[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland penny rpenny at samba.org
Wed Mar 31 11:15:19 UTC 2021


On 31/03/2021 12:03, Stefan Bellon via samba wrote:
> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>
>> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
>>> I have the feeling this is directly connected to sysvol
>>> permissions.
>> That would be incredibly unlikely.  This is about failing to set up the
>> Kerberos code that accepts incoming tickets, so it could fail if the
>> DC thinks it is not a DC or can't find the secrets.ldb entry etc.
> I'm fully open to suggestions and ideas on how to debug this further.
>
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
>
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.


Have you modified your users or groups in any way?

>
> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range?


Yes, as standard, all users and groups on a Samba AD DC have IDs in the 
'3000000' range.

> Or is it expected that those belong to
> root:root below sysvol?


No, it isn't.

What is the output of 'sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl'?

Rowland


>
> Greetings,
> Stefan
>



