[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

L.P.H. van Belle belle at bazuin.nl
Wed Mar 31 11:22:43 UTC 2021


Run this one:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 

And post the output. Looking at our output below, 3000006 and 3000010 should not be there in these outputs.
So run this on both DCs and compare the output files.
You might have forgotten to sync the idmap.tdb on the DCs.
See: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
Quote: To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.
These should always be the same on all AD-DCs.
And the 300000 range is correct for the AD-DCs.

You might want to read this Debian bug; maybe it applies, I don't know, I've not seen it in my network.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986168

This may be related to Debian bug: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968943

It is almost surely related to Ubuntu bug number #1900856:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856
(last 2 additions are from the bug report #986168)

See if this applies to you, not on the cifs part
but on the Kerberos cache part.

+ what Rowland said. ;-) Good I checked the list before I mailed this.


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Bellon via
> samba
> Sent: Wednesday 31 March 2021 13:03
> To: Andrew Bartlett via samba
> CC: Andrew Bartlett
> Subject: Re: [Samba] Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
> 
> On Wed, 31 Mar, Andrew Bartlett via samba wrote:
> 
> > On Wed, 2021-03-31 at 09:06 +0200, Stefan Bellon via samba wrote:
> 
> > > I have the feeling this is directly connected to sysvol
> > > permissions.
> >
> > That would be incredibly unlikely.  This is about failing to set up the
> > Kerberos code that accepts incoming tickets, so it could fail if the
> > DC thinks it is not a DC or can't find the secrets.ldb entry etc.
> 
> I'm fully open to suggestions and ideas on how to debug this further.
> 
> I can only tell you my observation, that after I do a "sysvolreset" and
> do not touch the sysvol at all, neither from GNU/Linux side nor from
> Windows side, then the log.smbd is completely free of those messages.
> 
> As soon as I edit a group policy on the Windows side, the messages
> appear in the log and also sysvolcheck reports issues.
> 
> Are the permissions that I showed in my last email correct? Is it
> expected that on the GNU/Linux side the uid and gid of those folders is
> something in the 3000000 range? Or is it expected that those belong to
> root:root below sysvol?
> 
> Greetings,
> Stefan
> 
> --
> Stefan Bellon
