[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Rowland penny rpenny at samba.org
Wed Mar 31 17:52:58 UTC 2021 

On 31/03/2021 18:09, Stefan Bellon via samba wrote:
> On Wed, 31 Mar, L.P.H. van Belle via samba wrote:
>
>> I'll try..
> [...]
>> I hope that helped..
> Thanks for explaining the conversion. But I am still uncertain of what
> my actual problem is.
>
> Here I have the following mapping:
>
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000000)
> BUILTIN\Administrators 4
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000001)
> BUILTIN\Server Operators 4
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000002)
> NT AUTHORITY\SYSTEM 5
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000003)
> NT AUTHORITY\Authenticated Users 5
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000004)
> DS\Group Policy Creator Owners 2
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000006)
> DS\Enterprise Admins 2
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000008)
> DS\Domain Admins 2
> root at dc1:~# wbinfo --sid-to-name=$(wbinfo --uid-to-sid=3000010)
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5
>
> And those permissions/attributes set:
>
> root at dc1:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> root at dc1:~# getfacl /var/lib/samba/sysvol/xxx/Policies/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/xxx/Policies/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> user:3000004:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> group:3000004:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000004:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000004:rwx
> default:mask::rwx
> default:other::---
>
> root at dc1:~#
> getfacl /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
> getfacl: Removing leading '/' from absolute path names # file:
> var/lib/samba/sysvol/xxx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
> # owner: 3000008 # group: 3000008
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000010:r-x
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000008:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000008:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000008:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> root at dc1:~# samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> root at dc1:~# samba-tool ntacl
> get /var/lib/samba/sysvol/xxx/Policies/ --as-sddl
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)
>
> root at dc1:~# samba-tool ntacl
> get /var/lib/samba/sysvol/xxx/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
> --as-sddl
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> This is actually the identical state of DC1 and DC2 after I did a
> "samba-tool ntacl sysvolreset" and not changed anything thereafter.
>
> Do I understand this right, that already in those
> permissions/attributes there is something wrong?
>
> Greetings,
> Stefan
>
No, there is nothing wrong with anything you have posted and as Andrew 
has already stated, your error message shouldn't have anything to do 
with sysvol.

At one time, running sysvolreset could wreck the permissions, this 
appears to have been because winbind couldn't map all the required 
SID's. This has been fixed, so you can now depend on 
sysvolreset/sysvolcheck, provided you never give Domain Admins a 
gidNumber attribute.

If, as you say, adding a GPO causes that message to appear in the logs, 
then it looks like a bug, but there is a gotcha, your log message refers 
to line 1086, the latest rpc_server.c code only has 717 lines, so it 
might be an idea to upgrade Samba if possible, the 'possible bug' may 
have been fixed.

Rowland

More information about the samba mailing list