Rowland penny
2021-Mar-31 11:15 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On 31/03/2021 12:03, Stefan Bellon via samba wrote:
> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>
>> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
>>> I have the feeling this is directly connected to sysvol
>>> permissions.
>> That would be incredibly unlikely. This is about failing to set up the
>> Kerberos code that accepts incoming tickets, so it could fail if the
>> DC thinks it is not a DC or can't find the secrets.ldb entry etc.
>
> I'm fully open to suggestions and ideas on how to debug this further.
>
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
>
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.

Have you modified your users or groups in any way?

> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range?

Yes, as standard, all users and groups on a Samba AD DC have IDs in the '3000000' range.

> Or is it expected that those belong to
> root:root below sysvol?

No it isn't.

What is the output of 'sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl'

Rowland

> Greetings,
> Stefan
Stefan Bellon
2021-Mar-31 12:56 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
Thanks a lot for helping me with this issue, very much appreciated.

On Wed, 31 Mar, Rowland penny via samba wrote:
> On 31/03/2021 12:03, Stefan Bellon via samba wrote:
>
>> As soon as I edit a group policy on the Windows side, the messages
>> appear in the log and also sysvolcheck reports issues.
>
> Have you modified your users or groups in any way?

I have not knowingly. I cannot say for sure regarding people that worked on the old Samba domain before it was handed over to me to take care of it.

>> Are the permissions that I showed in my last email correct? Is it
>> expected that on the GNU/Linux side the uid and gid of those
>> folders is something in the 3000000 range?
>
> Yes, as standard, all users and groups on a Samba AD DC have IDs in
> the '3000000' range.
>
>> Or is it expected that those belong to
>> root:root below sysvol?
>
> No it isn't.

Then I'm wondering how the unison sysvol replication is supposed to work. After following https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround I ended up getting the sysvol on DC2 with root:root and different UNIX permissions than on DC1 until I added

owner=true
group=true
perms=0o1777

to the /root/.unison/default.prf. With that I get an - at least to my eye - exactly identical copy of sysvol on DC2.

> What is the output of 'sudo samba-tool ntacl
> get /var/lib/samba/sysvol --as-sddl'

root@dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

root@dc2:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Greetings,
Stefan

--
Stefan Bellon
Stefan Bellon
2021-Mar-31 15:04 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, Rowland penny via samba wrote:
> What is the output of 'sudo samba-tool ntacl
> get /var/lib/samba/sysvol --as-sddl'

BTW: Would it make sense to run "samba-tool ntacl get --as-sddl" on /var/lib/samba/sysvol and on /var/lib/samba/sysvol/xxx/Policies/{some_policy} once after "sysvolreset", before editing something in GPMC, and a second time after doing some edits, in order to see whether there's a difference and what the difference is? Or am I barking up the wrong tree?

Greetings,
Stefan

--
Stefan Bellon
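A small parser for the SDDL that `samba-tool ntacl get --as-sddl` returns, added here as an example and not code from Samba or from either poster. It decodes the dc1/dc2 strings quoted earlier in the thread (which principal gets which access mask, with which inheritance flags, and whether the DACL is protected from parent inheritance) and diffs two snapshots, which is the before/after comparison Stefan proposes in this message. `DC1_SYSVOL` and `DC2_SYSVOL` are the strings from the thread; `AFTER_EDIT` is a constructed snapshot that only exercises the diff and says nothing about what GPMC actually writes. `snapshot_sddl()` shells out to `samba-tool` and is only usable on a DC; everything else runs offline.

```python
"""Parse and diff SDDL as printed by `samba-tool ntacl get <path> --as-sddl`.

Added example for this thread, not Samba project code. DC1_SYSVOL and
DC2_SYSVOL are the strings quoted in the thread; AFTER_EDIT is constructed.
"""
import re
import subprocess

DC1_SYSVOL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
              "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
DC2_SYSVOL = DC1_SYSVOL  # dc2 returned the identical string in the thread
# Constructed sample (not real GPMC output): Server Operators ACE dropped,
# a Domain Admins full-control ACE appended.
AFTER_EDIT = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001f01ff;;;SY)"
              "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)")

# Well-known SID abbreviations that show up in Samba's SDDL output.
SID_NAMES = {
    "LA": "Local Administrator", "BA": "Builtin Administrators",
    "SO": "Server Operators", "SY": "Local System",
    "AU": "Authenticated Users", "DA": "Domain Admins", "CO": "Creator Owner",
}

# File access-mask bits (FILE_* specific rights plus the standard rights).
MASK_BITS = [
    (0x000001, "READ_DATA"), (0x000002, "WRITE_DATA"), (0x000004, "APPEND_DATA"),
    (0x000008, "READ_EA"), (0x000010, "WRITE_EA"), (0x000020, "EXECUTE"),
    (0x000040, "DELETE_CHILD"), (0x000080, "READ_ATTRIBUTES"),
    (0x000100, "WRITE_ATTRIBUTES"), (0x010000, "DELETE"), (0x020000, "READ_CONTROL"),
    (0x040000, "WRITE_DAC"), (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
FULL_CONTROL = 0x001F01FF  # every bit in MASK_BITS
READ_EXECUTE = 0x001200A9  # READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE

# O:<owner>G:<group>D:<dacl flags><aces>[S:<sacl>]; SIDs may be 2-letter
# aliases or full S-1-5-... strings.
SDDL_RE = re.compile(r"^O:(?P<owner>[\w-]+)G:(?P<group>[\w-]+)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return owner, group, protected flag and a list of ACE dicts."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({
            "type": ace_type,                                   # A = allow, D = deny
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],  # OI CI IO ID ...
            "mask": int(rights, 16) if rights.startswith("0x") else rights,
            "sid": sid,
        })
    return {"owner": m.group("owner"), "group": m.group("group"),
            "protected": "P" in m.group("flags"),  # P: parent inheritance blocked
            "aces": aces}


def describe_mask(mask):
    """Human-readable rights; unknown/letter-form masks are returned as-is."""
    if not isinstance(mask, int):
        return mask
    if mask == FULL_CONTROL:
        return "Full Control"
    if mask == READ_EXECUTE:
        return "Read & Execute"
    return "|".join(name for bit, name in MASK_BITS if mask & bit) or hex(mask)


def format_ace(ace):
    kind = {"A": "allow", "D": "deny"}.get(ace["type"], ace["type"])
    who = SID_NAMES.get(ace["sid"], ace["sid"])
    return "%s %s: %s [%s]" % (kind, who, describe_mask(ace["mask"]), " ".join(ace["flags"]))


def summarize(sddl):
    acl = parse_sddl(sddl)
    head = "owner=%s group=%s protected=%s" % (acl["owner"], acl["group"], acl["protected"])
    return [head] + [format_ace(a) for a in acl["aces"]]


def _ace_key(ace):
    return (ace["type"], tuple(ace["flags"]), ace["mask"], ace["sid"])


def diff_sddl(before, after):
    """List owner/group/protected changes and ACEs present on only one side."""
    a, b = parse_sddl(before), parse_sddl(after)
    changes = ["%s: %s -> %s" % (f, a[f], b[f])
               for f in ("owner", "group", "protected") if a[f] != b[f]]
    before_keys, after_keys = {_ace_key(x) for x in a["aces"]}, {_ace_key(x) for x in b["aces"]}
    changes += ["removed: " + format_ace(x) for x in a["aces"] if _ace_key(x) not in after_keys]
    changes += ["added: " + format_ace(x) for x in b["aces"] if _ace_key(x) not in before_keys]
    return changes


def snapshot_sddl(path):
    """Run on a DC (as root): capture the SDDL of one sysvol path for later diffing."""
    out = subprocess.run(["samba-tool", "ntacl", "get", path, "--as-sddl"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


if __name__ == "__main__":
    for line in summarize(DC1_SYSVOL):
        print(line)
    print("dc1 vs dc2:", diff_sddl(DC1_SYSVOL, DC2_SYSVOL) or "identical")
    for change in diff_sddl(DC1_SYSVOL, AFTER_EDIT):
        print(change)
```

Usage on the DCs would be `snapshot_sddl("/var/lib/samba/sysvol")` right after `sysvolreset`, again after the GPMC edit (and the same for the policy directory in question), then `diff_sddl(before, after)`; the thread's dc1 and dc2 strings diff to an empty list, which is what the identical output in Stefan's reply shows.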