[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland penny rpenny at samba.org
Wed Mar 31 13:45:03 UTC 2021


On 31/03/2021 13:56, Stefan Bellon wrote:
> Thanks a lot for helping me with this issue, very much appreciated.
>
> On Wed, 31 Mar, Rowland penny via samba wrote:
>> On 31/03/2021 12:03, Stefan Bellon via samba wrote:
>>
>>> As soon as I edit a group policy on the windows side, the messages
>>> appear in the log and also sysvolcheck reports issues.
>> Have you modified your users or groups in any way ?
> I have not knowingly. I cannot say for sure regarding people that
> worked on the old Samba domain before it was handed over to me to take
> care of it.
>
>>> Are the permissions that I showed in my last email correct? Is it
>>> expected that on the GNU/Linux side the uid and gid of those
>>> folders is something in the 3000000 range?
>> Yes, as standard, all users and groups on a Samba AD DC have ID's in
>> the '3000000' range.
>>
>>> Or is it expected that those belong to
>>> root:root below sysvol?
>> No it isn't.
> Then I'm wondering how the unison sysvol replication is supposed to
> work. After following
>
> https://wiki.samba.org/index.php/Bidirectional_Rsync/Unison_based_SysVol_replication_workaround
>
> I ended up getting the sysvol on DC2 with root:root and different UNIX
> permissions than on DC1 until I added
>
> owner=true
> group=true
> perms=0o1777
>
> to the /root/.unison/default.prf. With that I get an - at least to my
> eye - exact identical copy of sysvol on DC2.
>
>> What is the output of 'sudo samba-tool ntacl
>> get /var/lib/samba/sysvol --as-sddl'
> root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> root at dc2:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Greetings,
> Stefan
>

OK, I 'think' I may know what is going on here with unison and if I am 
correct, unless we can come up with a fix, we may have to recommend not 
using unison.

O:LAG:BA is:
O = owner
LA = local Administrator
G = group
BA = BUILTIN\Administrators

I 'think' unison is somehow mapping 'BUILTIN\Administrators' to 'root'

Rowland





More information about the samba mailing list