[Samba] NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Richard Connon richard at connon.me.uk
Tue Oct 17 12:44:45 UTC 2017

On 17/10/2017 13:18, Richard Connon via samba wrote:
> On 17/10/2017 09:54, Rowland Penny via samba wrote:
>> On Tue, 17 Oct 2017 09:29:00 +0100
>> Richard Connon via samba <samba at lists.samba.org> wrote:
>>> On 16/10/2017 19:30, Rowland Penny wrote:
>>>> Is the member server using DHCP ?
>>> Yes. Both test hosts are using DHCP with static leases for IP
>>> addresses but not for DNS domains or nameservers.
>> I wouldn't do this, I would give the DC a fixed ipaddress.
> In my production environment my DC(s) have fixed IP addresses, the use 
> of DHCP is only in my lab environment. Do you see a problem with doing 
> this as long as the IPs don't change during testing? (they are static 
> leases)
>>>> Is '' the ipaddress of the DC ?
>>> Yes
>>>> You haven't got 'security = ADS' in your smb.conf.
>>> Assuming you mean on the member, good point, but it doesn't change
>>> this behaviour. My understanding was this only affected smbd anyway,
>>> which I'm not running on the member.
>> You need it
> OK. I've set it now and see no change in behaviour.
>>>> You have 'unix password sync = yes' in smb.conf,
>>>> Do you have Unix users that are also in AD ?
>>> No, this is just a default smb.conf from Debian. I assume this
>>> wouldn't actually have any effect on a member server where there is
>>> no local passdb anyway and again, removing it has no effect.
>> It wouldn't help.
> I've removed this now and see no change in behaviour.
>> And finally the biggy, are you using sssd ?
>>> No, these test hosts are very basic Debian installs I've done to
>>> attempt to isolate this problem, although my "production" installs
>>> use SSSD.
>> Then it is never going to work, you have not set up winbind at all.
>> Can I suggest you go and read this:
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> I suggest you follow it and use the 'rid' backend.
> Again, this is a production/lab difference. I didn't set up SSSD in the 
> lab to reduce the complexity. I'm simply trying to get the actual join 
> process working. I will follow through that wiki anyway to check 
> there's nothing I've missed though.
>> Rowland
Further to the above... I ran through the linked wiki. The only 
difference between the described process and my test environment at the 
moment is the smb.conf on the member. I've replaced the member's 
smb.conf with the following:

    security = ads
    workgroup = TEST
    realm = ADS.TEST.LOCAL

    log level = /var/log/samba/log.%m
    log level = 1

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-999999

Unfortunately the behaviour when I attempt the domain join (with and 
without -S) is still the same.
I see the error:

    # net ads join -k -S dc.ads.test.local
    Failed to join domain: failed to lookup DC info for domain 'ADS.TEST.LOCAL' over rpc: An internal error occured.
