[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Stefan Bellon bellon at axivion.com
Wed Mar 31 17:09:51 UTC 2021


On Wed, 31 Mar, L.P.H. van Belle via samba wrote:

> I'll try.. 
[...]
> I hope that helped.. 

Thanks for explaining the conversion. But I am still uncertain of what
my actual problem is.

Here I have the following mapping:

root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
BUILTIN\Administrators 4
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
BUILTIN\Server Operators 4
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
NT AUTHORITY\SYSTEM 5
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
NT AUTHORITY\Authenticated Users 5
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
DS\Group Policy Creator Owners 2
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
DS\Enterprise Admins 2
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
DS\Domain Admins 2
root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5

And those permissions/attributes set:

root at dc1:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/xxx/Policies/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
user:3000004:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000004:rwx
default:mask::rwx
default:other::---

root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/ --as-sddl
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)

root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/ --as-sddl
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

This is the identical state on both DC1 and DC2 after I ran
"samba-tool ntacl sysvolreset" and have not changed anything since.

Am I right in understanding that something is already wrong in those
permissions/attributes as shown above?

Greetings,
Stefan


