[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Stefan Bellon bellon at axivion.com
Wed Mar 31 07:06:25 UTC 2021


On Tue, 30 Mar, Stefan Bellon via samba wrote:

> [2021/03/30 11:19:46.883518,  0] ../../source3/rpc_server/rpc_server.c:1086(dcesrv_auth_gensec_prepare)
>   dcesrv_auth_gensec_prepare: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

I have the feeling this is directly connected to sysvol permissions.

I observed that when I edit stuff in GPMC and get those messages in the
log, then afterwards a sysvolcheck will fail and the messages keep
coming even on successful domain user login.

If I resetsysvol and do not touch GPMC afterwards, then the log
messages do not appear (till the next action that most likely messes
with the sysvol permissions).

As the sysvol is the part that was not set up afresh on the new DCs but
copied over from the old Samba, I wonder whether this is broken:

root at dc1:~# cd /var/lib/samba/
root at dc1:~# ls -ald sysvol/
drwxrwx---+ 3 root 3000000 4096 Mar 30 23:22 sysvol/

root at dc1:~# ls -ald sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
drwxrwx---+ 4 3000008 3000008 4096 Mar 30 13:03 sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/

root at dc1:~# getfacl sysvol/
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

root at dc1:~# getfacl sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
# file: sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

First of all, I'm unsure whether it's correct that the UNIX uid/gid
(root:3000000 and 3000008:3000008) are set on the folders or whether
they should just belong to root:root?

And secondly, I'm wondering whether the ACL permissions are correct
either. The UIDs resolve as follows:

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
BUILTIN\Administrators 4

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
BUILTIN\Server Operators 4

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
NT AUTHORITY\SYSTEM 5

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
NT AUTHORITY\Authenticated Users 5

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
DS\Group Policy Creator Owners 2

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
DS\Enterprise Admins 2

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
DS\Domain Admins 2

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5

Any help would be very welcome.

Greetings,
Stefan

-- 
Stefan Bellon


