[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
Rowland penny
rpenny at samba.org
Wed Mar 31 11:15:19 UTC 2021
On 31/03/2021 12:03, Stefan Bellon via samba wrote:
> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
>
>> On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
>>> I have the feeling this is directly connected to sysvol
>>> permissions.
>> That would be incredibly unlikely. This is about failing to set up the
>> Kerberos code that accepts incoming tickets, so it could fail if the
>> DC thinks it is not a DC or can't find the secrets.ldb entry etc.
> I'm fully open to suggestions and ideas on how to debug this further.
>
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
>
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.
Have you modified your users or groups in any way?
>
> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range?
Yes, as standard, all users and groups on a Samba AD DC have IDs in the
'3000000' range.
> Or is it expected that those belong to
> root:root below sysvol?
No it isn't.
What is the output of 'sudo samba-tool ntacl get /var/lib/samba/sysvol
--as-sddl'?
Rowland
>
> Greetings,
> Stefan
>