, keep increasing the debug levels and post these.
> Let's hope we see something here, I'm a bit puzzled about this one.
>
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Thursday 10 August 2017 22:43
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] NT_STATUS_INTERNAL_ERROR
> >
> > On Thu, 10 Aug 2017 15:43:10 -0400 (CDT) Ing. Luis Felipe
> > Domínguez Vega via samba <samba at lists.samba.org> wrote:
> >
> > > Hello, a short history: I am using samba 4 with Debian 9 from the
> > > repository. 2 days ago the server was broken, but I copied all the
> > > /var/lib/samba directory to a safe place, then I installed a new
> > > server with the same Debian and samba from repository, stopped
> > > smbd, nmbd and winbind, unmasked samba-ad-dc and finally copied all
> > > the directory from the old server to the new server and started
> > > samba. All works fine, the bind is integrated with samba_dlz, etc.
> > > But now when I go to join a Windows 7 PC to the domain it shows an
> > > error with "Internal Error". Inside the AD server I put this command
> > >
> >
> > Did you use exactly the same FQDN and ipaddress for the new computer ?
> >
> > >
> > > tls enabled = yes
> > > tls certfile = /var/lib/samba/private/tls/dc-cert.pem
> > > tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
> > > tls cafile = /var/lib/samba/private/tls/cacert.pem
> > > tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
> > > tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
> > >
> >
> > You could try recreating the cert files.
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> Luis Felipe Dominguez Vega
> System Administration in Desoft Matanzas | Mob: [
> tel:+5353694785 | +5353694785 ] | [ http://www.desoft.cu/ |
> www.desoft.cu ]
> [ https://www.facebook.com/lfdominguez0104 | ] [
> https://www.linkedin.com/in/luis-felipe-dom%C3%ADnguez-vega-47
> 725794/ | ] [ https://twitter.com/LuisFelipeDV1 | ]
>
>