[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland penny rpenny at samba.org
Thu Apr 1 07:35:47 UTC 2021

On 01/04/2021 07:21, Stefan Bellon wrote:
> On Wed, 31 Mar, Rowland penny via samba wrote:
>> At one time, running sysvolreset could wreck the permissions, this
>> appears to have been because winbind couldn't map all the required
>> SID's. This has been fixed, so you can now depend on
>> sysvolreset/sysvolcheck, provided you never give Domain Admins a
>> gidNumber attribute.
> Ah, wow, just a moment ... my Domain Admins do have an gidNumber
> attribute because they also map to a special admin group on the
> GNU/Linux side.
> What's the problem with that? Where can I read further about this "never
> give Domain Admins a gidNumber attribute" thing?

It is in the wiki, but the problem is down to Windows groups being 
able to own files and folders, something that normally cannot happen on 

Normally, Domain Admins is mapped to 'ID_TYPE_BOTH' in idmap.ldb i.e. it 
is both a group and a user, but if you give Domain Admins a gidNumber, 
it turns the group into just a group and groups cannot own things on 
Unix and Domain Admins needs to own things in sysvol.

There are two ways around this, either do not give Domain Admins a 
gidNumber (I use a group called Unix Admins instead) or remove 
'idmap_ldb:use rfc2307 = yes' from the DC's smb.conf.

>> If, as you say, adding a GPO causes that message to appear in the
>> logs, then it looks like a bug, but there is a gotcha, your log
>> message refers to line 1086, the latest rpc_server.c code only has
>> 717 lines, so it might be an idea to upgrade Samba if possible, the
>> 'possible bug' may have been fixed.
> Well, Debian stable has Samba 4.9.5, so I even went with Debian testing
> in order to get at least Samba 4.13.5 when setting up the two new DCs.

Have a look here: https://apt.van-belle.nl/
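The check below is an added example, not code from this thread or from the Samba project. It tests for the combination Rowland describes (the DC's smb.conf has 'idmap_ldb:use rfc2307 = yes' and Domain Admins carries a gidNumber) and also reports what idmap.ldb says about the group, which should normally be ID_TYPE_BOTH. The three inputs are plain files so it runs offline on constructed data; the commands shown in the comments for producing those files on a real DC, the database path and the sample SID are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# It checks for the state described above: 'idmap_ldb:use rfc2307 = yes'
# in the DC's smb.conf combined with a gidNumber on Domain Admins, which
# turns the group's mapping from ID_TYPE_BOTH into a group-only mapping
# that cannot own the files it must own in sysvol.
#
# The three inputs are files so the check can run offline on constructed
# data. On a real DC they would be produced roughly like this (the
# commands and the default idmap.ldb path are assumptions, adjust them):
#   testparm -s > /tmp/smb.conf.eff 2>/dev/null
#   samba-tool group show 'Domain Admins' > /tmp/da.ldif
#   SID=$(wbinfo --name-to-sid 'Domain Admins' | cut -d' ' -f1)
#   ldbsearch -H /var/lib/samba/private/idmap.ldb "(objectSid=$SID)" \
#       type xidNumber > /tmp/da-idmap.ldif

# check_sysvol_owner SMB_CONF GROUP_LDIF IDMAP_LDIF
# Exit status 0: Domain Admins can still own sysvol; 1: problem found.
check_sysvol_owner() {
    conf=$1 group=$2 idmap=$3
    rfc=no gid=no rc=0

    # Only with this setting does a gidNumber in AD take the place of the
    # ID_TYPE_BOTH mapping in idmap.ldb.
    if grep -Eqi '^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*yes' "$conf"; then
        rfc=yes
    fi
    if grep -qi '^gidNumber:' "$group"; then
        gid=yes
    fi
    # First 'type:' attribute of the idmap.ldb entry, if one was supplied.
    type=$(sed -n 's/^type: //p' "$idmap" | head -n 1)

    echo "idmap_ldb:use rfc2307 = $rfc; Domain Admins gidNumber present: $gid; idmap.ldb type: ${type:-none}"

    if [ "$rfc" = yes ] && [ "$gid" = yes ]; then
        echo "PROBLEM: Domain Admins is just a group on the Unix side; it cannot own files in sysvol."
        echo "Fix: remove the gidNumber (use a separate Unix admin group) or drop 'idmap_ldb:use rfc2307 = yes'."
        rc=1
    elif [ -n "$type" ] && [ "$type" != ID_TYPE_BOTH ]; then
        echo "WARNING: idmap.ldb maps Domain Admins as $type, expected ID_TYPE_BOTH."
        rc=1
    else
        echo "OK: Domain Admins keeps its ID_TYPE_BOTH mapping and can own files in sysvol."
    fi
    return $rc
}

# Usage on a DC after producing the three files as shown above:
#   check_sysvol_owner /tmp/smb.conf.eff /tmp/da.ldif /tmp/da-idmap.ldif
```

Run it on the effective configuration from testparm rather than on a hand-edited smb.conf, so that includes and overrides are taken into account; a non-zero exit status is the signal that sysvolreset/sysvolcheck cannot be relied on until one of the two workarounds above is applied.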
