[Samba] cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 15 09:39:37 UTC 2017
Ok, a recap here..
I've done some extra testing.
The output shown below, matches exact with a member server setup, ill show with my tests
You wil see "wrong" command, thats correct i'll explain in the end.
( smbclient -u is wrong, smbclient -U is correct )
My tests.
... i'll show the parts that are different. ( for these member servers )
a samba 4.5.8 original debian package
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
Doing spnego session setup (blob length=96)
.....
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/rtd-mem10.rotterdam.bazuin.nl at ROTTERDAM.BAZUIN.NL
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
kdestroy
smbclient -L //$(hostname -f) -d9 -k
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
smbclient -L //$(hostname -f) -d9 -uAdministrator
Typing the (correct) pass. ( but -u is wrong so this reflex to NTDOM\root )
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
( changed -u to -U )
smbclient -L //$(hostname -f) -d9 -UAdministrator
(typeing the pass)
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[NTODOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
Now same on a 4.6.7 member the same steps.
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/rtd-mem10.internal.domain.tld at REALM
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Domain=[NTDOM] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]
kdestroy
smbclient -L //$(hostname -f) -d9 -k
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/member10.internal.domain.tld at REALM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
smbclient -L //$(hostname -f) -d9 -uAdministrator
I now just hit enter, and dont type any password, and above with (wrong -u )
session request ok
Enter BAZRTD\root's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
>>>>> .. but there is more now..
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got challenge flags:
.........................
result ... ** NOTICE1
NTLMSSP Sign/Seal - using NTLM1
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
session setup ok
tconx ok
and a correct output.
** NOTICE1
Now same on a samba 4.6.7 AD DC. ( dont have any 4.5.8 AD DC's so cant test that atm, this is because i test in a production environment.)
kinit Administrator
klist
smbclient -L //$(hostname -f) -d9 -k
session request ok
got OID=1.2.840.48018.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
kdestroy
smbclient -L //$(hostname -f) -d9 -uAdministrator
( again -u is wrong, reflexs to NTDOM\root )
( typing a wrong password )
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_0] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password )
session request ok
Enter NTDOM\Administrator's password:
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
OS=[Windows 6.1] Server=[Samba 4.6.7-Debian]
again
smbclient -L //$(hostname -f) -d9 -UAdministrator
( typing a correct password )
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:cliconnect] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_DOMAIN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
is it me or, is the error output inconsistant.
I use an incorrect parameter -u. this command should not run at all.
it should error out with message unknown paramater.
I use no password, then DOM\root changed to guest and it works.
( see : ** NOTICE1 )
testparm -vs | grep guest
Load smb config files from /etc/samba/smb.conf
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
usershare allow guests = No
guest account = nobody
map to guest = Never
guest ok = No
guest only = No
For Vladimer, the server shows.
doing parameter server role = active directory domain controller
but the debug output does not show as an AD DC but member server output, at least looks to me it is.
his log shows :
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/sambadc.rona.loc at RONA.LOC
Until this part, above, that only shows in my tests on the member servers.
This is the remainin part of the error.
Kinit for Administrator to access cifs/sambadc.rona.loc at RONA.LOC failed: Preauthentication failed
SPNEGO login failed: Preauthentication failed
session setup failed: NT_STATUS_LOGON_FAILURE
SPN cifs/hostname.internal.domain.tld at REALM does not show up in my AD DC.
not in :
klist -ke /var/lib/samba/private/secrets.keytab
klist -ke /var/lib/samba/private/dns.keytab
There is no /etc/krb5.keytab on the DC's.
where is SPN cifs defined? ( host/kernel? )
On the DC running:
samba-tool spn list dc1$
does not show SPN/cifs
And same on the member.
so it still looks its setup for AD DC, due to the provisioning.
But somewhere in the backgroup there are member server settings.
I suggest, since both are using new servers, stop samba, cleanup, provision again.
systemctl stop samba-ad-dc
and to be sure :
systemctl stop samba smbd nmbd winbind
systemctl mask samba smbd nmbd winbind
systemctl disable samba smbd nmbd winbind
# Backup and cleanup.
cd /var/lib/
cp -R samba{,.backup}
rm samba/*.tdb
cd /var/lib/samba
cp -R private{,.backup}
rm private/*.tdb
cd /var/cache/samba
rm *.dat
rm *.tdb
cp -R /etc/samba{,.backup}
rm /etc/samba/smb.conf
HERE YOUR PROVISIONING COMMAND.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
REBOOT THE SERVER !
and check again.
Above is the only left i can think off
I think, this might be due to 2 possible problems.
Problems with the database/old member settings/leftovers or kerberos problems due to incorrect settings from start.
but i cant detect why i see a member output on the DC ( in his output ), the setup base was wong, resulting in a strange problem.
Greetz,
Louis
More information about the samba
mailing list