Andrew Bartlett
2021-Mar-31 07:17 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> On Tue, 30 Mar, Stefan Bellon via samba wrote:
>
> > [2021/03/30 11:19:46.883518, 0] ../../source3/rpc_server/rpc_server.c:1086(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
>
> I have the feeling this is directly connected to sysvol permissions.

That would be incredibly unlikely. This is about failing to set up the Kerberos code that accepts incoming tickets, so it could fail if the DC thinks it is not a DC or can't find the secrets.ldb entry etc.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Stefan Bellon
2021-Mar-31 11:03 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, Andrew Bartlett via samba wrote:

> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> > I have the feeling this is directly connected to sysvol
> > permissions.
>
> That would be incredibly unlikely. This is about failing to set up the
> Kerberos code that accepts incoming tickets, so it could fail if the
> DC thinks it is not a DC or can't find the secrets.ldb entry etc.

I'm fully open to suggestions and ideas on how to debug this further.

I can only tell you my observation, that after I do a "sysvolreset" and do not touch the sysvol at all, neither from GNU/Linux side nor from Windows side, then the log.smbd is completely free of those messages.

As soon as I edit a group policy on the Windows side, the messages appear in the log and also sysvolcheck reports issues.

Are the permissions that I showed in my last email correct? Is it expected that on the GNU/Linux side the uid and gid of those folders is something in the 3000000 range? Or is it expected that those belong to root:root below sysvol?

Greetings,
Stefan

--
Stefan Bellon
L.P.H. van Belle
2021-Mar-31 11:22 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
Run this one:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh

And post the output. Looking at our output below, 3000006 and 3000010 should not be there, in these outputs.

So run this on both DCs and compare the output files.
You might have forgotten to sync the idmap.tdb on the DCs.
See: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
Quote:
To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.

These should always be the same on all AD-DCs.
And the 300000 range is correct for the AD-DCs.

You might want to read this Debian bug, maybe it applies, I don't know, I've not seen it in my network.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986168

This may be related to Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968943

It is almost surely related to Ubuntu bug number # 1900856:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856
(last 2 additions are from the bug report #986168)

See if this applies to you, not on the cifs part but on the kerberos cache part + what Rowland said. ;-) Good I checked the list before I mailed this.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Bellon via samba
> Sent: Wednesday, 31 March 2021 13:03
> To: Andrew Bartlett via samba
> CC: Andrew Bartlett
> Subject: Re: [Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
>
> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>
> > On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> > > I have the feeling this is directly connected to sysvol
> > > permissions.
> >
> > That would be incredibly unlikely. This is about failing to set up the
> > Kerberos code that accepts incoming tickets, so it could fail if the
> > DC thinks it is not a DC or can't find the secrets.ldb entry etc.
>
> I'm fully open to suggestions and ideas on how to debug this further.
>
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
>
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.
>
> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range? Or is it expected that those belong to
> root:root below sysvol?
>
> Greetings,
> Stefan
>
> --
> Stefan Bellon
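
The requirement quoted in the message above, that all DCs use the same ID mappings for built-in users and groups, can be checked by comparing the SID-to-ID mappings dumped from each DC. This is an added example, not code from the thread or from the Samba project; it assumes each dump is LDIF-style text whose records carry `objectSid` and `xidNumber` attributes, and both sample dumps are constructed.

```python
"""Compare SID -> xidNumber mappings dumped from two domain controllers."""
import re


def parse_idmap_ldif(text):
    """Return {sid: xid} from LDIF-style records separated by blank lines.

    Assumption: a mapping record has 'objectSid' and 'xidNumber' lines.
    Comment lines and records lacking either attribute are skipped.
    """
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.strip().lower()] = value.strip()
        if "objectsid" in attrs and "xidnumber" in attrs:
            mappings[attrs["objectsid"]] = int(attrs["xidnumber"])
    return mappings


def compare_idmaps(dc1, dc2):
    """Return (mismatched, only_on_dc1, only_on_dc2) for two mapping dicts."""
    mismatched = {sid: (dc1[sid], dc2[sid])
                  for sid in dc1.keys() & dc2.keys() if dc1[sid] != dc2[sid]}
    return mismatched, sorted(dc1.keys() - dc2.keys()), sorted(dc2.keys() - dc1.keys())


def _record(sid, xid):
    # Builds one constructed sample record in the assumed layout.
    return f"dn: CN={sid}\nobjectSid: {sid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"


# Constructed sample dumps: S-1-5-32-549 maps to different IDs on the two DCs.
DC1_DUMP = "\n".join([_record("S-1-5-32-544", 3000000),
                      _record("S-1-5-32-549", 3000001),
                      _record("S-1-5-18", 3000002)]) + "\n# returned 3 records\n"
DC2_DUMP = "\n".join([_record("S-1-5-32-544", 3000000),
                      _record("S-1-5-32-549", 3000006),
                      _record("S-1-5-11", 3000003)])

if __name__ == "__main__":
    bad, only1, only2 = compare_idmaps(parse_idmap_ldif(DC1_DUMP),
                                       parse_idmap_ldif(DC2_DUMP))
    for sid, (a, b) in sorted(bad.items()):
        print(f"MISMATCH {sid}: DC1={a} DC2={b}")
    print("only on DC1:", only1)
    print("only on DC2:", only2)
```

A SID reported as a mismatch means files owned by that built-in principal on sysvol resolve to a different owner after being copied to the other DC.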