Stefan Bellon
2021-Mar-31 07:06 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Tue, 30 Mar, Stefan Bellon via samba wrote:

> [2021/03/30 11:19:46.883518, 0] ../../source3/rpc_server/rpc_server.c:1086(dcesrv_auth_gensec_prepare)
> dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

I have the feeling this is directly connected to sysvol permissions. I observed that when I edit stuff in GPMC and get those messages in the log, then afterwards a sysvolcheck will fail and the messages keep coming even on successful domain user login. If I resetsysvol and do not touch GPMC afterwards, then the log messages do not appear (till the next action that most likely messes with the sysvol permissions).

As the sysvol is the part that was not set up afresh on the new DCs but copied over from the old Samba, I wonder whether this is broken:

root@dc1:~# cd /var/lib/samba/
root@dc1:~# ls -ald sysvol/
drwxrwx---+ 3 root 3000000 4096 Mar 30 23:22 sysvol/
root@dc1:~# ls -ald sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
drwxrwx---+ 4 3000008 3000008 4096 Mar 30 13:03 sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
root@dc1:~# getfacl sysvol/
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
root@dc1:~# getfacl sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
# file: sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

First of all, I'm unsure whether it's correct that the UNIX uid/gid (root:3000000 and 3000008:3000008) are set on the folders or whether they should just belong to root:root? And secondly, I'm wondering whether the ACL permissions are correct either. The UIDs resolve as follows:

root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
BUILTIN\Administrators 4
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
BUILTIN\Server Operators 4
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
NT AUTHORITY\SYSTEM 5
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
NT AUTHORITY\Authenticated Users 5
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
DS\Group Policy Creator Owners 2
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
DS\Enterprise Admins 2
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
DS\Domain Admins 2
root@dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5

Any help would be very welcome.

Greetings,
Stefan

-- 
Stefan Bellon
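Reading listings like the ones above by principal instead of numeric id, as an added example that is not from the thread or from Samba: a small parser for getfacl output that annotates each entry with the name the post's wbinfo lookups resolved. ID_NAMES and SAMPLE_ACL are constructed from the post; on a live DC the mapping would be built from wbinfo output, and `#effective:` annotations that getfacl appends when the mask restricts an entry are dropped before matching.

```python
import re
# Mapping constructed from the wbinfo lookups quoted in the post; a live DC would build it with wbinfo.
ID_NAMES = {
    3000000: "BUILTIN\\Administrators",
    3000001: "BUILTIN\\Server Operators",
    3000002: "NT AUTHORITY\\SYSTEM",
}

# Constructed sample: a shortened copy of the `getfacl sysvol/` listing above.
SAMPLE_ACL = """\
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:3000000:rwx
user:3000001:r-x
mask::rwx
other::---
default:user:3000000:rwx
"""
ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

def resolve(qualifier, names):
    """Numeric uid/gid -> name from the mapping; names pass through, empty -> None."""
    if qualifier.isdigit():
        return names.get(int(qualifier), "UNMAPPED:" + qualifier)
    return qualifier or None

def parse_getfacl(text, names=ID_NAMES):
    """Return (owner, group, entries); each entry is (is_default, tag, name, perms)."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = resolve(line.split(":", 1)[1].strip(), names)
        elif line.startswith("# group:"):
            group = resolve(line.split(":", 1)[1].strip(), names)
        elif line and not line.startswith("#"):
            m = ENTRY.match(line.split("#", 1)[0].strip())  # drop "#effective:" notes
            if not m:
                raise ValueError("unrecognised ACL line: " + raw)
            is_default, tag, qual, perms = m.groups()
            entries.append((bool(is_default), tag, resolve(qual, names), perms))
    return owner, group, entries

def writers(text, names=ID_NAMES):
    """Named principals granted write access in the access (non-default) ACL."""
    return sorted({n for d, _, n, p in parse_getfacl(text, names)[2] if not d and n and "w" in p})
```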
Andrew Bartlett
2021-Mar-31 07:17 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> On Tue, 30 Mar, Stefan Bellon via samba wrote:
> 
> > [2021/03/30 11:19:46.883518, 0] ../../source3/rpc_server/rpc_server.c:1086(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
> 
> I have the feeling this is directly connected to sysvol permissions.

That would be incredibly unlikely. This is about failing to set up the Kerberos code that accepts incoming tickets, so it could fail if the DC thinks it is not a DC or can't find the secrets.ldb entry etc.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions