[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Stefan Bellon bellon at axivion.com
Wed Mar 31 13:51:42 UTC 2021


On Wed, 31 Mar, Rowland penny via samba wrote:

> > default-rights-sysvol.acl looks identical on both DC1 and DC2:
> > # file: /var/lib/samba/sysvol
> > # owner: root
> > # group: root  
> 
> There is a problem, the group should be BUILTIN\administrators which
> on my DC is 3000000:
> 
> getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: 3000000

Interestingly enough, when directly using getfacl
on /var/lib/samba/sysvol, I *also* get the group as 3000000 (on both
DCs):

root@dc1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

root@dc2:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

The output I pasted last time was the output of the script
samba-check-set-sysvol.sh where group is listed as "root" as opposed to
"3000000" when calling getfacl directly ...

Does this shed any light on something? ;-)

> > I can confirm that when doing "klist", the ticket cache is in files
> > named /tmp/krb5cc_%{euid}_%{something} for all users except root,
> > where the ticket cache is /tmp/krb5cc_0 without the suffix.  
> 
> That is Administrator's ticket, not root's

Ok, yes, sorry, I got confused because for test purposes I fetched the
ticket with user root, but of course I did "kinit administrator".

> > Not sure whether this is my setup ... I do not mount shares on UNIX
> > side at all, it's just the netlogon/sysvol stuff for Windows.  
> 
> Er, netlogon & sysvol are shares 😁

Right you are. ;-)

What I meant to say is that I do not mount those shares on GNU/Linux
and therefore I am not sure whether

> Shares on clients are mounted with multiuser,cifsacl via autofs.
> (fstype=cifs,rw,multiuser,cifsacl,username=cifsmount,soft,sec=krb5i,vers=3.0)

applies to my setup.

> > So, do you suggest I add
> >
> > [libdefaults]
> >      default_ccache_name = FILE:/tmp/krb5cc_%{euid}
> >
> > to /etc/samba/smb.conf?  
> 
> No and not even to /etc/krb5.conf

Sorry, /etc/krb5.conf it is.

> > Would that however explain why sysvolcheck fails as soon as I did
> > some edit operation on the Windows side?  
> 
> I personally think it is probably the wrong group ownership on 
> /var/lib/samba/sysvol, the question has to be, how did it become
> 'root' ?

I rather wonder why getfacl and samba-check-set-sysvol.sh produce a
different output regarding the "group" membership.

Greetings,
Stefan

-- 
Stefan Bellon
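An added example, not part of this thread or of Samba: a small Python checker that parses getfacl output collected from each DC, verifies that the sysvol group owner is the expected BUILTIN\Administrators xidNumber (3000000 here, taken from the thread; the value differs per domain) and reports ACL drift between DCs. The sample dumps are constructed and abridged from the ones pasted above.

```python
# Added example (not from the thread): parse getfacl(1) output from several DCs,
# check that the sysvol group owner is the expected xidNumber, and flag ACL drift.
# 3000000 is BUILTIN\Administrators on the poster's DCs; the value differs per domain.
EXPECTED_GROUP = "3000000"

def parse_getfacl(text):
    """Return (owner, group, sorted ACL entries); header comments are dropped."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "getfacl:")):
            entries.append(line)           # user:/group:/mask:/other:/default: lines
    return owner, group, sorted(entries)

def check_sysvol(acls):
    """acls maps host -> getfacl text. Returns findings; an empty list means OK."""
    parsed = {host: parse_getfacl(text) for host, text in acls.items()}
    findings = []
    for host, (owner, group, _) in parsed.items():
        if owner != "root":
            findings.append(f"{host}: owner {owner!r}, expected 'root'")
        if group != EXPECTED_GROUP:   # e.g. 'root' instead of the Administrators xid
            findings.append(f"{host}: group {group!r}, expected {EXPECTED_GROUP!r}")
    ref_host, ref = next(iter(parsed.items()))
    for host, cur in parsed.items():
        if cur[2] != ref[2]:
            findings.append(f"{host}: ACL entries differ from {ref_host}")
    return findings

# Constructed sample, abridged from the DC1/DC2 dumps in the thread.
ACL_BODY = """user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:3000000:rwx
mask::rwx
other::---
default:group:3000000:rwx"""

def sample(group, path="var/lib/samba/sysvol/"):
    return (f"getfacl: Removing leading '/' from absolute path names\n"
            f"# file: {path}\n# owner: root\n# group: {group}\n{ACL_BODY}\n")

if __name__ == "__main__":
    print(check_sysvol({"dc1": sample("3000000"), "dc2": sample("3000000")}))  # []
    print(check_sysvol({"dc1": sample("3000000"), "dc2": sample("root")}))
```

In practice the dumps would be collected with `getfacl /var/lib/samba/sysvol` on each DC and fed in as text; the trailing slash in the `# file:` line is ignored on purpose.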
