L.P.H. van Belle
2021-Mar-31 15:08 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
I'll try.. Lines 18-23. These SIDs are common SIDs.

Then I can do the conversion of SID to UID (or GID):

DC_SERVER_OPERATORS_SID2UID="wbinfo --sid-to-uid=S-1-5-32-549"

wbinfo --sid-to-uid=S-1-5-32-549
3000001

This UID is only in the AD DB (idmap.ldb as far as I know).

Now we are in the script at lines 52-79. I use wbinfo to find all known names/UIDs/groups and set that.
If you set uid/gid 3000001 then Linux will resolve it, if.. nsswitch also contains winbind. I use it like this on my AD DCs:

passwd: files systemd winbind
group: files systemd winbind

So next, root = Administrator on the AD DC already (default mapping).

That's basically it, and I do that for all known 4, these:

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"

So.. how do I get:

# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\\administrators

We know: 300001 = BUILTIN\\administrators
so, chmod root:300001

We can't use: root:"BUILTIN\\administrators" because that's not known in Linux groups itself.
But the IDs will be resolved with nsswitch.

I hope that helped.. if not, office closing, I'm back tomorrow to reply.

Greetz,

Louis

> -----Original message-----
> From: Stefan Bellon [mailto:bellon at axivion.com]
> Sent: Wednesday, 31 March 2021 16:47
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
>
> On Wed, 31 Mar, L.P.H. van Belle via samba wrote:
>
> > This is my output. (Version 4.13.7-Debian)
> > Still from the same script (as used above)
> >
> > getfacl /var/lib/samba/sysvol/
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol/
> > # owner: root
> > # group: BUILTIN\\administrators
>
> Please help me understand ... I fail to see how the script you linked
> - with the content -
>
> Create_DC_SYVOL_ACL_FILE () {
>   Get_DC_SERVER_OPERATORS
>   Get_DC_ADMINISTRATORS
>   Get_DC_SYSTEM
>   Get_DC_AUTHENTICATED_USERS
>
>   RIGHTSFILE="default-rights-sysvol.acl"
>   cat << EOF > "${RIGHTSFILE}"
> # file: ${DC_SYSVOL_PATH}
> # owner: root
> # group: root
>
> can create something different than
>
> # group: root
>
> in its output ... :-}
>
> Samba 4.13.5 from Debian Bullseye (testing), BTW.
>
> Greetings,
> Stefan
>
> --
> Stefan Bellon
Stefan Bellon
2021-Mar-31 17:09 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, L.P.H. van Belle via samba wrote:

> I'll try..
[...]
> I hope that helped..

Thanks for explaining the conversion. But I am still uncertain of what my actual problem is.

Here I have the following mapping:

root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
BUILTIN\Administrators 4
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
BUILTIN\Server Operators 4
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
NT AUTHORITY\SYSTEM 5
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
NT AUTHORITY\Authenticated Users 5
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
DS\Group Policy Creator Owners 2
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
DS\Enterprise Admins 2
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
DS\Domain Admins 2
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5

And those permissions/attributes set:

root@dc1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

root@dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/xxx/Policies/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
user:3000004:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:mask::rwx
default:other::---

root@dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

root@dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
root@dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/ --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)
root@dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/ --as-sddl
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

This is actually the identical state of DC1 and DC2 after I did a "samba-tool ntacl sysvolreset" and have not changed anything thereafter.

Do I understand this right, that already in those permissions/attributes there is something wrong?

Greetings,
Stefan
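The two messages above do the same check by hand: Louis resolves well-known SIDs to POSIX ids with wbinfo, and Stefan compares the NT ACL that `samba-tool ntacl get --as-sddl` prints with the POSIX ACL that getfacl shows. The script below is an added example of that comparison; it is not Louis's script, not Stefan's, and not part of Samba. It decodes the SDDL string into its ACEs, maps the two-letter SDDL aliases to SIDs (table from MS-DTYP; the domain-relative ones use an assumed DOMAIN_SID placeholder that must be set to the real domain SID), approximates the three access masks seen in the thread the way Samba's POSIX ACLs on this page show them, and then emits the setfacl-style entries that should appear in getfacl. The winbind resolver calls the real `wbinfo --sid-to-gid` / `--sid-to-uid`; the function name passed as the second argument to `sddl_to_posix_acl` is a hook so the decoder can be exercised without a running winbind.

```shell
#!/bin/sh
# Added example: decode "samba-tool ntacl get --as-sddl" output and derive the
# POSIX ACL entries that should sit beside it on sysvol.  Not Samba's code.
# DOMAIN_SID is an assumed placeholder; set it to the real S-1-5-21-... prefix
# (for example from wbinfo --name-to-sid on a domain group, minus the RID).
: "${DOMAIN_SID:=S-1-5-21-0-0-0}"

# SDDL well-known aliases -> SIDs (MS-DTYP section 2.4.4.2 / 2.4.2.4).
sddl_alias_to_sid() {
  case "$1" in
    BA) echo S-1-5-32-544 ;;        # BUILTIN\Administrators
    SO) echo S-1-5-32-549 ;;        # BUILTIN\Server Operators
    SY) echo S-1-5-18 ;;            # NT AUTHORITY\SYSTEM
    AU) echo S-1-5-11 ;;            # NT AUTHORITY\Authenticated Users
    ED) echo S-1-5-9 ;;             # NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    CO) echo S-1-3-0 ;;             # CREATOR OWNER
    LA) echo "$DOMAIN_SID-500" ;;   # domain Administrator
    DA) echo "$DOMAIN_SID-512" ;;   # Domain Admins
    EA) echo "$DOMAIN_SID-519" ;;   # Enterprise Admins (forest root domain)
    PA) echo "$DOMAIN_SID-520" ;;   # Group Policy Creator Owners
    *)  echo "$1" ;;                # already a literal SID
  esac
}

# Access masks seen in the thread, reduced to the rwx triple getfacl shows.
mask_to_posix() {
  case "$1" in
    0x001f01ff) echo rwx ;;   # FILE_ALL_ACCESS ("Full Control")
    0x001301bf) echo rwx ;;   # "Modify": full minus change-permissions/take-ownership
    0x001200a9) echo r-x ;;   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE ("Read & Execute")
    *)          echo '???' ;; # anything else: decode by hand
  esac
}

# Owner and group aliases from the "O:..G:..D:" header of the SDDL string.
sddl_owner() { printf '%s\n' "$1" | sed -n 's/^O:\([^:]*\)G:\([^:]*\)D:.*/\1/p'; }
sddl_group() { printf '%s\n' "$1" | sed -n 's/^O:\([^:]*\)G:\([^:]*\)D:.*/\2/p'; }

# One line per allow ACE: "<alias> <sid> <inherit flags> <mask> <rwx>".
# ACE syntax is (type;flags;mask;object_guid;inherit_object_guid;trustee).
sddl_aces() {
  printf '%s\n' "$1" | tr '(' '\n' | tr -d ')' | grep '^A;' |
  while IFS=';' read -r _type flags mask _objtype _inhobj trustee; do
    printf '%s %s %s %s %s\n' "$trustee" "$(sddl_alias_to_sid "$trustee")" \
      "$flags" "$mask" "$(mask_to_posix "$mask")"
  done
}

# Production resolver: ask winbind for the POSIX id of a SID (groups first,
# since every trustee on sysvol in the thread is a group or a well-known group).
wbinfo_resolve_sid() {
  gid=$(wbinfo --sid-to-gid="$1" 2>/dev/null) && { echo "$gid"; return 0; }
  uid=$(wbinfo --sid-to-uid="$1" 2>/dev/null) && { echo "$uid"; return 0; }
  return 1
}

# setfacl-style entries for the SDDL in $1; $2 names the SID->id resolver
# function (default: winbind).  Both a user: and a group: entry are printed
# per trustee, which is the shape getfacl shows on the DCs in the thread.
sddl_to_posix_acl() {
  resolver=${2:-wbinfo_resolve_sid}
  sddl_aces "$1" | while read -r _alias sid _flags _mask perm; do
    id=$("$resolver" "$sid") || { echo "# unresolved: $sid"; continue; }
    echo "user:$id:$perm"
    echo "group:$id:$perm"
  done
}

# Usage: sh decode_sddl.sh "$(samba-tool ntacl get /var/lib/samba/sysvol --as-sddl)"
if [ $# -gt 0 ]; then
  echo "owner: $(sddl_alias_to_sid "$(sddl_owner "$1")")"
  echo "group: $(sddl_alias_to_sid "$(sddl_group "$1")")"
  sddl_aces "$1"
  sddl_to_posix_acl "$1"
fi
```

Run against the sysvol SDDL from the thread with winbind available, the output should match the `user:3000000:rwx`, `user:3000001:r-x`, ... lines getfacl printed; a `# unresolved:` line means winbind has no idmap entry for that SID, which is the first thing to check before suspecting the ACL itself. The mask table is deliberately small and prints `???` for anything it does not know rather than guessing.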