[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
Rowland penny
rpenny at samba.org
Wed Mar 31 13:30:11 UTC 2021
On 31/03/2021 14:09, Stefan Bellon via samba wrote:
> First of all, thanks for your help and suggestions. Very much welcome.
>
>
> default-rights-sysvol.acl looks identical on both DC1 and DC2:
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root
There is a problem, the group should be BUILTIN\\administrators which on
my DC is 3000000:
getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
> I can confirm that when doing "klist", the ticket cache is in files
> named /tmp/krb5cc_%{euid}_%{something} for all users except root, where
> the ticket cache is /tmp/krb5cc_0 without the suffix.
That is Administrator's ticket, not root's
> Not sure whether this is my setup ... I do not mount shares on UNIX
> side at all, it's just the netlogon/sysvol stuff for Windows.
Er, netlogon & sysvol are shares 😁
> So, do you suggest I add
>
> [libdefaults]
> default_ccache_name = FILE:/tmp/krb5cc_%{euid}
>
> to /etc/samba/smb.conf?
No and not even to /etc/krb5.conf
>
> Would that however explain why sysvolcheck fails as soon as I did some
> edit operation on the Windows side?
I personally think it is probably the wrong group ownership on
/var/lib/samba/sysvol, the question has to be, how did it become 'root' ?
Rowland
More information about the samba
mailing list