Stefan Bellon
2021-Mar-31 13:09 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
First of all, thanks for your help and suggestions. Very much welcome.

On Wed, 31 Mar, L.P.H. van Belle via samba wrote:

> Run this one :
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> And post the output, looking at our output below, 3000006 and 3000010
> should not be there, in these outputs. So run this on both DC's and
> compare the output files.

default-rights-sysvol.acl looks identical on both DC1 and DC2:

# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

> You might have forgotten to sync the idmap.tdb on the DC's. See:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Before I touched anything, I wrote up a guide of how to do the setup and migration. I played it through completely in a playground environment with three VMs "testolddc", "testdc1", and "testdc2". After that "succeeded", I did the exact same steps when doing the real "dc1" and "dc".

My documentation includes the following steps:

- on main DC1:
  # rm -f /var/lib/samba/private/idmap.ldb.bak
  # tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
  # scp /var/lib/samba/private/idmap.ldb.bak DC2

- on new DC2:
  # chown root.root /var/lib/samba/private/idmap.ldb.bak
  # mv /var/lib/samba/private/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
  # net cache flush
  # samba-tool ntacl sysvolcheck
  # samba-tool ntacl sysvolreset
  # samba-tool ntacl sysvolcheck

That's what I did.

> Quote : To use a Sysvol Replication workaround, all domain
> controllers (DC) must use the same ID mappings for built-in users and
> groups. These should always be the same on all AD-DC's. And the
> 300000 range is correct for the AD-DC's..

I set up DC1 and DC2 from scratch in parallel (i.e. they have the same packages installed and the same users and groups set up), using the same Debian Bullseye image and my same step-by-step guide.

> You might want to read Debian bug , maybe it applies, I don't know,
> I've not seen it in my network.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986168

I can confirm that when doing "klist", the ticket cache is in files named /tmp/krb5cc_%{euid}_%{something} for all users except root, where the ticket cache is /tmp/krb5cc_0 without the suffix.

> This may be related to Debian bug:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968943

Not sure whether this is my setup ... I do not mount shares on the UNIX side at all, it's just the netlogon/sysvol stuff for Windows.

> It is almost surely related to Ubuntu bug number # 1900856:
> https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856
> (last 2 additions are from the bug report #986168)
>
> See if this applies to you, not on the cifs part
> but on the kerberos cache part

So, do you suggest I add

[libdefaults]
default_ccache_name = FILE:/tmp/krb5cc_%{euid}

to /etc/samba/smb.conf? Would that however explain why sysvolcheck fails as soon as I did some edit operation on the Windows side?

Greetings,
Stefan

--
Stefan Bellon
Rowland penny
2021-Mar-31 13:30 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On 31/03/2021 14:09, Stefan Bellon via samba wrote:
> First of all, thanks for your help and suggestions. Very much welcome.
>
>
> default-rights-sysvol.acl looks identical on both DC1 and DC2:
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root

There is a problem: the group should be BUILTIN\administrators, which on my DC is 3000000:

getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000

> I can confirm that when doing "klist", the ticket cache is in files
> named /tmp/krb5cc_%{euid}_%{something} for all users except root, where
> the ticket cache is /tmp/krb5cc_0 without the suffix.

That is Administrator's ticket, not root's.

> Not sure whether this is my setup ... I do not mount shares on UNIX
> side at all, it's just the netlogon/sysvol stuff for Windows.

Er, netlogon & sysvol are shares?

> So, do you suggest I add
>
> [libdefaults]
> default_ccache_name = FILE:/tmp/krb5cc_%{euid}
>
> to /etc/samba/smb.conf?

No, and not even to /etc/krb5.conf.

> Would that however explain why sysvolcheck fails as soon as I did some
> edit operation on the Windows side?

I personally think it is probably the wrong group ownership on /var/lib/samba/sysvol; the question has to be, how did it become 'root'?

Rowland
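The two checks the thread does by eye, comparing the getfacl dumps of both DCs and spotting that the sysvol group is root instead of the gid idmap.ldb assigned to BUILTIN\Administrators, can be scripted. The script below is an added example and is not code from the thread, from L.P.H. van Belle's samba-check-set-sysvol.sh or from Samba itself. It assumes the dumps are produced with getfacl on each DC and that the expected gid comes from wbinfo (3000000 is the value on Rowland's DC); the sample inputs are constructed from the dump Stefan posted, and the "Rowland" variant is the same entry list with only the group line changed, since his full dump is not in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. It checks getfacl
# dumps of /var/lib/samba/sysvol the way the thread does by eye: owner root,
# group = the gid idmap.ldb assigned to BUILTIN\Administrators, that gid with
# rwx in both the access and the default ACL, and identical entries on every DC.
#
# On a real DC the inputs come from:
#   getfacl /var/lib/samba/sysvol > dc1.acl     # run on each DC, copy the files together
#   wbinfo --sid-to-gid S-1-5-32-544            # gid of BUILTIN\Administrators
# 3000000 below is the value from Rowland's DC; use whatever wbinfo prints on yours.

# check_sysvol_acl <acl-file> <admins-gid>
# Returns 0 when the dump looks like a healthy DC sysvol, 1 otherwise,
# printing one line per problem found.
check_sysvol_acl() {
    acl_file=$1
    admins_gid=$2
    rc=0
    owner=$(sed -n 's/^# owner: //p' "$acl_file")
    group=$(sed -n 's/^# group: //p' "$acl_file")
    [ "$owner" = root ] || { printf '%s\n' "owner is '$owner', expected root"; rc=1; }
    [ "$group" = "$admins_gid" ] || {
        printf '%s\n' "group is '$group', expected $admins_gid (BUILTIN\\Administrators)"
        rc=1
    }
    for prefix in "" "default:"; do
        grep -qx "${prefix}group:${admins_gid}:rwx" "$acl_file" ||
            { printf '%s\n' "missing ${prefix}group:${admins_gid}:rwx entry"; rc=1; }
    done
    return $rc
}

# acl_xids <acl-file>
# Prints the distinct numeric ids named in the ACL entries, space separated,
# so two DCs' dumps can be compared at a glance (the "3000006 and 3000010
# should not be there" check from the thread).
acl_xids() {
    sed -E -n 's/^(default:)?(user|group):([0-9]+):.*/\3/p' "$1" |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# compare_sysvol_acl <acl-file-dc1> <acl-file-dc2>
# Returns 0 when owner, group and every ACL entry match, 1 otherwise. The
# "# file:" line is dropped because getfacl prints the path with or without
# the leading '/' depending on how it was invoked.
compare_sysvol_acl() {
    a=$(grep -v '^# file:' "$1" | sort)
    b=$(grep -v '^# file:' "$2" | sort)
    [ "$a" = "$b" ]
}

# Constructed sample inputs. DC_STEFAN is the dump posted in the thread
# (group root); DC_ROWLAND is the same entry list with only the group line
# changed to 3000000, as on Rowland's DC (his full dump is not in the thread).
DC_STEFAN=$(mktemp)
DC_ROWLAND=$(mktemp)
trap 'rm -f "$DC_STEFAN" "$DC_ROWLAND"' EXIT
cat >"$DC_STEFAN" <<'EOF'
# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
EOF
sed 's/^# group: root$/# group: 3000000/' "$DC_STEFAN" >"$DC_ROWLAND"

for f in "$DC_STEFAN" "$DC_ROWLAND"; do
    printf '%s: xids %s\n' "$f" "$(acl_xids "$f")"
    check_sysvol_acl "$f" 3000000 && printf '%s: OK\n' "$f"
done
compare_sysvol_acl "$DC_STEFAN" "$DC_ROWLAND" || echo "DC dumps differ"
```

Run on the constructed inputs, the Stefan dump fails with "group is 'root', expected 3000000", the Rowland variant passes, and the comparison reports that the two differ. On real DCs, run acl_xids on each dump first: any id outside the set that idmap.ldb hands to the built-in groups is a sign the idmap databases were not identical when sysvolreset ran.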