Stefan Bellon
2021-Mar-31 11:03 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, Andrew Bartlett via samba wrote:

> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> > I have the feeling this is directly connected to sysvol
> > permissions.
>
> That would be incredibly unlikely. This is about failing to set up the
> Kerberos code that accepts incoming tickets, so it could fail if the
> DC thinks it is not a DC or can't find the secrets.ldb entry etc.

I'm fully open to suggestions and ideas on how to debug this further.

I can only tell you my observation, that after I do a "sysvolreset" and
do not touch the sysvol at all, neither from GNU/Linux side nor from
Windows side, then the log.smbd is completely free of those messages.

As soon as I edit a group policy on the Windows side, the messages
appear in the log and also sysvolcheck reports issues.

Are the permissions that I showed in my last email correct? Is it
expected that on the GNU/Linux side the uid and gid of those folders is
something in the 3000000 range? Or is it expected that those belong to
root:root below sysvol?

Greetings,
Stefan

-- 
Stefan Bellon

Rowland Penny
2021-Mar-31 11:15 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On 31/03/2021 12:03, Stefan Bellon via samba wrote:

> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>
>> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
>>> I have the feeling this is directly connected to sysvol
>>> permissions.
>> That would be incredibly unlikely. This is about failing to set up the
>> Kerberos code that accepts incoming tickets, so it could fail if the
>> DC thinks it is not a DC or can't find the secrets.ldb entry etc.
> I'm fully open to suggestions and ideas on how to debug this further.
>
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
>
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.

Have you modified your users or groups in any way?

> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range?

Yes, as standard, all users and groups on a Samba AD DC have IDs in the
'3000000' range.

> Or is it expected that those belong to
> root:root below sysvol?

No, it isn't.

What is the output of 'sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl'?

Rowland

> Greetings,
> Stefan
Andrew Bartlett
2021-Mar-31 19:45 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 2021-03-31 at 13:03 +0200, Stefan Bellon via samba wrote:

> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>
> > On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> > > I have the feeling this is directly connected to sysvol
> > > permissions.
> >
> > That would be incredibly unlikely. This is about failing to set up
> > the Kerberos code that accepts incoming tickets, so it could fail if
> > the DC thinks it is not a DC or can't find the secrets.ldb entry etc.
>
> I'm fully open to suggestions and ideas on how to debug this further.
>
> I can only tell you my observation, that after I do a "sysvolreset"
> and do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
>
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.

Very strange. The two are simply not connected, but perhaps having bad
sysvol permissions causes the client to connect to something different
on the server.

Turning up the log level would tell you what was unexpected.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions