[Samba] SPNEGO login failed: An internal error occurred

Gregor Burck gregor at aeppelbroe.de
Mon Sep 4 12:34:41 UTC 2017


Hi,

I set up a test environment on a dedicated server.

OS: debian stretch
samba: 4.5.8
smbclient: 4.5.8

I set it up as a DC; the provision worked well, and yes, I deleted the
smb.conf in advance.
When I test kinit I get a Kerberos ticket, but I have problems with
smbclient whether I use Kerberos or password auth.

Maybe someone could help me?

my smb.conf:

# Global parameters
[global]
  netbios name = MX01
  realm = RABADANTEN.DE
  workgroup = RABADANTEN
  dns forwarder = 8.8.8.8
  server role = active directory domain controller

[netlogon]
  path = /var/lib/samba/sysvol/rabadanten.de/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

my krb5.conf:

[libdefaults]
  default_realm = RABADANTEN.DE
  dns_lookup_realm = false
  dns_lookup_kdc = true

when I try with 'smbclient -L localhost -UAdministrator -d3' :
<start>
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=2a02:248:2:32b3:5054:ff:fe80:7b7 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=195.62.123.31 bcast=195.62.123.31 netmask=255.255.255.255
Client started (version 4.5.8-Debian).
Enter Administrator's password:
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
Connecting to ::1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
</stop>

with 'smbclient -L //mx01 -k -d6':

<start>
INFO: Current debug levels:
  all: 6
  tdb: 6
  printdrivers: 6
  lanman: 6
  smb: 6
  rpc_parse: 6
  rpc_srv: 6
  rpc_cli: 6
  passdb: 6
  sam: 6
  auth: 6
  winbind: 6
  vfs: 6
  idmap: 6
  quota: 6
  acls: 6
  locking: 6
  msdfs: 6
  dmapi: 6
  registry: 6
  scavenger: 6
  dns: 6
  ldb: 6
  tevent: 6
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 6
  tdb: 6
  printdrivers: 6
  lanman: 6
  smb: 6
  rpc_parse: 6
  rpc_srv: 6
  rpc_cli: 6
  passdb: 6
  sam: 6
  auth: 6
  winbind: 6
  vfs: 6
  idmap: 6
  quota: 6
  acls: 6
  locking: 6
  msdfs: 6
  dmapi: 6
  registry: 6
  scavenger: 6
  dns: 6
  ldb: 6
  tevent: 6
Processing section "[global]"
doing parameter netbios name = MX01
doing parameter realm = RABADANTEN.DE
doing parameter workgroup = RABADANTEN
doing parameter dns forwarder = 8.8.8.8
doing parameter server role = active directory domain controller
pm_process() returned Yes
added interface eth0 ip=2a02:248:2:32b3:5054:ff:fe80:7b7 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=195.62.123.31 bcast=195.62.123.31 netmask=255.255.255.255
Netbios name list:-
my_netbios_names[0]="MX01"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'RABADANTEN.DE'
name mx01#20 found.
Connecting to 127.0.1.1 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061808
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
  session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
kerberos_get_default_realm_from_ccache: Trying to read krb5 cache: FILE:/tmp/krb5cc_0
cli_session_setup_spnego: guessed server principal=cifs/mx01@RABADANTEN.DE
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
kerberos_get_default_realm_from_ccache: Trying to read krb5 cache: FILE:/tmp/krb5cc_0
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
</stop>



