samba - Nov 2021 - Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

I'm seeing the same issue since updating to 4.13 on my Ubuntu system and 
I have done additional debugging and reported an issue for the Ubuntu 
package at https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1951490.

To sum it up here aswell:

Enabling debug logs show that this is caused by the ownership of a 
directory which samba complains is not matching:

[2021/11/19 01:48:37.482365, 4, effective(30000XX, 100), real(30000XX, 
0)] 
../../source3/rpc_server/rpc_ncacn_np.c:110(make_internal_rpc_pipe_socketpair)
 ? Create of internal pipe \pipe\spoolss requested
[2021/11/19 01:48:37.485785, 3, effective(30000XX, 100), real(30000XX, 
0)] ../../lib/util/util.c:483(directory_create_or_exist_strict)
 ? directory_create_or_exist_strict: invalid ownership on directory 
/var/lib/samba/private/msg.sock
[2021/11/19 01:48:37.485807, 1, effective(30000XX, 100), real(30000XX, 
0)] ../../source3/auth/auth_samba4.c:248(prepare_gensec)
 ? imessaging_init failed

The issue is caused by /var/lib/samba/private/msg.sock being owned by 
root:root in my case (and it gets created with those permissions aswell 
if I delete it), but 
https://github.com/samba-team/samba/blob/db11778b57610e24324aa4342f89918f66157d71/source4/lib/messaging/messaging.c#L507
uses geteuid() which is sometimes the user ID of the connecting user (as 
can be seen above, XX is the number that represents the uid of the 
windows user connecting).

I am not sure if this is related to my "unable to print"-issue but
this
happens whenever I try to print and whenever the print queue is 
refreshed by a client.

On Mon, 2021-11-22 at 19:46 +0100, Flole via samba
wrote:
> I'm seeing the same issue since updating to 4.13 on my Ubuntu system
> and 
> I have done additional debugging and reported an issue for the
> Ubuntu 
> package at 
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1951490.
> 
> To sum it up here aswell:
> 
> Enabling debug logs show that this is caused by the ownership of a 
> directory which samba complains is not matching:
> 
> [2021/11/19 01:48:37.482365, 4, effective(30000XX, 100),
> real(30000XX, 
> 0)] 
> ../../source3/rpc_server/rpc_ncacn_np.c:110(make_internal_rpc_pipe_so
> cketpair)
>    Create of internal pipe \pipe\spoolss requested
> [2021/11/19 01:48:37.485785, 3, effective(30000XX, 100),
> real(30000XX, 
> 0)] ../../lib/util/util.c:483(directory_create_or_exist_strict)
>    directory_create_or_exist_strict: invalid ownership on directory 
> /var/lib/samba/private/msg.sock
> [2021/11/19 01:48:37.485807, 1, effective(30000XX, 100),
> real(30000XX, 
> 0)] ../../source3/auth/auth_samba4.c:248(prepare_gensec)
>    imessaging_init failed
> 
> The issue is caused by /var/lib/samba/private/msg.sock being owned
> by 
> root:root in my case (and it gets created with those permissions
> aswell 
> if I delete it), but 
>
https://github.com/samba-team/samba/blob/db11778b57610e24324aa4342f89918f66157d71/source4/lib/messaging/messaging.c#L507
> uses geteuid() which is sometimes the user ID of the connecting user
> (as 
> can be seen above, XX is the number that represents the uid of the 
> windows user connecting).
> 
> I am not sure if this is related to my "unable to print"-issue
but
> this 
> happens whenever I try to print and whenever the print queue is 
> refreshed by a client.
Thanks for looking into this.  This looks like something you should
report in our bugzilla (not much can be done on the Ubuntu side, so the
launchpad report is only useful to attempt to get the fix backported
there).  Regardless I've sent you an invite.  

Here is the privacy disclaimer, if you are OK with that please finish
creating the account:


  A user account is required to report new bugs or to comment into
  existing ones, as you may be contacted for more information if
needed.
  This also lets other users clearly identify who is the author of
comments
  or changes made into bugs. Note that your email address will
  never be displayed to logged out users. Only registered users will be
  able to see it.




  PRIVACY NOTICE: The Samba-Bugzilla is an open bug
  tracking system. Activity on most bugs, including email
  addresses, will be visible to registered users. We recommend using a
  secondary account or free web email service (such as Gmail, Yahoo,
  Hotmail, or similar) to avoid receiving spam at your primary email
address.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions