[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE
L.P.H. van Belle
belle at bazuin.nl
Wed Mar 31 15:08:46 UTC 2021
I'll try..
Lines 18-23.
These SIDs are common SIDs ..
Then I can do the conversion of SID to UID (or GID)
DC_SERVER_OPERATORS_SID2UID="wbinfo --sid-to-uid=S-1-5-32-549"
wbinfo --sid-to-uid=S-1-5-32-549
3000001
This UID is only in the AD-DB (idmap.ldb as far as I know).
Now we are in the script at lines 52-79.
I use wbinfo to find all known names/UIDs/groups and set that.
If you set uid/gid 3000001 then Linux will resolve it.
If .. nsswitch also contains winbind.
I use it like this on my AD-DCs:
passwd: files systemd winbind
group: files systemd winbind
So next, root = Administrator on the AD-DC already (default mapping).
That's basically it, and I do that for all 4 known ones, these:
DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"
So.. how do I get:
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\\administrators
we know : 300001 = BUILTIN\\administrators
so, chmod root:300001
We can't use: root:"BUILTIN\\administrators"
because that's not known in the Linux groups itself.
But the IDs will be resolved with nsswitch.
I hope that helped..
If not, office closing, I'm back tomorrow to reply.
Greetz,
Louis
> -----Original message-----
> From: Stefan Bellon [mailto:bellon at axivion.com]
> Sent: Wednesday 31 March 2021 16:47
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
>
> On Wed, 31 Mar, L.P.H. van Belle via samba wrote:
>
> > This is my output. (Version 4.13.7-Debian)
> > Still from the same script (as used above)
> >
> > getfacl /var/lib/samba/sysvol/
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol/
> > # owner: root
> > # group: BUILTIN\\administrators
>
> Please help me understand ... I fail to see how the script you linked
> - with the content -
>
> Create_DC_SYVOL_ACL_FILE () {
> Get_DC_SERVER_OPERATORS
> Get_DC_ADMINISTRATORS
> Get_DC_SYSTEM
> Get_DC_AUTHENTICATED_USERS
>
> RIGHTSFILE="default-rights-sysvol.acl"
> cat << EOF > "${RIGHTSFILE}"
> # file: ${DC_SYSVOL_PATH}
> # owner: root
> # group: root
>
> can create something different than
>
> # group: root
>
> in its output ... :-}
>
> Samba 4.13.5 from Debian Bullseye (testing), BTW.
>
> Greetings,
> Stefan
>
> --
> Stefan Bellon
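
The SID-to-id lookup and the nsswitch precondition described in the reply above, as an added example that is not the script discussed in this thread. The function names and the overridable WBINFO and NSSWITCH variables are assumptions made for illustration; the SIDs and the wbinfo option are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not the script discussed in this thread.
# WBINFO and NSSWITCH are overridable (assumption, so the logic can be tested offline).
WBINFO="${WBINFO:-wbinfo}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# Well-known SIDs as listed in the message above.
DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"

# Succeed only if database $1 (passwd or group) lists winbind as a source.
nss_has_winbind() {
    sed 's/#.*//' "$NSSWITCH" |
        grep -Eq "^[[:space:]]*$1:(.*[[:space:]])?winbind([[:space:]]|\$)"
}

# Print the numeric id winbind maps SID $1 to; reject empty or non-numeric output.
sid_to_xid() {
    xid=$("$WBINFO" --sid-to-uid="$1") || return 1
    case "$xid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$xid"
}

# Print "SID id" for each of the four SIDs; stop at the first one that fails.
wellknown_xids() {
    for sid in "$DC_SERVER_OPERATORS" "$DC_ADMINISTRATORS" \
               "$DC_SYSTEM" "$DC_AUTHENTICATED_USERS"; do
        id=$(sid_to_xid "$sid") || { echo "cannot map $sid" >&2; return 1; }
        printf '%s %s\n' "$sid" "$id"
    done
}

# Print a numeric owner:group spec (root plus the Administrators id), but only
# when both passwd and group consult winbind, so the number resolves to a name.
sysvol_owner_spec() {
    for db in passwd group; do
        nss_has_winbind "$db" || { echo "nsswitch: $db lacks winbind" >&2; return 1; }
    done
    gid=$(sid_to_xid "$DC_ADMINISTRATORS") || return 1
    printf 'root:%s\n' "$gid"
}

# On a DC: spec=$(sysvol_owner_spec) && echo "numeric owner:group is $spec"
```

The numeric ids differ per domain, so the functions print whatever winbind returns rather than assuming a value.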