Ubuntu – Why does Samba4 fail with NT_STATUS_INTERNAL_ERROR on Ubuntu 18.04

Tags: domain-controller, samba, samba4, Ubuntu, ubuntu-18.04

I am having trouble setting up Samba as an AD DC. At present I have 1 Ubuntu box which I’d like to use to share files with other computers in my home network. At present the same machine which serves as the DC would also serve the files.

This is a home setup, meaning that I am using a consumer-grade router.

  • OS: Ubuntu 18.04
  • Samba: Version 4.7.6-Ubuntu

To begin each iteration of my attempts to get it working, I perform the recommended steps to kill any samba processes etc. and remove the files discussed in Preparing the Installation from the setup guide: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

$ ps ax | egrep "samba|smbd|nmbd|winbindd"

I then kill all processes as described.

I verify that samba is installed

$ which samba
/usr/sbin/samba
$ samba --version
Version 4.7.6-Ubuntu

The instructions also read

Verify that the /etc/hosts file on the DC correctly resolves the fully-qualified domain name (FQDN) and short host name to the LAN IP address of the DC. For example:

The exact contents are

127.0.0.1       localhost localhost.localdomain
192.168.1.1     DC1.samdom.example.com DC1


# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Note that the Ubuntu box’s IP on the local network is 192.168.1.20. 192.168.1.1 is the LAN IP found on my router under the LAN tab and IP Address field. Note I do not have DDNS turned on for my router.

$ sudo samba-tool domain provision --use-rfc2307 --interactive
Realm: SAMDOM.EXAMPLE.COM
 Domain [SAMDOM]: SAMDOM
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: 8.8.8.8
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samdom,DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role:           active directory domain controller
Hostname:              zoo-vault
NetBIOS Domain:        SAMDOM
DNS Domain:            samdom.example.com
DOMAIN SID:            …

Great, so far so good. I copy the krb5.conf file as suggested to /etc/krb5.conf.

I skip the Setting up the AD DNS back end as I am using SAMBA_INTERNAL

My /etc/resolv.conf looks like

# Generated by NetworkManager
search samdom.example.com
nameserver 192.168.1.1

I skip Create a reverse zone and then copy the kerberos file as suggested.

This is where it goes wrong. I’ve started samba with sudo samba, and the processes look like they are running, but none of the following verification commands given in the documentation work.

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMDOM\Administrator's password:
session setup failed: NT_STATUS_INTERNAL_ERROR
$ host -t SRV _ldap._tcp.samdom.example.com.
Host _ldap._tcp.samdom.example.com. not found: 3(NXDOMAIN)
$ host -t SRV _kerberos._udp.samdom.example.com.
Host _kerberos._udp.samdom.example.com. not found: 3(NXDOMAIN)
$ host -t A dc1.samdom.example.com.
Host dc1.samdom.example.com. not found: 3(NXDOMAIN)

I’m at somewhat of a loss here.

A few things to note. My Ubuntu machine’s static IP on my local network is NOT 192.168.1.1 (the IP I used in the config steps above). It is 192.168.1.20. I’ve tried using that IP as well, to no avail.

I have also tried using none, 192.168.1.1 and 8.8.8.8 as the DNS forwarder IP address during setup to no avail.

I have found some articles online variously offering solutions or further test functions but have yet to find anything that solves my problem.

In the end I would like to set up Samba to function as a

Best Answer

I installed Samba on Debian 9 only with

apt install samba

and got the same failure. Had to add winbind (and smbclient)

apt install winbind
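
The setup guide's rule quoted in the question (the FQDN and short host name in /etc/hosts must resolve to the DC's LAN IP) can be checked mechanically. The script below is an added example, not part of the original question or answer; the function names hosts_ip_for and check_dc_hosts are hypothetical, and the sample file is constructed from the hosts entries, addresses and hostname shown in the question.

```shell
#!/bin/sh
# Added example: apply the "/etc/hosts must map FQDN and short name to the
# DC's LAN IP" rule to a hosts file. Function names are hypothetical.

# hosts_ip_for FILE NAME -> print the IP of the first line that lists NAME
# (comparison is case-insensitive, comments are ignored).
hosts_ip_for() {
    awk -v want="$2" '
        { sub(/#.*/, "") }            # strip trailing comments
        NF < 2 { next }               # skip blank / address-only lines
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $1; exit }
        }' "$1"
}

# check_dc_hosts FILE FQDN SHORT LAN_IP
# Prints one finding per name; returns 0 only if both names map to LAN_IP.
check_dc_hosts() {
    file=$1 fqdn=$2 short=$3 lan_ip=$4 rc=0
    for name in "$fqdn" "$short"; do
        ip=$(hosts_ip_for "$file" "$name")
        if [ -z "$ip" ]; then
            echo "MISSING  $name has no entry"; rc=1
        elif [ "$ip" != "$lan_ip" ]; then
            echo "MISMATCH $name -> $ip (expected $lan_ip)"; rc=1
        else
            echo "OK       $name -> $ip"
        fi
    done
    return $rc
}

# Constructed sample: the two IPv4 hosts entries quoted in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1       localhost localhost.localdomain
192.168.1.1     DC1.samdom.example.com DC1
EOF

# The question gives 192.168.1.20 as the Ubuntu box's own LAN address.
check_dc_hosts "$sample" DC1.samdom.example.com DC1 192.168.1.20 \
    || echo "=> DC1 entries do not point at the DC's LAN IP"
# The provision output reports the hostname as zoo-vault.
check_dc_hosts "$sample" zoo-vault.samdom.example.com zoo-vault 192.168.1.20 \
    || echo "=> reported hostname is not listed in the hosts file"
```

On a real DC, pass /etc/hosts, the output of hostname -f and hostname -s, and the machine's LAN address instead of the sample values.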