[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland penny rpenny at samba.org
Wed Mar 31 13:58:54 UTC 2021


On 31/03/2021 14:51, Stefan Bellon wrote:
> On Wed, 31 Mar, Rowland penny via samba wrote:
>
>>> default-rights-sysvol.acl looks identical on both DC1 and DC2:
>>> # file: /var/lib/samba/sysvol
>>> # owner: root
>>> # group: root
>> There is a problem, the group should be BUILTIN\\administrators which
>> on my DC is 3000000:
>>
>> getfacl /var/lib/samba/sysvol
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol
>> # owner: root
>> # group: 3000000
> Interestingly enough, when directly using getfacl
> on /var/lib/samba/sysvol, I *also* get the group as 3000000 (on both
> DCs):
>
> root at dc1:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> root at dc2:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> The output I pasted last time was the output of the script
> samba-check-set-sysvol.sh where group is listed as "root" as opposed to
> "3000000" when calling getfacl directly ...
>
> Does this shed any light on something? ;-)
>
>>> I can confirm that when doing "klist", the ticket cache is in files
>>> named /tmp/krb5cc_%{euid}_%{something} for all users except root,
>>> where the ticket cache is /tmp/krb5cc_0 without the suffix.
>> That is Administrator's ticket, not root's
> Ok, yes, sorry, I got confused because for test purposes I fetched the
> ticket with user root, but of course I did "kinit administrator".
>
>>> Not sure whether this is my setup ... I do not mount shares on UNIX
>>> side at all, it's just the netlogon/sysvol stuff for Windows.
>> Er, netlogon & sysvol are shares 😁
> Right you are. ;-)
>
> What I meant to say is, that I do not mount those shares on GNU/Linux
> and therefore I am not sure whether
>
>> Shares on clients are mounted with multiuser,cifsacl via autofs.
>> (fstype=cifs,rw,multiuser,cifsacl,username=cifsmount,soft,sec=krb5i,vers=3.0)
> applies to my setup.
>
>>> So, do you suggest I add
>>>
>>> [libdefaults]
>>>       default_ccache_name = FILE:/tmp/krb5cc_%{euid}
>>>
>>> to /etc/samba/smb.conf?
>> No and not even to /etc/krb5.conf
> Sorry, /etc/krb5.conf it is.
>
>>> Would that however explain why sysvolcheck fails as soon as I did
>>> some edit operation on the Windows side?
>> I personally think it is probably the wrong group ownership on
>> /var/lib/samba/sysvol, the question has to be, how did it become
>> 'root' ?
> I rather wonder why getfacl and samba-check-set-sysvol.sh produce a
> different output regarding the "group" membership.
>
> Greetings,
> Stefan
>
Because the script is wrong (and you can ignore my post about unison),
give me some time and I will reconfigure the script.

Rowland
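The disagreement in the thread is between what `getfacl` prints for the owning group of the sysvol tree (`# group: 3000000`) and what the helper script reported (`root`). The added example below is not the script from the thread nor Samba's own code; it is a small parser for `getfacl` output that reads the `# owner:` / `# group:` header lines and the access and default entries separately, then checks that the owning group and its ACL entries match the gid you expect for BUILTIN\Administrators. The expected gid `3000000` is taken from the DC shown in the thread and is an assumption; on a real DC take it from `wbinfo --sid-to-gid S-1-5-32-544` (S-1-5-32-544 is the well-known SID of BUILTIN\Administrators). The sample `getfacl` text is a constructed, shortened copy of the listing quoted above.

```python
"""Parse getfacl output and verify the owning group of a Samba sysvol tree.

Added example; not the samba-check-set-sysvol.sh script from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: shortened copy of the getfacl listing quoted in the thread.
SAMPLE_GETFACL = """\
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:group::---
default:group:3000000:rwx
default:mask::rwx
default:other::---
"""

# Assumption: xidNumber of BUILTIN\Administrators on the DC in the thread.
EXPECTED_SYSVOL_GROUP = "3000000"

Entry = Tuple[str, str]  # (tag, qualifier), e.g. ("group", "3000000")


@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    access: Dict[Entry, str] = field(default_factory=dict)   # current ACL
    default: Dict[Entry, str] = field(default_factory=dict)  # inherited ACL


def parse_getfacl(text: str) -> Acl:
    """Split getfacl output into header fields and access/default entries."""
    acl = Acl()
    for raw in text.splitlines():
        # getfacl appends "\t#effective:..." when the mask narrows an entry.
        line = raw.split("#effective:")[0].strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank line or the "Removing leading '/'" notice
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            if key == "file":
                acl.path = value
            elif key == "owner":
                acl.owner = value
            elif key == "group":
                acl.group = value
            continue
        parts = line.split(":")
        target = acl.access
        if parts[0] == "default":
            target, parts = acl.default, parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        target[(tag, qualifier)] = perms
    return acl


def check_sysvol_group(acl: Acl, expected_group: str) -> List[str]:
    """Return a list of findings; an empty list means the tree looks right."""
    findings = []
    if acl.group != expected_group:
        findings.append(
            f"{acl.path}: owning group is {acl.group!r}, expected {expected_group!r}")
    if acl.access.get(("group", expected_group)) != "rwx":
        findings.append(f"{acl.path}: no rwx access entry for group {expected_group}")
    if acl.default.get(("group", expected_group)) != "rwx":
        findings.append(f"{acl.path}: no rwx default entry for group {expected_group}")
    return findings


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print(f"path={acl.path} owner={acl.owner} group={acl.group}")
    for finding in check_sysvol_group(acl, EXPECTED_SYSVOL_GROUP) or ["ok"]:
        print(finding)
```

On a live DC, feed the real output in with `subprocess.run(["getfacl", "/var/lib/samba/sysvol"], capture_output=True, text=True).stdout` in place of the constructed sample, and compare the header `# group:` value to the gid that winbind maps for S-1-5-32-544 rather than to a hard-coded number.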
