Stefan Bellon
2021-Mar-31 17:09 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, L.P.H. van Belle via samba wrote:

> I'll try..
[...]
> I hope that helped..

Thanks for explaining the conversion. But I am still uncertain of what my actual problem is.

Here I have the following mapping:

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
BUILTIN\Administrators 4
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
BUILTIN\Server Operators 4
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
NT AUTHORITY\SYSTEM 5
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
NT AUTHORITY\Authenticated Users 5
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
DS\Group Policy Creator Owners 2
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
DS\Enterprise Admins 2
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
DS\Domain Admins 2
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5

And those permissions/attributes set:

root at dc1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/xxx/Policies/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
user:3000004:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:mask::rwx
default:other::---

root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/ --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)

root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/ --as-sddl
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

This is actually the identical state of DC1 and DC2 after I did a "samba-tool ntacl sysvolreset" and not changed anything thereafter.

Do I understand this right, that already in those permissions/attributes there is something wrong?

Greetings,
Stefan
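The question above is whether the NT ACL (the SDDL from samba-tool ntacl get) and the POSIX ACL (the getfacl output) agree. The following script is an added example, not code from the thread or from Samba; it parses both dumps, reduces each allow ACE's NT access mask to the rwx triple a POSIX entry can express, looks up the trustee's uid/gid in a table constructed from the wbinfo output in the post, and reports any entry whose effective POSIX permissions differ from what the DACL grants. The alias-to-xid table and the one-bit-per-letter mask reduction (FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE) are simplifying assumptions of this example, and the embedded dumps are copies of the ones posted above.

```python
"""Cross-check a Samba NT ACL (SDDL) against the POSIX ACL getfacl shows (added example)."""
import re
from dataclasses import dataclass

# uid/gid per SDDL trustee alias, copied from the wbinfo output in the post (constructed table).
ALIAS_TO_XID = {"BA": 3000000, "SO": 3000001, "SY": 3000002, "AU": 3000003,
                "PA": 3000004, "EA": 3000006, "DA": 3000008, "ED": 3000010}

# NT access-mask bits used for the rwx reduction (assumption: one bit decides each letter).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x01, 0x02, 0x20

SD_RE = re.compile(r"^O:([\w-]+)G:([\w-]+)D:([A-Z]*)((?:\([^)]*\))+)$")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: list     # two-letter flags, e.g. ["OI", "CI", "IO"]
    mask: int       # NT access mask, e.g. 0x001f01ff
    trustee: str    # SDDL alias such as "BA", or a raw S-1-... SID

    def rwx(self):
        """Reduce the NT mask to the rwx triple a POSIX ACL entry can hold."""
        return ("r" if self.mask & FILE_READ_DATA else "-") + \
               ("w" if self.mask & FILE_WRITE_DATA else "-") + \
               ("x" if self.mask & FILE_EXECUTE else "-")


def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, [Ace, ...]) for an O:..G:..D:.. string."""
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: security descriptor: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = [Ace(t, [f[i:i + 2] for i in range(0, len(f), 2)], int(mask, 16), trustee)
            for t, f, mask, _obj, _inh, trustee in ACE_RE.findall(ace_text)]
    return owner, group, dacl_flags, aces


def parse_getfacl(text):
    """Return (owner, group, mask, {(tag, qualifier): perms}) for the access ACL only."""
    owner = group = None
    mask, entries = "rwx", {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#") or line.startswith("default:") or not line:
            continue                      # comments and the default (inherited) ACL
        else:
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            if tag == "mask":
                mask = perms
            else:
                entries[(tag, qualifier)] = perms
    return owner, group, mask, entries


def posix_perms(xid, owner, group, mask, entries):
    """Effective rwx the uid/gid gets from the POSIX ACL (mask applied), or None if absent."""
    xid = str(xid)
    if xid == owner:
        return entries.get(("user", ""))          # owner entry is not subject to the mask
    for tag in ("user", "group"):                 # same number may be uid or gid (ID_TYPE_BOTH)
        if (tag, xid) in entries:
            return "".join(c if c in mask else "-" for c in entries[(tag, xid)])
    if xid == group:
        return "".join(c if c in mask else "-" for c in entries.get(("group", ""), "---"))
    return None


def check_consistency(sddl, facl):
    """List every allow ACE whose trustee does not get the same rwx from the POSIX ACL."""
    _nt_owner, _nt_group, dacl_flags, aces = parse_sddl(sddl)
    owner, group, mask, entries = parse_getfacl(facl)
    problems = []
    if "P" not in dacl_flags:
        problems.append("DACL is not protected (no P flag); parent inheritance applies")
    for ace in aces:
        if "IO" in ace.flags:     # inherit-only: applies to children, not this directory
            continue
        if ace.ace_type != "A":
            problems.append("%s ACE for %s has no POSIX ACL equivalent" % (ace.ace_type, ace.trustee))
            continue
        xid = ALIAS_TO_XID.get(ace.trustee)
        if xid is None:
            problems.append("no uid/gid known for trustee %s" % ace.trustee)
            continue
        got = posix_perms(xid, owner, group, mask, entries)
        if got != ace.rwx():
            problems.append("%s (xid %d): NT mask 0x%08x wants %s, POSIX ACL gives %s"
                            % (ace.trustee, xid, ace.mask, ace.rwx(), got))
    return problems


# Inputs copied from the post: the sysvol root and the Default Domain Policy directory.
SYSVOL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SYSVOL_FACL = """# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
"""
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")
GPO_FACL = """# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
"""

if __name__ == "__main__":
    for name, sddl, facl in (("sysvol", SYSVOL_SDDL, SYSVOL_FACL), ("GPO", GPO_SDDL, GPO_FACL)):
        found = check_consistency(sddl, facl)
        print(name + ":", "consistent" if not found else "\n  ".join(["mismatches:"] + found))
```

Run against the two dumps from the post it reports both directories as consistent: Domain Admins in the GPO directory is covered by the owner entry (user::rwx) and group:3000008, the CREATOR OWNER ACE is inherit-only and has no entry of its own, and the PA mask 0x001301bf reduces to rwx. To use it on a live DC, paste the output of samba-tool ntacl get --as-sddl and getfacl for the same path; the alias table must be extended with any xid winbind hands out on that domain (wbinfo --uid-to-sid / --gid-to-sid), and a raw S-1-... trustee is reported as unknown rather than guessed.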
Rowland penny
2021-Mar-31 17:52 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On 31/03/2021 18:09, Stefan Bellon via samba wrote:
> On Wed, 31 Mar, L.P.H. van Belle via samba wrote:
>
>> I'll try..
> [...]
>> I hope that helped..
> Thanks for explaining the conversion. But I am still uncertain of what
> my actual problem is.
>
> Here I have the following mapping:
>
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
> BUILTIN\Administrators 4
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
> BUILTIN\Server Operators 4
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
> NT AUTHORITY\SYSTEM 5
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
> NT AUTHORITY\Authenticated Users 5
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
> DS\Group Policy Creator Owners 2
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
> DS\Enterprise Admins 2
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
> DS\Domain Admins 2
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5
>
> And those permissions/attributes set:
>
> root at dc1:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/xxx/Policies/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> user:3000004:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> group:3000004:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000004:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000004:rwx
> default:mask::rwx
> default:other::---
>
> root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
> # owner: 3000008
> # group: 3000008
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000010:r-x
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000008:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000008:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000008:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/ --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)
>
> root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/ --as-sddl
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> This is actually the identical state of DC1 and DC2 after I did a
> "samba-tool ntacl sysvolreset" and not changed anything thereafter.
>
> Do I understand this right, that already in those
> permissions/attributes there is something wrong?
>
> Greetings,
> Stefan
>

No, there is nothing wrong with anything you have posted and, as Andrew has already stated, your error message shouldn't have anything to do with sysvol.

At one time, running sysvolreset could wreck the permissions; this appears to have been because winbind couldn't map all the required SIDs. This has been fixed, so you can now depend on sysvolreset/sysvolcheck, provided you never give Domain Admins a gidNumber attribute.

If, as you say, adding a GPO causes that message to appear in the logs, then it looks like a bug, but there is a gotcha: your log message refers to line 1086, and the latest rpc_server.c code only has 717 lines, so it might be an idea to upgrade Samba if possible; the 'possible bug' may have been fixed.

Rowland
Stefan Bellon
2021-Apr-01 06:21 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 31 Mar, Rowland penny via samba wrote:

> At one time, running sysvolreset could wreck the permissions, this
> appears to have been because winbind couldn't map all the required
> SID's. This has been fixed, so you can now depend on
> sysvolreset/sysvolcheck, provided you never give Domain Admins a
> gidNumber attribute.

Ah, wow, just a moment ... my Domain Admins do have a gidNumber attribute because they also map to a special admin group on the GNU/Linux side. What's the problem with that? Where can I read further about this "never give Domain Admins a gidNumber attribute" thing?

> If, as you say, adding a GPO causes that message to appear in the
> logs, then it looks like a bug, but there is a gotcha, your log
> message refers to line 1086, the latest rpc_server.c code only has
> 717 lines, so it might be an idea to upgrade Samba if possible, the
> 'possible bug' may have been fixed.

Well, Debian stable has Samba 4.9.5, so I even went with Debian testing in order to get at least Samba 4.13.5 when setting up the two new DCs. It looks like I have to read into how to build Samba from source then...

Greetings,
Stefan

--
Stefan Bellon