[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Stefan Bellon bellon at axivion.com
Thu Apr 1 06:21:54 UTC 2021

On Wed, 31 Mar, Rowland penny via samba wrote:

> At one time, running sysvolreset could wreck the permissions, this 
> appears to have been because winbind couldn't map all the required 
> SID's. This has been fixed, so you can now depend on 
> sysvolreset/sysvolcheck, provided you never give Domain Admins a 
> gidNumber attribute.

Ah, wow, just a moment ... my Domain Admins do have an gidNumber
attribute because they also map to a special admin group on the
GNU/Linux side.

What's the problem with that? Where can I read further about this "never
give Domain Admins a gidNumber attribute" thing?

> If, as you say, adding a GPO causes that message to appear in the
> logs, then it looks like a bug, but there is a gotcha, your log
> message refers to line 1086, the latest rpc_server.c code only has
> 717 lines, so it might be an idea to upgrade Samba if possible, the
> 'possible bug' may have been fixed.

Well, Debian stable has Samba 4.9.5, so I even went with Debian testing
in order to get at least Samba 4.13.5 when setting up the two new DCs.

It looks like I have to read into how to build Samba from source then...


Stefan Bellon

More information about the samba mailing list