[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
Stefan Bellon
bellon at axivion.com
Wed Mar 31 13:51:42 UTC 2021
On Wed, 31 Mar, Rowland penny via samba wrote:
> > default-rights-sysvol.acl looks identical on both DC1 and DC2:
> > # file: /var/lib/samba/sysvol
> > # owner: root
> > # group: root
>
> There is a problem, the group should be BUILTIN\administrators which
> on my DC is 3000000:
>
> getfacl /var/lib/samba/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol
> # owner: root
> # group: 3000000
Interestingly enough, when directly using getfacl
on /var/lib/samba/sysvol, I *also* get the group as 3000000 (on both
DCs):
root@dc1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
root@dc2:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
The output I pasted last time was the output of the script
samba-check-set-sysvol.sh where group is listed as "root" as opposed to
"3000000" when calling getfacl directly ...
Does this shed any light on something? ;-)
> > I can confirm that when doing "klist", the ticket cache is in files
> > named /tmp/krb5cc_%{euid}_%{something} for all users except root,
> > where the ticket cache is /tmp/krb5cc_0 without the suffix.
>
> That is Administrator's ticket, not root's
Ok, yes, sorry, I got confused because for test purposes I fetched the
ticket with user root, but of course I did "kinit administrator".
> > Not sure whether this is my setup ... I do not mount shares on UNIX
> > side at all, it's just the netlogon/sysvol stuff for Windows.
>
> Er, netlogon & sysvol are shares 😁
Right you are. ;-)
What I meant to say is that I do not mount those shares on GNU/Linux
and therefore I am not sure whether
> Shares on clients are mounted with multiuser,cifsacl via autofs.
> (fstype=cifs,rw,multiuser,cifsacl,username=cifsmount,soft,sec=krb5i,vers=3.0)
applies to my setup.
> > So, do you suggest I add
> >
> > [libdefaults]
> > default_ccache_name = FILE:/tmp/krb5cc_%{euid}
> >
> > to /etc/samba/smb.conf?
>
> No and not even to /etc/krb5.conf
Sorry, /etc/krb5.conf it is.
> > Would that however explain why sysvolcheck fails as soon as I did
> > some edit operation on the Windows side?
>
> I personally think it is probably the wrong group ownership on
> /var/lib/samba/sysvol, the question has to be, how did it become
> 'root' ?
I rather wonder why getfacl and samba-check-set-sysvol.sh produce
different output regarding the "group" membership.
Greetings,
Stefan
--
Stefan Bellon
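The two getfacl dumps above are compared by eye in the thread. The script below is an added example (not code from the thread, from Samba, or from samba-check-set-sysvol.sh): it parses getfacl output into a comparable structure, reports every owner, group or ACL entry that differs between two DCs, and lists the numeric IDs that the host could not map to a name. Sample input is the DC1 dump quoted above plus a constructed variant with the group owner set to "root" and one default entry missing, so the mismatch report has something to show. On a Samba AD DC, IDs in the 3000000 range are xids allocated in idmap.ldb; mapping them to names on the DC itself with `wbinfo --gid-info <gid>` or `wbinfo --uid-info <uid>` is left to the reader so that the script runs offline.

```python
"""Parse and compare getfacl dumps of /var/lib/samba/sysvol from two DCs.

Added example, not code from the mailing-list thread or from Samba.
"""
import re

# Sample input: the DC1 dump quoted in the thread (the DC2 dump is identical).
DC1_ACL = """\
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

# Constructed variant (not from the thread): group owner reset to "root", as the
# samba-check-set-sysvol.sh output reported, and one default entry dropped.
DC_BAD_ACL = DC1_ACL.replace("# group: 3000000", "# group: root").replace(
    "default:group:3000002:rwx\n", "")


def parse_getfacl(text):
    """Return {'file', 'owner', 'group', 'entries'} for one getfacl dump.

    entries maps (scope, tag, qualifier) -> perms, e.g.
    ('default', 'group', '3000000') -> 'rwx'; scope is 'access' or 'default'.
    """
    acl = {"file": None, "owner": None, "group": None, "entries": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank line or the "Removing leading '/'" notice
        m = re.match(r"#\s*(file|owner|group):\s*(.*)$", line)
        if m:
            acl[m.group(1)] = m.group(2).strip()
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope = "default"
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError("unparseable ACL line: %r" % raw)
        tag, qualifier, perms = parts
        acl["entries"][(scope, tag, qualifier)] = perms
    return acl


def compare_acls(a, b, label_a="a", label_b="b"):
    """List human-readable differences between two parsed ACLs (empty if equal)."""
    diffs = []
    for key in ("owner", "group"):
        if a[key] != b[key]:
            diffs.append("%s differs: %s=%s %s=%s"
                         % (key, label_a, a[key], label_b, b[key]))
    for key in sorted(set(a["entries"]) | set(b["entries"])):
        pa, pb = a["entries"].get(key), b["entries"].get(key)
        if pa != pb:
            diffs.append("%s: %s=%s %s=%s" % (":".join(key), label_a, pa, label_b, pb))
    return diffs


def unresolved_ids(acl):
    """Numeric owner/group/qualifier IDs, i.e. xids this host shows without a name."""
    ids = set()
    for value in (acl["owner"], acl["group"]):
        if value and value.isdigit():
            ids.add(value)
    for (_scope, _tag, qualifier) in acl["entries"]:
        if qualifier.isdigit():
            ids.add(qualifier)
    return sorted(ids, key=int)


if __name__ == "__main__":
    dc1 = parse_getfacl(DC1_ACL)
    dc2 = parse_getfacl(DC_BAD_ACL)
    for d in compare_acls(dc1, dc2, "dc1", "dc2") or ["no differences"]:
        print(d)
    print("numeric IDs to resolve on the DC:", " ".join(unresolved_ids(dc1)))
```

To use it against real DCs, save `getfacl /var/lib/samba/sysvol/` from each DC to a file and feed the file contents to parse_getfacl instead of the embedded strings; a non-empty compare_acls result is the list of entries to investigate before running sysvolreset.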