[Samba] NT_STATUS_INTERNAL_ERROR from RPC server on samba 4.5.8 AD DC

Richard Connon richard at connon.me.uk
Tue Oct 17 13:08:40 UTC 2017 

On 17/10/2017 13:56, Rowland Penny via samba wrote:

> On Tue, 17 Oct 2017 13:18:46 +0100
> Richard Connon via samba <samba at lists.samba.org> wrote:
>
>>
>> On 17/10/2017 09:54, Rowland Penny via samba wrote:
>>> On Tue, 17 Oct 2017 09:29:00 +0100
>>> Richard Connon via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 16/10/2017 19:30, Rowland Penny wrote:
>>>>> Is the member server using DHCP ?
>>>> Yes. Both test hosts are using DHCP with static leases for IP
>>>> addresses but not for DNS domains or nameservers.
>>> I wouldn't do this, I would give the DC a fixed ipaddress.
>> In my production environment my DC(s) have fixed IP addresses, the
>> use of DHCP is only in my lab environment. Do you see a problem with
>> doing this as long as the IPs don't change during testing? (they are
>> static leases)
>>>>> Is '10.0.2.15' the ipaddress of the DC ?
>>>> Yes
>>>>> You haven't got 'security = ADS' in your smb.conf.
>>>> Assuming you mean on the member, good point, but it doesn't change
>>>> this behaviour. My understanding was this only affected smbd
>>>> anyway, which I'm not running on the member.
>>> You need it
>> OK. I've set it now and see no change in behaviour.
>>>>> You have 'unix password sync = yes' in smb.conf,
>>>>> Do you have Unix users that are also in AD ?
>>>> No, this is just a default smb.conf from debian. I assume this
>>>> wouldn't actually have any affect on a member server where there is
>>>> no local passdb anyway and again, removing it has no affect.
>>> It wouldn't help.
>> I've removed this now and see no change in behaviour.
>>> And finally the biggy, are you using sssd ?
>>>> No, these test hosts are very basic debian installs I've done to
>>>> attempt to isolate this problem, although my "production" installs
>>>> use SSSD.
>>> Then it is never going to work, you have not set up winbind at all.
>>>
>>> Can I suggest you go and read this:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>
>>> I suggest you follow it and use the 'rid' backend.
>> Again, this is a production/lab difference. I didn't setup SSSD in
>> the lab to reduce the complexity. I'm simply trying to get the actual
>> join process working. I will follow through that wiki anyway to check
>> there's nothing I've missed though.
>>> Rowland
>>>
> Try this smb.conf on the domain member:
>
> [global]
>      workgroup = TEST
>      security = ADS
>      realm = ADS.TEST.LOCAL
>
>      winbind use default domain = yes
>      winbind expand groups = 4
>      winbind refresh tickets = Yes
>      winbind offline logon = yes
>
>      idmap config *:backend = tdb
>      idmap config *:range = 2000-9999
>      idmap config TEST : backend = rid
>      idmap config TEST : range = 10000-999999
>      template shell = /bin/bash
>      template homedir = /home/%U
>
>      domain master = no
>      local master = no
>      preferred master = no
>      os level = 20
>      map to guest = bad user
>      host msdfs = no
>
>      vfs objects = acl_xattr
>      map acl inherit = Yes
>      store dos attributes = Yes
>
> If 'net ads join -U Administrator' doesn't work, then you need to look
> elsewhere, is a firewall in the way, is Apparmor running and getting in
> the way
>
> Rowland
>
>
I tried this template and the behaviour still doesn't change. There is 
no firewall between the hosts, they are in the same subnet. Apparmor is 
not running on either host.

Earlier I tried to isolate the problem by just connecting to the RPC 
server using rpcclient. Should this work correctly?

More information about the samba mailing list