[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland penny rpenny at samba.org
Wed Mar 31 11:15:19 UTC 2021

On 31/03/2021 12:03, Stefan Bellon via samba wrote:
> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
>>> I have the feeling this is directly connected to sysvol
>>> permissions.
>> That would be incredibly unlikely.  This is about failing to setup the
>> Kerberos code that accepts incoming tickets, so it could fail if the
>> DC things it is not a DC or can't find the secrets.ldb entry etc.
> I'm fully open to suggestions and ideas on how to debug this further.
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
> As soon as I edit a group policy on the windows side, the messages
> appear in the log and also sysvolcheck reports issues.

Have you modified your users or groups in any way ?

> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range?

Yes, as standard, all users and groups on a Samba AD DC have ID's in the 
'3000000' range.

> Or is it expected that those belong to
> root:root below sysvol?

No it isn't.

What is the output of 'sudo samba-tool ntacl get /var/lib/samba/sysvol 


> Greetings,
> Stefan

More information about the samba mailing list