[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

L.P.H. van Belle belle at bazuin.nl
Wed Mar 31 15:08:46 UTC 2021


I'll try.. 

Lines 18-23.
These SIDs are common SIDs..

Then I can do the conversion of SID to UID (or GID).

DC_SERVER_OPERATORS_SID2UID="wbinfo --sid-to-uid=S-1-5-32-549"

wbinfo --sid-to-uid=S-1-5-32-549
3000001

This UID is only in the AD-DB (idmap.ldb as far as I know).
Now we are in the script at lines 52-79.

I use wbinfo to find all known names/UIDs/groups and set that.

If you set uid/gid 3000001 then Linux will resolve it.
If .. nsswitch also contains winbind.
I use it like this on my AD-DCs:

passwd:         files systemd winbind
group:          files systemd winbind

So next, root = Administrator on the AD-DC already (default mapping).

That's basically it, and I do that for all known 4, these:

DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"

So.. how do I get:
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\\administrators

We know: 300001 = BUILTIN\\administrators
so, chmod root:300001

We can't use: root:"BUILTIN\\administrators"
because that's not known in Linux groups itself.
But the IDs will be resolved with nsswitch.

I hope that helped.. 

If not, office closing, I'm back tomorrow to reply.

Greetz, 

Louis



> -----Original message-----
> From: Stefan Bellon [mailto:bellon at axivion.com]
> Sent: Wednesday 31 March 2021 16:47
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Failed to prepare gensec:
> NT_STATUS_INVALID_SERVER_STATE
> 
> On Wed, 31 Mar, L.P.H. van Belle via samba wrote:
> 
> > This is my output.  (Version 4.13.7-Debian)
> > Still from the same script (as used above)
> >
> > getfacl /var/lib/samba/sysvol/
> > getfacl: Removing leading '/' from absolute path names
> > # file: var/lib/samba/sysvol/
> > # owner: root
> > # group: BUILTIN\\administrators
> 
> Please help me understand ... I fail to see how the script you linked
> - with the content -
> 
> Create_DC_SYVOL_ACL_FILE () {
>     Get_DC_SERVER_OPERATORS
>     Get_DC_ADMINISTRATORS
>     Get_DC_SYSTEM
>     Get_DC_AUTHENTICATED_USERS
> 
>     RIGHTSFILE="default-rights-sysvol.acl"
>     cat << EOF > "${RIGHTSFILE}"
> # file: ${DC_SYSVOL_PATH}
> # owner: root
> # group: root
> 
> can create something different than
> 
> # group: root
> 
> in its output ... :-}
> 
> Samba 4.13.5 from Debian Bullseye (testing), BTW.
> 
> Greetings,
> Stefan
> 
> --
> Stefan Bellon
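
The SID-to-ID lookup described in the message above, as an added example that is not part of the original post or of the script under discussion. The function names are hypothetical, and it uses `wbinfo --sid-to-gid` where the message shows `--sid-to-uid`; it prints a getfacl-style header with the numeric group ID and checks that nsswitch lists winbind so the ID resolves to a name.

```shell
#!/bin/sh
# Added example: not code from the script discussed in this thread.
# Well-known SIDs as listed in the message above.
DC_SERVER_OPERATORS="S-1-5-32-549"
DC_ADMINISTRATORS="S-1-5-32-544"
DC_SYSTEM="S-1-5-18"
DC_AUTHENTICATED_USERS="S-1-5-11"

# sid_to_gid SID: print the numeric GID winbind maps SID to, or fail.
sid_to_gid() {
    gid=$(wbinfo --sid-to-gid="$1" 2>/dev/null) || return 1
    # Reject anything that is not a plain number (e.g. an error string).
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# acl_header PATH GROUP_SID: print a getfacl-style header whose group is
# the numeric ID, since the BUILTIN\ name is not a local Linux group.
acl_header() {
    gid=$(sid_to_gid "$2") || { echo "cannot map $2" >&2; return 1; }
    # getfacl prints paths without the leading '/'.
    printf '# file: %s\n# owner: root\n# group: %s\n' "${1#/}" "$gid"
}

# winbind_in_nss FILE: succeed only if both the passwd and group lines
# of the given nsswitch.conf list winbind, so numeric IDs resolve to names.
winbind_in_nss() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|\$)" "$1" || return 1
    done
}
```

On an AD DC, `winbind_in_nss /etc/nsswitch.conf && acl_header /var/lib/samba/sysvol/ "$DC_ADMINISTRATORS"` prints the header with whatever ID the local idmap assigns.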
