Rowland penny
2021-Mar-31 13:45 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On 31/03/2021 13:56, Stefan Bellon wrote:
> Thanks a lot for helping me with this issue, very much appreciated.
>
> On Wed, 31 Mar, Rowland penny via samba wrote:
>> On 31/03/2021 12:03, Stefan Bellon via samba wrote:
>>
>>> As soon as I edit a group policy on the windows side, the messages
>>> appear in the log and also sysvolcheck reports issues.
>> Have you modified your users or groups in any way?
> I have not knowingly. I cannot say for sure regarding people that
> worked on the old Samba domain before it was handed over to me to take
> care of it.
>
>>> Are the permissions that I showed in my last email correct? Is it
>>> expected that on the GNU/Linux side the uid and gid of those
>>> folders is something in the 3000000 range?
>> Yes, as standard, all users and groups on a Samba AD DC have IDs in
>> the '3000000' range.
>>
>>> Or is it expected that those belong to
>>> root:root below sysvol?
>> No it isn't.
> Then I'm wondering how the unison sysvol replication is supposed to
> work. After following
>
> https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
>
> I ended up getting the sysvol on DC2 with root:root and different UNIX
> permissions than on DC1 until I added
>
> owner=true
> group=true
> perms=0o1777
>
> to the /root/.unison/default.prf. With that I get an - at least to my
> eye - exactly identical copy of sysvol on DC2.
>
>> What is the output of 'sudo samba-tool ntacl
>> get /var/lib/samba/sysvol --as-sddl'
> root@dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> root@dc2:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Greetings,
> Stefan
>

OK, I 'think' I may know what is going on here with unison and if I am
correct, unless we can come up with a fix, we may have to recommend not
using unison.

O:LAG:BA is:

O = owner
LA = local Administrator
G = group
BA = BUILTIN\Administrators

I 'think' unison is somehow mapping 'BUILTIN\Administrators' to 'root'

Rowland
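Decoding the SDDL string Rowland breaks down above, as an added example that is not part of the thread and not Samba project code: a small Python parser that splits the owner, group and DACL components, expands each ACE, names the access-mask bits and resolves the two-letter SID aliases. The alias table and the bit names are the standard Windows ones (MS-DTYP), but only a subset is included, and the file-rights aliases (FA/FR/FW/FX) are assumed values for the common case. The sample string is the one both DCs printed in the thread.

```python
"""Decode an SDDL security descriptor such as the output of
`samba-tool ntacl get <path> --as-sddl`.

Added example for the thread above; not Samba code. The alias tables are a
subset of the well-known SDDL abbreviations (assumed from MS-DTYP).
"""
import re
from dataclasses import dataclass

# Well-known SID abbreviations (subset; assumed from the SDDL specification).
SID_ALIASES = {
    "LA": "local Administrator",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
    "DA": "Domain Admins",
}

# File-system access-mask bits, low to high (standard Windows layout).
ACCESS_BITS = [
    (0x00000001, "READ_DATA/LIST_DIRECTORY"),
    (0x00000002, "WRITE_DATA/ADD_FILE"),
    (0x00000004, "APPEND_DATA/ADD_SUBDIRECTORY"),
    (0x00000008, "READ_EA"),
    (0x00000010, "WRITE_EA"),
    (0x00000020, "EXECUTE/TRAVERSE"),
    (0x00000040, "DELETE_CHILD"),
    (0x00000080, "READ_ATTRIBUTES"),
    (0x00000100, "WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
FULL_CONTROL = 0x001F01FF

# Rights aliases that may appear instead of a hex mask (assumed values).
RIGHTS_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089,
                  "FW": 0x00120116, "FX": 0x001200A0}

# Exact string both DCs printed in the thread.
SAMPLE = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: list     # two-letter flags, e.g. ["OI", "CI"] (inherit to files/dirs)
    mask: int       # access mask
    trustee: str    # SID or alias, e.g. "BA"


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str  # "P" = protected: parent ACEs are not inherited
    dacl: list


def _parse_ace(body: str) -> Ace:
    # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {body!r}")
    ace_type, flag_str, rights, _obj, _inh, sid = parts
    flags = [flag_str[i:i + 2] for i in range(0, len(flag_str), 2)]
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    elif rights in RIGHTS_ALIASES:
        mask = RIGHTS_ALIASES[rights]
    else:
        raise ValueError(f"unsupported rights token: {rights!r}")
    return Ace(ace_type, flags, mask, sid)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    # Components are introduced by O:, G:, D: and S:; values never contain ':'.
    parts = {}
    for chunk in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if chunk:
            parts[chunk[0]] = chunk[2:]
    dacl_str = parts.get("D", "")
    dacl_flags = dacl_str.split("(", 1)[0]
    aces = [_parse_ace(b) for b in re.findall(r"\(([^)]*)\)", dacl_str)]
    return SecurityDescriptor(parts.get("O", ""), parts.get("G", ""),
                              dacl_flags, aces)


def resolve_sid(token: str) -> str:
    return SID_ALIASES.get(token, token)


def describe_mask(mask: int) -> list:
    names = [name for bit, name in ACCESS_BITS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in ACCESS_BITS)
    if leftover:
        names.append(f"other:0x{leftover:08x}")
    return names


def full_control_trustees(sd: SecurityDescriptor) -> list:
    """Trustees granted every bit of full control by an allow ACE."""
    return [resolve_sid(a.trustee) for a in sd.dacl
            if a.ace_type == "A" and a.mask & FULL_CONTROL == FULL_CONTROL]


def summarize(sd: SecurityDescriptor) -> str:
    lines = [f"owner: {resolve_sid(sd.owner)}", f"group: {resolve_sid(sd.group)}",
             f"dacl flags: {sd.dacl_flags or '(none)'}"]
    for a in sd.dacl:
        lines.append(f"  {a.ace_type} {','.join(a.flags)} {resolve_sid(a.trustee)}: "
                     f"0x{a.mask:08x} = {', '.join(describe_mask(a.mask))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_sddl(SAMPLE)))
```

Run on the thread's string, the parser reports owner LA (local Administrator) and group BA (BUILTIN\Administrators), with full control for BA and SYSTEM and read/execute for Server Operators and Authenticated Users. Since that NT ACL is identical on both DCs, the difference Stefan saw is in the POSIX owner, group and mode that unison copies, which Samba keeps separately from the NT ACL it returns here; comparing the two layers side by side is the quickest way to see which one a replication tool has disturbed.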
Stefan Bellon
2021-Mar-31 13:56 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, Rowland penny via samba wrote:
> OK, I 'think' I may know what is going on here with unison and if I
> am correct, unless we can come up with a fix, we may have to
> recommend not using unison.
>
> O:LAG:BA is:
> O = owner
> LA = local Administrator
> G = group
> BA = BUILTIN\Administrators
>
> I 'think' unison is somehow mapping 'BUILTIN\Administrators' to 'root'

Ok, so I should be using the osync approach from
https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround
instead of unison?

Greetings,
Stefan

--
Stefan Bellon