[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland Penny rpenny at samba.org
Wed Mar 31 13:30:11 UTC 2021

On 31/03/2021 14:09, Stefan Bellon via samba wrote:
> First of all, thanks for your help and suggestions. Very much welcome.
> default-rights-sysvol.acl looks identical on both DC1 and DC2:
> # file: /var/lib/samba/sysvol
> # owner: root
> # group: root

There is a problem: the group should be BUILTIN\\administrators, which on
my DC is 3000000:

getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000

> I can confirm that when doing "klist", the ticket cache is in files
> named /tmp/krb5cc_%{euid}_%{something} for all users except root, where
> the ticket cache is /tmp/krb5cc_0 without the suffix.

That is Administrator's ticket, not root's

> Not sure whether this is my setup ... I do not mount shares on UNIX
> side at all, it's just the netlogon/sysvol stuff for Windows.

Er, netlogon & sysvol are shares 😁

> So, do you suggest I add
> [libdefaults]
>      default_ccache_name = FILE:/tmp/krb5cc_%{euid}
> to /etc/samba/smb.conf?

No and not even to /etc/krb5.conf

> Would that however explain why sysvolcheck fails as soon as I did some
> edit operation on the Windows side?

I personally think it is probably the wrong group ownership on
/var/lib/samba/sysvol; the question has to be, how did it become 'root'?
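
The group-ownership check discussed in this message, as an added example that is not part of the original mail or of Samba itself: it reads the `# group:` header from getfacl output and compares it with the gid expected for BUILTIN\Administrators. The function names and the two sample inputs (constructed from the outputs quoted above) are hypothetical, and 3000000 is only the value from the DC in this message; the live lookup in the comment assumes winbind is running on the DC.

```shell
#!/bin/sh
# Print the value of the first "# group:" header in getfacl output read from stdin.
acl_group() {
    awk '/^# group: /{sub(/^# group: */, ""); print; exit}'
}

# check_sysvol_group EXPECTED_GROUP   (getfacl output on stdin)
# Returns 0 on match, 1 on mismatch, 2 when the input has no group header.
check_sysvol_group() {
    expected=$1
    actual=$(acl_group)
    if [ -z "$actual" ]; then
        echo "no '# group:' line in input" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: group is $actual"
        return 0
    fi
    echo "MISMATCH: group is $actual, expected $expected"
    return 1
}

# Constructed sample: the header reported for the DC with the problem.
sample_bad() {
    printf '%s\n' '# file: /var/lib/samba/sysvol' '# owner: root' '# group: root'
}

# Constructed sample: the header shown for the working DC.
sample_good() {
    printf '%s\n' '# file: var/lib/samba/sysvol' '# owner: root' '# group: 3000000'
}

# Offline demonstration on the constructed samples.
if sample_good | check_sysvol_group 3000000; then :; fi
if sample_bad | check_sysvol_group 3000000; then :; fi

# On a live DC (assumption: winbind is running; S-1-5-32-544 is the
# well-known SID of BUILTIN\Administrators; -n prints numeric ids):
#   getfacl -n /var/lib/samba/sysvol 2>/dev/null |
#       check_sysvol_group "$(wbinfo --sid-to-gid=S-1-5-32-544)"
```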

