Rowland penny
2021-Mar-31 13:30 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On 31/03/2021 14:09, Stefan Bellon via samba wrote:
> First of all, thanks for your help and suggestions. Very much welcome.
>
>
> default-rights-sysvol.acl looks identical on both DC1 and DC2:
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root

There is a problem, the group should be BUILTIN\administrators which on my DC is 3000000:

getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000

> I can confirm that when doing "klist", the ticket cache is in files
> named /tmp/krb5cc_%{euid}_%{something} for all users except root, where
> the ticket cache is /tmp/krb5cc_0 without the suffix.

That is Administrator's ticket, not root's.

> Not sure whether this is my setup ... I do not mount shares on UNIX
> side at all, it's just the netlogon/sysvol stuff for Windows.

Er, netlogon & sysvol are shares ?

> So, do you suggest I add
>
> [libdefaults]
> default_ccache_name = FILE:/tmp/krb5cc_%{euid}
>
> to /etc/samba/smb.conf?

No and not even to /etc/krb5.conf.

> Would that however explain why sysvolcheck fails as soon as I did some
> edit operation on the Windows side?

I personally think it is probably the wrong group ownership on /var/lib/samba/sysvol, the question has to be, how did it become 'root' ?

Rowland
Stefan Bellon
2021-Mar-31 13:51 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, Rowland penny via samba wrote:
>> default-rights-sysvol.acl looks identical on both DC1 and DC2:
>> # file: /var/lib/samba/sysvol
>> # owner: root
>> # group: root
>
> There is a problem, the group should be BUILTIN\administrators which
> on my DC is 3000000:
>
> getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: 3000000

Interestingly enough, when directly using getfacl on /var/lib/samba/sysvol, I *also* get the group as 3000000 (on both DCs):

root@dc1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

root@dc2:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

The output I pasted last time was the output of the script samba-check-set-sysvol.sh, where the group is listed as "root" as opposed to "3000000" when calling getfacl directly ... Does this shed any light on something? ;-)

>> I can confirm that when doing "klist", the ticket cache is in files
>> named /tmp/krb5cc_%{euid}_%{something} for all users except root,
>> where the ticket cache is /tmp/krb5cc_0 without the suffix.
>
> That is Administrator's ticket, not root's

Ok, yes, sorry, I got confused because for test purposes I fetched the ticket with user root, but of course I did "kinit administrator".

>> Not sure whether this is my setup ... I do not mount shares on UNIX
>> side at all, it's just the netlogon/sysvol stuff for Windows.
>
> Er, netlogon & sysvol are shares ?

Right you are. ;-) What I meant to say is that I do not mount those shares on GNU/Linux and therefore I am not sure whether

> Shares on clients are mounted with multiuser,cifsacl via autofs.
> (fstype=cifs,rw,multiuser,cifsacl,username=cifsmount,soft,sec=krb5i,vers=3.0)

applies to my setup.

>> So, do you suggest I add
>>
>> [libdefaults]
>> default_ccache_name = FILE:/tmp/krb5cc_%{euid}
>>
>> to /etc/samba/smb.conf?
>
> No and not even to /etc/krb5.conf

Sorry, /etc/krb5.conf it is.

>> Would that however explain why sysvolcheck fails as soon as I did
>> some edit operation on the Windows side?
>
> I personally think it is probably the wrong group ownership on
> /var/lib/samba/sysvol, the question has to be, how did it become
> 'root' ?

I rather wonder why getfacl and samba-check-set-sysvol.sh produce a different output regarding the "group" membership.

Greetings,
Stefan

--
Stefan Bellon
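The check both posters are doing by eye (is the group owner of sysvol the GID winbind hands out for BUILTIN\Administrators, and does getfacl's resolved output agree with the numeric one?) can be scripted. The following is an added example, not code from the thread, from samba-check-set-sysvol.sh or from the Samba project. It assumes the default sysvol path /var/lib/samba/sysvol, that winbind answers `wbinfo --sid-to-gid` for the well-known SID S-1-5-32-544, and that the `getfacl` from the acl package is installed; the two sample getfacl reports are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): compare the
# group owner of the sysvol directory with the GID winbind maps for
# BUILTIN\Administrators (S-1-5-32-544). getfacl is read twice, numerically
# (-n) and with name resolution, so a name/number disagreement is visible.

SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}   # assumed default sysvol path
ADMINS_SID=S-1-5-32-544                   # BUILTIN\Administrators well-known SID

# Print the "# group:" owner field from getfacl output read on stdin.
facl_group() {
    sed -n 's/^# group: //p' | head -n 1
}

# check_group EXPECTED_GID NUMERIC_GROUP RESOLVED_GROUP
# Prints a verdict; returns 0 only when the numeric group owner equals
# EXPECTED_GID, 1 on mismatch, 2 when no group field was found.
check_group() {
    expected=$1; numeric=$2; resolved=$3
    if [ -z "$numeric" ]; then
        echo "ERROR: no '# group:' line in getfacl output"
        return 2
    fi
    if [ "$numeric" != "$expected" ]; then
        echo "MISMATCH: group owner is $numeric (resolved as '$resolved'), expected $expected"
        return 1
    fi
    echo "OK: group owner $numeric (resolved as '$resolved')"
    return 0
}

# Live run on a DC: needs winbind (wbinfo) and the acl tools (getfacl).
live_check() {
    gid=$(wbinfo --sid-to-gid="$ADMINS_SID") || {
        echo "ERROR: wbinfo could not map $ADMINS_SID to a GID"; return 2; }
    numeric=$(getfacl -n "$SYSVOL" 2>/dev/null | facl_group)
    resolved=$(getfacl "$SYSVOL" 2>/dev/null | facl_group)
    check_group "$gid" "$numeric" "$resolved"
}

# Constructed sample getfacl reports (modelled on the thread, not captures).
SAMPLE_OK='# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
group:3000000:rwx'
SAMPLE_BAD='# file: /var/lib/samba/sysvol
# owner: root
# group: root'

# Offline demonstration: one report that passes, one that does not.
demo() {
    check_group 3000000 "$(printf '%s\n' "$SAMPLE_OK" | facl_group)" 3000000
    check_group 3000000 "$(printf '%s\n' "$SAMPLE_BAD" | facl_group)" root
    return 0
}

case "${1:-}" in
    demo) demo ;;
    live) live_check ;;
esac
```

Run it as `sh sysvol-group-check.sh demo` to see the two constructed cases, or `sh sysvol-group-check.sh live` as root on a DC. A report that shows the owner as `root` in one tool and as a 3000000-range GID in another points at the two tools resolving names differently (or reading different paths), which is exactly the question left open in the reply above; the numeric view from `getfacl -n` is the one to trust when comparing against `wbinfo`.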