[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Stefan Bellon bellon at axivion.com
Wed Mar 31 13:09:30 UTC 2021


First of all, thanks for your help and suggestions. Very much welcome.

On Wed, 31 Mar, L.P.H. van Belle via samba wrote:

> Run this one : 
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 
> 
> And post the output, looking at our output below, 3000006 and 3000010
> should not be there, in these outputs. So run this on both DC's and
> compare the output files.

default-rights-sysvol.acl looks identical on both DC1 and DC2:

# file: /var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

> You might have forgotten to sync the idmap.tdb on the DC's. See:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Before I touched anything, I wrote up a guide of how to do the setup
and migration. I played it through completely in a playground
environment with three VMs "testolddc", "testdc1", and "testdc2". After
that "succeeded", I did the exact same steps when doing the real "dc1"
and "dc". My documentation includes the following steps:

- on main DC1:
# rm -f /var/lib/samba/private/idmap.ldb.bak
# tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
# scp /var/lib/samba/private/idmap.ldb.bak DC2

- on new DC2:
# chown root.root /var/lib/samba/private/idmap.ldb.bak
# mv /var/lib/samba/private/idmap.ldb.bak /var/lib/samba/private/idmap.ldb

# net cache flush
# samba-tool ntacl sysvolcheck
# samba-tool ntacl sysvolreset
# samba-tool ntacl sysvolcheck

That's what I did.

> Quote : To use a Sysvol Replication workaround, all domain
> controllers (DC) must use the same ID mappings for built-in users and
> groups. These should always be the same on all AD-DC's. And the
> 300000 range is correct for the AD-DC's.

I set up DC1 and DC2 from scratch in parallel (i.e. they have the same
packages installed and the same users and groups set up), using the same
Debian Bullseye image and my same step-by-step guide.

> You might want to read Debian bug , maybe it applies, I don't know,
> I've not seen it in my network.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986168

I can confirm that when doing "klist", the ticket cache is in files
named /tmp/krb5cc_%{euid}_%{something} for all users except root, where
the ticket cache is /tmp/krb5cc_0 without the suffix.

> This may be related to Debian bug: 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968943

Not sure whether this is my setup ... I do not mount shares on UNIX
side at all, it's just the netlogon/sysvol stuff for Windows.

> It is almost surely related to Ubuntu bug number # 1900856:
> https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856
> (last 2 additions are from the bug report #986168)
> 
> See if this applied to you, not on the cifs part
> but on the kerberos cache part

So, do you suggest I add

[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{euid}

to /etc/samba/smb.conf?

Would that however explain why sysvolcheck fails as soon as I did some
edit operation on the Windows side?

Greetings,
Stefan

-- 
Stefan Bellon
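The check L.P.H. asked for above (compare the sysvol ACL dumps from both DCs and look for xids that should not be there) can be done with a small script like the following. This is an added example, not part of the thread or of Samba; the allow-list of xids is taken from the dump posted above and is an assumption, not a Samba reference, and both input dumps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare two getfacl dumps of /var/lib/samba/sysvol (one per
# DC) and flag any numeric xid outside an allow-list. Allow-list below is the
# set seen in the posted dump (3000000-3000003); adjust it to whatever
# "samba-tool ntacl sysvolreset" produces on your primary DC.

# Constructed sample: abridged dump from DC1, as posted.
DC1_ACL='# file: /var/lib/samba/sysvol
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx'

# Constructed sample: the same dump from DC2 with two unexpected xids added.
DC2_ACL='# file: /var/lib/samba/sysvol
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000006:rwx
group:3000002:rwx
group:3000003:r-x
group:3000010:r-x
mask::rwx'

ALLOWED_XIDS="3000000 3000001 3000002 3000003"

# Print the numeric xids of user:/group: entries (default: ones too), unique.
acl_xids() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        { t = ($1 == "default") ? $2 : $1; id = ($1 == "default") ? $3 : $2 }
        (t == "user" || t == "group") && id ~ /^[0-9]+$/ { print id }
    ' | sort -un
}

# Print xids from a dump that are not in ALLOWED_XIDS, one per line.
unexpected_xids() {
    for id in $(acl_xids "$1"); do
        case " $ALLOWED_XIDS " in
            *" $id "*) ;;
            *) printf '%s\n' "$id" ;;
        esac
    done
}

# Succeed only if the two dumps carry the same ACL entries (comments ignored).
acls_identical() {
    a=$(printf '%s\n' "$1" | awk '!/^#/' | sort)
    b=$(printf '%s\n' "$2" | awk '!/^#/' | sort)
    [ "$a" = "$b" ]
}

acls_identical "$DC1_ACL" "$DC2_ACL" || echo "sysvol ACLs differ between DC1 and DC2"
echo "unexpected xids on DC2: $(unexpected_xids "$DC2_ACL" | tr '\n' ' ')"
```

On a real system feed it `getfacl /var/lib/samba/sysvol` output captured on each DC instead of the constructed strings.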
