samba - Mar 2021 - Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

On Wed, 31 Mar, Rowland penny via samba wrote:
> OK, I 'think' I may know what is going on here with unison and if I
> am correct, unless we can come up with a fix, we may have to
> recommend not using unison.
> 
> O:LAG:BA is:
> O = owner
> LA = local Administrator
> G = group
> BA = BUILTIN\Administrators
> 
> I 'think' unison is somehow mapping
'BUILTIN\Administrators' to 'root'
Ok, so I should be using the osync approach from 
https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround
instead of unison?

Greetings,
Stefan

-- 
Stefan Bellon

On 31/03/2021 14:56, Stefan Bellon wrote:
> On Wed, 31 Mar, Rowland penny via samba wrote:
>
>> OK, I 'think' I may know what is going on here with unison and
if I
>> am correct, unless we can come up with a fix, we may have to
>> recommend not using unison.
>>
>> O:LAG:BA is:
>> O = owner
>> LA = local Administrator
>> G = group
>> BA = BUILTIN\Administrators
>>
>> I 'think' unison is somehow mapping
'BUILTIN\Administrators' to 'root'
> Ok, so I should be using the osync approach from
>
https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround
> instead of unison?
>
> Greetings,
> Stefan
>
No, it is an artefact of Louis's script, the group on 
/var/lib/samba/sysvol should not be 'root', but Louis's script is 
showing it as such and to get the correct 'name', you will have to set 
up /etc/nsswitch.conf and the winbind links on the DC.

Rowland

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
via
> samba
> Verzonden: woensdag 31 maart 2021 16:03
> Aan: sambalist
> Onderwerp: Re: [Samba] Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
> 
> On 31/03/2021 14:56, Stefan Bellon wrote:
> > On Wed, 31 Mar, Rowland penny via samba wrote:
> >
> >> OK, I 'think' I may know what is going on here with unison
and if I
> >> am correct, unless we can come up with a fix, we may have to
> >> recommend not using unison.
> >>
> >> O:LAG:BA is:
> >> O = owner
> >> LA = local Administrator
> >> G = group
> >> BA = BUILTIN\Administrators
> >>
> >> I 'think' unison is somehow mapping
'BUILTIN\Administrators' to 'root'
> > Ok, so I should be using the osync approach from
> >
> https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_re
> plication_workaround instead of unison?
> >
> > Greetings,
> > Stefan
> >
> No, it is an artefact of Louis's script, the group on
> /var/lib/samba/sysvol should not be 'root', but Louis's script
is
> showing it as such and to get the correct 'name', you will have to
set
> up /etc/nsswitch.conf and the winbind links on the DC.
> 
> Rowland
> 
An artefact? Heheh.. i think, i need to add that nsswitch part also in the setup
but yes, i think thats missing also, nsswitch setup.


This is my output.  (Version 4.13.7-Debian) 
Still from the same script (as used above) 

getfacl /var/lib/samba/sysvol/ 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---

Greetz, 

Louis