L.P.H. van Belle
2021-Nov-03 15:27 UTC
[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcel de Reuver via samba
> Sent: Wednesday 3 November 2021 13:58
> To: samba at lists.samba.org
> Subject: [Samba] Fwd: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
> .......
> My setup:
> Collected config --- 2021-11-03-11:55 -----------
>
> Hostname: DC002
> DNS Domain: ad.bib.lan
> FQDN: DC002.ad.bib.lan
> ipaddress: 10.97.37.4
>
> -----------

https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html

The list of names that may not be used for top-level domains includes the following labels:

.local
.localdomain
.domain
.lan
.home
.host
.corp

Now, note that .lan is in there.. But.. It's not that a big problem..

If you config nsswitch.conf correctly (better) or if you enable publish-resolv-conf-dns-servers in avahi-daemon.conf,
the file /etc/resolv.conf will be read, too.

What I removed from the debug output, like Rowland also said, all good.

> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>   default_realm = AD.BIB.LAN
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>
> [realms]
> AD.BIB.LAN = {
>   default_domain = ad.bib.lan
> }
>
> [domain_realm]
>   DC002 = AD.BIB.LAN

All you need here is:

[libdefaults]
default_realm = AD.BIB.LAN

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

The rest are default settings.

> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns

OR enable publish-resolv-conf-dns-servers in avahi-daemon.conf
And keep as is, or don't and change to this. (moved dns more to front)

hosts: files dns mdns4_minimal [NOTFOUND=return]

> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
...
>     winbind enum users = yes
>     winbind enum groups = yes

You should set these to "no".
Use getent passwd username to see if it's all ok.

Greetz,

Louis
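The three points Louis raises above (hosts: ordering in nsswitch.conf, the winbind enum settings in smb.conf, and a default_realm matching the DNS domain in krb5.conf) can be checked mechanically before touching a DC. The script below is an added example and is not part of the thread or of Samba's own tooling; the sample file contents are constructed from the values quoted in the thread, the finding codes are my own, and the hosts: check simply encodes the ordering Louis recommends.

```python
"""Config lint for the three files discussed in the thread above.

Added example, not the list's own script or Samba tooling. It checks:
- /etc/nsswitch.conf: on the hosts: line, 'dns' should precede
  'mdns4_minimal [NOTFOUND=return]' (the ordering recommended above), and the
  domain's TLD is compared with the list from the draft cited above;
- /etc/samba/smb.conf: 'winbind enum users' / 'winbind enum groups' should be no;
- /etc/krb5.conf: default_realm should be the DNS domain in upper case.
The sample file contents below are constructed from the configs quoted above.
"""
import re
from configparser import ConfigParser

# TLDs that draft-chapin-rfc2606bis-00 says may not be used (as quoted above).
RESERVED_TLDS = {"local", "localdomain", "domain", "lan", "home", "host", "corp"}

# --- constructed sample input, taken from the configs quoted in the thread ---
DNS_DOMAIN = "ad.bib.lan"
NSSWITCH = """\
passwd:   files systemd winbind
group:    files systemd winbind
hosts:    files mdns4_minimal [NOTFOUND=return] dns
networks: files
"""
SMB_CONF = """\
[global]
    realm = AD.BIB.LAN
    winbind enum users = yes
    winbind enum groups = yes
"""
KRB5_CONF = """\
[libdefaults]
    default_realm = AD.BIB.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""


def hosts_sources(nsswitch_text):
    """Ordered NSS sources on the hosts: line, with [ACTION=...] tokens dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []


def check_nsswitch(nsswitch_text, dns_domain):
    """Findings are (severity, code, message) tuples; codes are this example's own."""
    findings = []
    sources = hosts_sources(nsswitch_text)
    if ("mdns4_minimal" in sources and "dns" in sources
            and sources.index("mdns4_minimal") < sources.index("dns")):
        findings.append(("warn", "NSSWITCH_MDNS_BEFORE_DNS",
                         "hosts: mdns4_minimal is consulted before dns; move dns in front"))
    tld = dns_domain.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in RESERVED_TLDS:
        findings.append(("info", "TLD_RESERVED",
                         f".{tld} is on the draft-chapin-rfc2606bis list of TLDs not to use"))
    return findings


def check_smb_conf(smb_text):
    """Flag 'winbind enum users/groups' when enabled in [global]."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_text)
    findings = []
    for key in ("winbind enum users", "winbind enum groups"):
        value = cp.get("global", key, fallback="no").strip().lower()
        if value in ("yes", "true", "1"):
            findings.append(("warn", "WINBIND_ENUM_" + key.split()[-1].upper(),
                             f"{key} = {value}; set it to no"))
    return findings


def krb5_default_realm(krb5_text):
    """Regex rather than ConfigParser: krb5.conf's brace blocks are not INI."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    return m.group(1) if m else None


def check_krb5(krb5_text, dns_domain):
    realm = krb5_default_realm(krb5_text)
    if realm is None:
        return [("warn", "KRB5_NO_DEFAULT_REALM", "no default_realm in [libdefaults]")]
    if realm != dns_domain.upper():
        return [("warn", "KRB5_REALM_MISMATCH",
                 f"default_realm {realm} != {dns_domain.upper()}")]
    return []


def lint(nsswitch_text, smb_text, krb5_text, dns_domain):
    return (check_nsswitch(nsswitch_text, dns_domain)
            + check_smb_conf(smb_text)
            + check_krb5(krb5_text, dns_domain))


if __name__ == "__main__":
    for severity, code, message in lint(NSSWITCH, SMB_CONF, KRB5_CONF, DNS_DOMAIN):
        print(f"[{severity}] {code}: {message}")
```

Run against the quoted configs it reports the mdns-before-dns ordering, both winbind enum settings, and an informational note that .lan is on the draft's list; the krb5.conf passes because default_realm already equals the DNS domain in upper case. To use it on a real host, read the three files with open() in place of the constructed strings.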
Marcel de Reuver
2021-Nov-04 12:34 UTC
[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
>> My setup:
>> Collected config --- 2021-11-03-11:55 -----------
>>
>> Hostname: DC002
>> DNS Domain: ad.bib.lan
>> FQDN: DC002.ad.bib.lan
>> ipaddress: 10.97.37.4
>>
>> -----------
> https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html
>
> The list of names that may not be used for top-level domains includes the following labels:
>
> .local
> .localdomain
> .domain
> .lan
> .home
> .host
> .corp
>
> Now, note that .lan is in there.. But.. It's not that a big problem..
>
> If you config nsswitch.conf correctly (better) or if you enable
> publish-resolv-conf-dns-servers in avahi-daemon.conf,
> the file /etc/resolv.conf will be read, too.

Unfortunately a discussion about the correct top level domain will not resolve the log messages.

>
> What I removed from the debug output, like Rowland also said, all good.
>
>> -----------
>>
>> Checking file: /etc/krb5.conf
>>
>> [libdefaults]
>>   default_realm = AD.BIB.LAN
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = true
>>
>> [realms]
>> AD.BIB.LAN = {
>>   default_domain = ad.bib.lan
>> }
>>
>> [domain_realm]
>>   DC002 = AD.BIB.LAN
>
> All you need here is:
> [libdefaults]
> default_realm = AD.BIB.LAN
>
> # The following krb5.conf variables are only for MIT Kerberos.
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> The rest are default settings.
>

My /etc/krb5.conf is a copy of the one in /var/lib/samba/private/

>> -----------
>>
>> Checking file: /etc/nsswitch.conf
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: files systemd winbind
>> group: files systemd winbind
>> shadow: files
>> gshadow: files
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns
> OR enable publish-resolv-conf-dns-servers in avahi-daemon.conf
> And keep as is, or don't and change to this. (moved dns more to front)
> hosts: files dns mdns4_minimal [NOTFOUND=return]
>
>
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> -----------
>>
>> Checking file: /etc/samba/smb.conf
>>
>> # Global parameters
> ...
>
>>     winbind enum users = yes
>>     winbind enum groups = yes
> You should set these to "no".
> Use getent passwd username to see if it's all ok.
>

I've made the suggested changes and the log messages continue.
L.P.H. van Belle
2021-Nov-04 13:22 UTC
[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcel de Reuver via samba
> Sent: Thursday 4 November 2021 13:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fwd: Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
>
> >> My setup:
> >> Collected config --- 2021-11-03-11:55 -----------
> >>
> >> Hostname: DC002
> >> DNS Domain: ad.bib.lan
> >> FQDN: DC002.ad.bib.lan
> >> ipaddress: 10.97.37.4
> >>
> >> -----------
> > https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html
> >
> > The list of names that may not be used for top-level domains includes the following labels:
> >
> > .local
> > .localdomain
> > .domain
> > .lan
> > .home
> > .host
> > .corp
> >
> > Now, note that .lan is in there.. But.. It's not that a big problem..
> >
> > If you config nsswitch.conf correctly (better) or if you enable
> > publish-resolv-conf-dns-servers in avahi-daemon.conf,
> > the file /etc/resolv.conf will be read, too.
>
> Unfortunately a discussion about the correct top level domain
> will not resolve the log messages.

I'm not discussing it, I'm just pointing to "configure it correctly".

> >
> >
> > What I removed from the debug output, like Rowland also said, all good.
> >
> >> -----------
> >>
> >> Checking file: /etc/krb5.conf
> >>
> >> [libdefaults]
> >>   default_realm = AD.BIB.LAN
> >>   dns_lookup_realm = false
> >>   dns_lookup_kdc = true
> >>
> >> [realms]
> >> AD.BIB.LAN = {
> >>   default_domain = ad.bib.lan
> >> }
> >>
> >> [domain_realm]
> >>   DC002 = AD.BIB.LAN
> >
> > All you need here is:
> > [libdefaults]
> > default_realm = AD.BIB.LAN
> >
> > # The following krb5.conf variables are only for MIT Kerberos.
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> >
> > The rest are default settings.
> >
>
> My /etc/krb5.conf is a copy of the one in /var/lib/samba/private/

On Debian, in all cases, if you enter the realm correctly,
what's produced at install is fine to run a "normal" samba-ad network.

> >
> >> -----------
> >>
> >> Checking file: /etc/nsswitch.conf
> >>
> >> # /etc/nsswitch.conf
> >> #
> >> # Example configuration of GNU Name Service Switch functionality.
> >> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> >> # `info libc "Name Service Switch"' for information about this file.
> >>
> >> passwd: files systemd winbind
> >> group: files systemd winbind
> >> shadow: files
> >> gshadow: files
> >>
> >> hosts: files mdns4_minimal [NOTFOUND=return] dns
> > OR enable publish-resolv-conf-dns-servers in avahi-daemon.conf
> > And keep as is, or don't and change to this. (moved dns more to front)
> > hosts: files dns mdns4_minimal [NOTFOUND=return]
> >
> >
> >> networks: files
> >>
> >> protocols: db files
> >> services: db files
> >> ethers: db files
> >> rpc: db files
> >>
> >> netgroup: nis
> >>
> >> -----------
> >>
> >> Checking file: /etc/samba/smb.conf
> >>
> >> # Global parameters
> > ...
> >
> >>     winbind enum users = yes
> >>     winbind enum groups = yes
> > You should set these to "no".
> > Use getent passwd username to see if it's all ok.
> >
>
> I've made the suggested changes and the log messages continue.

I found in some older list messages a reply of Andrew.

> Andrew Bartlett via samba
> Sent: Wednesday 31 March 2021 9:17
> To: Stefan Bellon; Stefan Bellon via samba
> Subject: Re: [Samba] Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE

> This is about failing to setup the
> Kerberos code that accepts incoming tickets, so it could fail if the DC
> thinks it is not a DC or can't find the secrets.ldb entry etc.

If this is the first AD-DC:
Stop samba-ad-dc.
Wipe the samba data, rename the smb.conf and re-provision.
Leave everything else as it is.
Clean /var/cache/samba/ and /var/lib/samba and their subfolders.
Don't remove the subfolders; if you do, recreate these.

The other option: remove (de-install) samba winbind,
clean /var/cache/samba/ and /var/lib/samba and their subfolders,
reinstall and reprovision.

Greetz,

Louis