Marcel de Reuver
2021-Nov-03 11:01 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
My logging is flooded with these notifications:
[2021/11/03 11:53:51.573128, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.683035, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.710025, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.842878, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.983252, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
All seems to work but I am wondering what these messages mean. My setup: Collected config ---
2021-11-03-11:55 ----------- Hostname: DC002 DNS Domain: ad.bib.lan FQDN:
DC002.ad.bib.lan ipaddress: 10.97.37.4 ----------- Kerberos SRV
_kerberos._tcp.ad.bib.lan record verified ok, sample output: Server: 10.97.37.4
Address: 10.97.37.4#53 _kerberos._tcp.ad.bib.lan service = 0 100 88
dc002.ad.bib.lan. _kerberos._tcp.ad.bib.lan service = 0 100 88 dc003.ad.bib.lan.
Samba is running as an AD DC ----------- Checking file: /etc/os-release
NAME="Ubuntu" VERSION="20.04.3 LTS (Focal Fossa)" ID=ubuntu
ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal UBUNTU_CODENAME=focal ----------- This computer is
running Ubuntu 20.04.3 LTS x86_64 ----------- running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet
127.0.0.1/8 scope host lo inet6 ::1/128 scope host 2: eth0 at if80:
<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group
default qlen 1000 link/ether 1e:b4:24:c3:c0:61 brd ff:ff:ff:ff:ff:ff
link-netnsid 0 inet 10.97.37.4/24 brd 10.97.37.255 scope global eth0 inet6
fe80::1cb4:24ff:fec3:c061/64 scope link ----------- Checking file: /etc/hosts
127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1
ip6-allnodes ff02::2 ip6-allrouters # --- BEGIN PVE --- 10.97.37.4
DC002.ad.bib.lan DC002 # --- END PVE --- ----------- Checking file:
/etc/resolv.conf # --- BEGIN PVE --- search ad.bib.lan nameserver 10.97.37.4
nameserver 10.97.36.7 # --- END PVE --- ----------- Checking file:
/etc/krb5.conf [libdefaults] default_realm = AD.BIB.LAN dns_lookup_realm = false
dns_lookup_kdc = true [realms] AD.BIB.LAN = { default_domain
= ad.bib.lan } [domain_realm] DC002 = AD.BIB.LAN ----------- Checking file:
/etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name
Service Switch functionality. # If you have the `glibc-doc-reference' and
`info' packages installed, try: # `info libc "Name Service
Switch"' for information about this file. passwd: files systemd winbind
group: files systemd winbind shadow: files gshadow: files hosts: files
mdns4_minimal [NOTFOUND=return] dns networks: files protocols: db files
services: db files ethers: db files rpc: db files netgroup: nis -----------
Checking file: /etc/samba/smb.conf # Global parameters [global] netbios name =
DC002 realm = AD.BIB.LAN server role = active directory domain controller
workgroup = AD idmap_ldb:use rfc2307 = yes dns forwarder = 10.97.37.5 10.97.36.8
winbind enum users = yes winbind enum groups = yes winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab
template shell = /bin/bash
# Freeradius winbind use default domain = yes winbind max domain connections =
5 winbind max clients = 1000 password server = * ldap server require strong auth
= no ntlm auth = mschapv2-and-ntlmv2-only # log level = 3 # printing printing =
cups load printers = yes rpc_server:spoolss = external rpc_daemon:spoolssd =
fork spoolss: architecture = Windows x64 [sysvol] path = /var/lib/samba/sysvol
read only = no [netlogon] path = /var/lib/samba/sysvol/ad.bib.lan/scripts read
only = no [printers] path = /var/spool/samba/ printable = yes [print$] path =
/srv/samba/printer_drivers/ read only = no ----------- BIND_DLZ not detected in
smb.conf ----------- Installed packages: ii acl 2.2.53-6 amd64 access control
list - utilities ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem
extended attributes ii krb5-config 2.6ubuntu1 all Configuration files for
Kerberos Version 5 ii krb5-locales 1.17-6ubuntu4.1 all internationalization
support for MIT Kerberos ii krb5-user 1.17-6ubuntu4.1 amd64
basic programs to authenticate using MIT Kerberos ii libacl1:amd64 2.2.53-6
amd64 access control list - shared library ii libattr1:amd64 1:2.4.48-5 amd64
extended attribute handling - shared library ii libgssapi-krb5-2:amd64
1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii
libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries ii
libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries -
Support library ii libnss-winbind:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba
nameservice integration plugins ii libpam-winbind:amd64 2:4.15.1+dfsg-0.1focal1
amd64 Windows domain authentication integration plugin ii libwbclient0:amd64
2:4.15.1+dfsg-0.1focal1 amd64 Samba winbind client library ii python3-nacl
1.3.0-5 amd64 Python bindings to libsodium (Python 3) ii python3-samba
2:4.15.1+dfsg-0.1focal1 amd64 Python 3 bindings for Samba ii samba
2:4.15.1+dfsg-0.1focal1 amd64 SMB/CIFS file, print, and login server for Unix ii
samba-common 2:4.15.1+dfsg-0.1focal1 all common files used by both the Samba
server and client ii samba-common-bin 2:4.15.1+dfsg-0.1focal1 amd64 Samba common
files used by both the server and the client ii samba-dsdb-modules:amd64
2:4.15.1+dfsg-0.1focal1 amd64 Samba Directory Services Database ii
samba-libs:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba core libraries ii
samba-vfs-modules:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba Virtual FileSystem
plugins ii winbind 2:4.15.1+dfsg-0.1focal1 amd64 service to resolve user and
group information from Windows NT servers -----------
Rowland Penny
2021-Nov-03 12:01 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
Do you think you can find a better mail client and try again, I cannot read the above.

Rowland
L.P.H. van Belle
2021-Nov-03 12:27 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
I'm also having a bit of a hard time reading it, but I did notice at least these.
Question for me also is, is this an AD-DC or Member server.
Looks like it's an AD-DC.
/etc/krb5.conf ( this is, in a normal setup )
[libdefaults]
default_realm = AD.BIB.LAN
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# Sufficient. ( that's the default krb5.conf at install, if REALM is supplied. )
/etc/nsswitch.conf
> > passwd: files systemd winbind group: files systemd winbind shadow: files
> > gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns
> > networks: files protocols: db files services: db files ethers: db
In the hosts line
Change this line : hosts: files mdns4_minimal [NOTFOUND=return] dns
To
hosts: files dns mdns4_minimal [NOTFOUND=return]
/etc/samba/smb.conf
refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
These should not be set for an AD-DC (as far as I know).
Greetz,
Louis
Marcel de Reuver
2021-Nov-03 12:57 UTC
[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
I will try again with a different email client, plain text only and keep
my fingers crossed.....
My logging is flooded with these notifications:
[2021/11/03 11:53:51.573128, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.683035, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.710025, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.842878, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
[2021/11/03 11:53:51.983252, 0] ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
  dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
All seems to work but I am wondering what these messages mean.
My setup:
Collected config --- 2021-11-03-11:55 -----------
Hostname: DC002
DNS Domain: ad.bib.lan
FQDN: DC002.ad.bib.lan
ipaddress: 10.97.37.4
-----------
Kerberos SRV _kerberos._tcp.ad.bib.lan record verified ok, sample output:
Server: 10.97.37.4
Address: 10.97.37.4#53
_kerberos._tcp.ad.bib.lan service = 0 100 88 dc002.ad.bib.lan.
_kerberos._tcp.ad.bib.lan service = 0 100 88 dc003.ad.bib.lan.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
-----------
This computer is running Ubuntu 20.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0 at if80: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1e:b4:24:c3:c0:61 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.97.37.4/24 brd 10.97.37.255 scope global eth0
    inet6 fe80::1cb4:24ff:fec3:c061/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
10.97.37.4 DC002.ad.bib.lan DC002
# --- END PVE ---
-----------
Checking file: /etc/resolv.conf
# --- BEGIN PVE ---
search ad.bib.lan
nameserver 10.97.37.4
nameserver 10.97.36.7
# --- END PVE ---
-----------
Checking file: /etc/krb5.conf
[libdefaults]
 default_realm = AD.BIB.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = true
[realms]
AD.BIB.LAN = {
 default_domain = ad.bib.lan
}
[domain_realm]
 DC002 = AD.BIB.LAN
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
    netbios name = DC002
    realm = AD.BIB.LAN
    server role = active directory domain controller
    workgroup = AD
    idmap_ldb:use rfc2307 = yes
    dns forwarder = 10.97.37.5 10.97.36.8
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    template shell = /bin/bash
    # Freeradius
    winbind use default domain = yes
    winbind max domain connections = 5
    winbind max clients = 1000
    password server = *
    ldap server require strong auth = no
    ntlm auth = mschapv2-and-ntlmv2-only
# log level = 3
    # printing
    printing = cups
    load printers = yes
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    spoolss: architecture = Windows x64
[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
[netlogon]
    path = /var/lib/samba/sysvol/ad.bib.lan/scripts
    read only = no
[printers]
    path = /var/spool/samba/
    printable = yes
[print$]
    path = /srv/samba/printer_drivers/
    read only = no
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii acl 2.2.53-6 amd64 access control list - utilities
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended
attributes
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT
Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using
MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared
library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime
libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos -
libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime
libraries - Support library
ii libnss-winbind:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba nameservice
integration plugins
ii libpam-winbind:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Windows domain
authentication integration plugin
ii libwbclient0:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba winbind client
library
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.15.1+dfsg-0.1focal1 amd64 Python 3 bindings for Samba
ii samba 2:4.15.1+dfsg-0.1focal1 amd64 SMB/CIFS file, print, and login
server for Unix
ii samba-common 2:4.15.1+dfsg-0.1focal1 all common files used by both
the Samba server and client
ii samba-common-bin 2:4.15.1+dfsg-0.1focal1 amd64 Samba common files
used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba
Directory Services Database
ii samba-libs:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Samba Virtual
FileSystem plugins
ii winbind 2:4.15.1+dfsg-0.1focal1 amd64 service to resolve user and
group information from Windows NT servers
-----------
L.P.H. van Belle
2021-Nov-03 15:27 UTC
[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcel de Reuver via samba
> Sent: Wednesday, 3 November 2021 13:58
> To: samba at lists.samba.org
> Subject: [Samba] Fwd: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
>
.......
> My setup:
> Collected config --- 2021-11-03-11:55 -----------
>
> Hostname: DC002
> DNS Domain: ad.bib.lan
> FQDN: DC002.ad.bib.lan
> ipaddress: 10.97.37.4
>
> -----------

https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html
the list of names that may not be used for top-level domains the following labels:
.local .localdomain .domain .lan .home .host .corp

Now, note that .lan is in there..
But.. It's not that big a problem..
If you config nsswitch.conf correctly (better)
or if you enable publish-resolv-conf-dns-servers in avahi-daemon.conf.
the file /etc/resolv.conf will be read, too.

What I removed from the debug output, like Rowland also said, all good.

> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>  default_realm = AD.BIB.LAN
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>
> [realms]
> AD.BIB.LAN = {
>  default_domain = ad.bib.lan
> }
>
> [domain_realm]
>  DC002 = AD.BIB.LAN

All you need here is :
[libdefaults]
default_realm = AD.BIB.LAN
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

The rest are default settings.

>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns

OR enable publish-resolv-conf-dns-servers in avahi-daemon.conf
And keep as is, or don't and change to this. (moved dns more to front)
hosts: files dns mdns4_minimal [NOTFOUND=return]

> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
...
>     winbind enum users = yes
>     winbind enum groups = yes

You should set these to "no"
Use getent passwd username to see if it's all ok.

Greetz,
Louis
Jerome Borsboom
2021-Nov-04 13:00 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
On Wed, 2021-11-03 at 12:01 +0100, Marcel de Reuver via samba wrote:
> My logging is flooded with these notifications: [2021/11/03
> 11:53:51.573128, 0]
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.683035, 0]
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.710025, 0]
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.842878, 0]
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.983252, 0]
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE All seems to wo

What are your clients to this DC? Windows 7 with latest rollup? If so, this might be the same as bug #14867.

Regards,
Jerome Borsboom
Flole
2021-Nov-22 18:46 UTC
[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
I'm seeing the same issue since updating to 4.13 on my Ubuntu system and I have done additional debugging and reported an issue for the Ubuntu package at https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1951490.

To sum it up here as well: Enabling debug logs shows that this is caused by the ownership of a directory which samba complains is not matching:

[2021/11/19 01:48:37.482365, 4, effective(30000XX, 100), real(30000XX, 0)] ../../source3/rpc_server/rpc_ncacn_np.c:110(make_internal_rpc_pipe_socketpair)
  Create of internal pipe \pipe\spoolss requested
[2021/11/19 01:48:37.485785, 3, effective(30000XX, 100), real(30000XX, 0)] ../../lib/util/util.c:483(directory_create_or_exist_strict)
  directory_create_or_exist_strict: invalid ownership on directory /var/lib/samba/private/msg.sock
[2021/11/19 01:48:37.485807, 1, effective(30000XX, 100), real(30000XX, 0)] ../../source3/auth/auth_samba4.c:248(prepare_gensec)
  imessaging_init failed

The issue is caused by /var/lib/samba/private/msg.sock being owned by root:root in my case (and it gets created with those permissions as well if I delete it), but https://github.com/samba-team/samba/blob/db11778b57610e24324aa4342f89918f66157d71/source4/lib/messaging/messaging.c#L507 uses geteuid() which is sometimes the user ID of the connecting user (as can be seen above, XX is the number that represents the uid of the windows user connecting).

I am not sure if this is related to my "unable to print"-issue but this happens whenever I try to print and whenever the print queue is refreshed by a client.
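
The ownership mismatch described in the last post can be reproduced in isolation. The following is an added example, not Samba source code and not part of any post in this thread: it sketches a strict directory check of the kind the log lines describe, where a directory is accepted only if it is a real directory, is owned by the uid the caller insists on, and has exactly the expected mode. The names strict_dir_check, dir_check_str and make_scratch_dir and the 0700 mode are assumptions made for illustration.

```c
/* Added illustration; not Samba source code. All names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum dir_check {
    DIR_OK = 0,
    DIR_STAT_FAILED,      /* path missing or not accessible */
    DIR_NOT_A_DIRECTORY,  /* regular file, symlink, socket, ... */
    DIR_BAD_OWNER,        /* st_uid differs from the uid we insist on */
    DIR_BAD_MODE          /* permission bits differ from the expected mode */
};

/* Accept 'path' only if it is a directory owned by want_uid with
 * permission bits exactly want_mode. */
enum dir_check strict_dir_check(const char *path, uid_t want_uid, mode_t want_mode)
{
    struct stat st;

    /* lstat(): a symlink at 'path' is reported as a link and rejected,
     * rather than followed to whatever it points at. */
    if (lstat(path, &st) == -1) {
        return DIR_STAT_FAILED;
    }
    if (!S_ISDIR(st.st_mode)) {
        return DIR_NOT_A_DIRECTORY;
    }
    if (st.st_uid != want_uid) {
        return DIR_BAD_OWNER;
    }
    if ((st.st_mode & 0777) != want_mode) {
        return DIR_BAD_MODE;
    }
    return DIR_OK;
}

const char *dir_check_str(enum dir_check rc)
{
    switch (rc) {
    case DIR_OK:              return "ok";
    case DIR_STAT_FAILED:     return "cannot stat";
    case DIR_NOT_A_DIRECTORY: return "not a directory";
    case DIR_BAD_OWNER:       return "invalid ownership";
    case DIR_BAD_MODE:        return "invalid permissions";
    }
    return "unknown";
}

/* Create a scratch directory (mode 0700) owned by the calling user. */
int make_scratch_dir(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR");
    int n;

    if (base == NULL || base[0] == '\0') {
        base = "/tmp";
    }
    n = snprintf(buf, len, "%s/dircheck.XXXXXX", base);
    if (n < 0 || (size_t)n >= len) {
        return -1;
    }
    if (mkdtemp(buf) == NULL) {
        return -1;
    }
    return chmod(buf, 0700);
}

int main(int argc, char **argv)
{
    uid_t euid = geteuid();
    char dir[256];

    if (argc > 1) {
        /* Check a real path against the effective uid of this process.
         * The expected mode 0700 is an assumption of this example. */
        enum dir_check rc = strict_dir_check(argv[1], euid, 0700);
        printf("%s as euid %lu: %s\n", argv[1], (unsigned long)euid,
               dir_check_str(rc));
        return rc == DIR_OK ? 0 : 1;
    }

    if (make_scratch_dir(dir, sizeof(dir)) != 0) {
        perror("scratch dir");
        return 2;
    }
    /* One directory, two callers: the check passes when the expected uid
     * is the owner and fails when a different uid is expected, which is
     * the situation of a root-owned directory checked under the uid of a
     * connecting user. */
    printf("expected uid == owner: %s\n",
           dir_check_str(strict_dir_check(dir, euid, 0700)));
    printf("expected uid != owner: %s\n",
           dir_check_str(strict_dir_check(dir, euid + 1, 0700)));
    rmdir(dir);
    return 0;
}
```

Run with a path argument to check an existing directory against the effective uid of the invoking process; run without arguments for the constructed demonstration.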