[Samba] Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

L.P.H. van Belle belle at bazuin.nl
Wed Nov 3 12:27:17 UTC 2021


I'm also having a bit of a hard time reading it, but I did notice at least these. 

The question for me also is: is this an AD-DC or a member server? 
Looks like it's an AD-DC.  
 
/etc/krb5.conf  ( this is, in a normal setup ) 
[libdefaults]
        default_realm = AD.BIB.LAN

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# Sufficient. (That's the default krb5.conf at install, if REALM is supplied.)

/etc/nsswitch.conf 
passwd:
> > files systemd winbind group: files systemd winbind shadow: files
> > gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns
> > networks: files protocols: db files services: db files ethers: db

In the hosts line 
Change this line : hosts: files mdns4_minimal [NOTFOUND=return] dns  
To
hosts: files dns mdns4_minimal [NOTFOUND=return]


/etc/samba/smb.conf 
refresh tickets = yes 
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab 

These should not be set for an AD-DC (as far as I know). 

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Wednesday 3 November 2021 13:01
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to prepare gensec: 
> NT_STATUS_INVALID_SERVER_STATE
> 
> On Wed, 2021-11-03 at 12:01 +0100, Marcel de Reuver via samba wrote:
> > My logging is flooded with these notifications: [2021/11/03
> > 11:53:51.573128, 0]
> > 
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> > NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.683035, 0]
> > 
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> > NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.710025, 0]
> > 
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> > NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.842878, 0]
> > 
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> > NT_STATUS_INVALID_SERVER_STATE [2021/11/03 11:53:51.983252, 0]
> > 
> ../../source3/rpc_server/rpc_server.c:556(dcesrv_auth_gensec_prepare)
> > dcesrv_auth_gensec_prepare: Failed to prepare gensec:
> > NT_STATUS_INVALID_SERVER_STATE All seems to
> > work but I am wondering what these messages mean. My setup: Collected
> > config --- 2021-11-03-11:55 ----------- Hostname: DC002 DNS Domain:
> > ad.bib.lan FQDN: DC002.ad.bib.lan ipaddress: 10.97.37.4 -----------
> > Kerberos SRV _kerberos._tcp.ad.bib.lan record verified ok, sample
> > output: Server: 10.97.37.4 Address: 10.97.37.4#53
> > _kerberos._tcp.ad.bib.lan service = 0 100 88 dc002.ad.bib.lan.
> > _kerberos._tcp.ad.bib.lan service = 0 100 88 dc003.ad.bib.lan. Samba
> > is running as an AD DC ----------- Checking file: /etc/os-release
> > NAME="Ubuntu" VERSION="20.04.3 LTS (Focal Fossa)" ID=ubuntu
> > ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.3 LTS" VERSION_ID="20.04"
> > HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="
> > https://help.ubuntu.com/" BUG_REPORT_URL="
> > https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="
> > https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> > VERSION_CODENAME=focal UBUNTU_CODENAME=focal ----------- This
> > computer is running Ubuntu 20.04.3 LTS x86_64 ----------- running
> > command : ip a 
> > 
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000 link/loopback 00:00:00:00:00:00 brd
> > 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope
> > host 2: eth0 at if80: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> > noqueue state UP group default qlen 1000 link/ether 
> 1e:b4:24:c3:c0:61
> > brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.97.37.4/24 brd
> > 10.97.37.255 scope global eth0 inet6 fe80::1cb4:24ff:fec3:c061/64
> > scope link ----------- Checking file: /etc/hosts 127.0.0.1 localhost
> > ::1 localhost ip6-localhost ip6-loopback ff02::1 
> ip6-allnodes ff02::2
> > ip6-allrouters # --- BEGIN PVE --- 10.97.37.4 DC002.ad.bib.lan DC002
> > # --- END PVE --- ----------- Checking file: /etc/resolv.conf # ---
> > BEGIN PVE --- search ad.bib.lan nameserver 10.97.37.4 nameserver
> > 10.97.36.7 # --- END PVE --- ----------- Checking file:
> > /etc/krb5.conf [libdefaults] default_realm = AD.BIB.LAN
> > dns_lookup_realm = false dns_lookup_kdc = true [realms] AD.BIB.LAN =
> > { default_domai
> > 
> > n = ad.bib.lan } [domain_realm] DC002 = AD.BIB.LAN -----------
> > Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example
> > configuration of GNU Name Service Switch functionality. # 
> If you have
> > the `glibc-doc-reference' and `info' packages installed, 
> try: # `info
> > libc "Name Service Switch"' for information about this file. passwd:
> > files systemd winbind group: files systemd winbind shadow: files
> > gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns
> > networks: files protocols: db files services: db files ethers: db
> > files rpc: db files netgroup: nis ----------- Checking file:
> > /etc/samba/smb.conf # Global parameters [global] netbios 
> name = DC002
> > realm = AD.BIB.LAN server role = active directory domain controller
> > workgroup = AD idmap_ldb:use rfc2307 = yes dns forwarder = 
> 10.97.37.5
> > 10.97.36.8 winbind enum users = yes winbind enum groups = 
> yes winbind
> > refresh tickets = yes dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab template shell = /bin/bas
> > 
> > h # Freeradius winbind use default domain = yes winbind max domain
> > connections = 5 winbind max clients = 1000 password server = * ldap
> > server require strong auth = no ntlm auth = mschapv2-and-ntlmv2-only
> > # log level = 3 # printing printing = cups load printers = yes
> > rpc_server:spoolss = external rpc_daemon:spoolssd = fork spoolss:
> > architecture = Windows x64 [sysvol] path = 
> /var/lib/samba/sysvol read
> > only = no [netlogon] path = /var/lib/samba/sysvol/ad.bib.lan/scripts
> > read only = no [printers] path = /var/spool/samba/ printable = yes
> > [print$] path = /srv/samba/printer_drivers/ read only = no 
> ----------
> > - BIND_DLZ not detected in smb.conf ----------- Installed packages:
> > ii acl 2.2.53-6 amd64 access control list - utilities ii attr
> > 1:2.4.48-5 amd64 utilities for manipulating filesystem extended
> > attributes ii krb5-config 2.6ubuntu1 all Configuration files for
> > Kerberos Version 5 ii krb5-locales 1.17-6ubuntu4.1 all
> > internationalization support for MIT Kerberos ii krb5-user 1.17-
> > 6ubuntu4.1 a
> > 
> > md64 basic programs to authenticate using MIT Kerberos ii
> > libacl1:amd64 2.2.53-6 amd64 access control list - shared library ii
> > libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared
> > library ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos
> > runtime libraries - krb5 GSS-API Mechanism ii libkrb5-26-
> > heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
> > ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime
> > libraries ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 
> MIT Kerberos
> > runtime libraries - Support library ii libnss-winbind:amd64
> > 2:4.15.1+dfsg-0.1focal1 amd64 Samba nameservice integration plugins
> > ii libpam-winbind:amd64 2:4.15.1+dfsg-0.1focal1 amd64 Windows domain
> > authentication integration plugin ii libwbclient0:amd64
> > 2:4.15.1+dfsg-0.1focal1 amd64 Samba winbind client library ii
> > python3-nacl 1.3.0-5 amd64 Python bindings to libsodium 
> (Python 3) ii
> > python3-samba 2:4.15.1+dfsg-0.1focal1 amd64 Python 3 bindings for
> > Samba ii samba 2:4.15.1+
> > 
> > dfsg-0.1focal1 amd64 SMB/CIFS file, print, and login server for Unix
> > ii samba-common 2:4.15.1+dfsg-0.1focal1 all common files 
> used by both
> > the Samba server and client ii samba-common-bin 2:4.15.1+dfsg-
> > 0.1focal1 amd64 Samba common files used by both the server and the
> > client ii samba-dsdb-modules:amd64 2:4.15.1+dfsg-0.1focal1 amd64
> > Samba Directory Services Database ii samba-libs:amd64 2:4.15.1+dfsg-
> > 0.1focal1 amd64 Samba core libraries ii samba-vfs-modules:amd64
> > 2:4.15.1+dfsg-0.1focal1 amd64 Samba Virtual FileSystem plugins ii
> > winbind 2:4.15.1+dfsg-0.1focal1 amd64 service to resolve user and
> > group information from Windows NT servers -----------
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> Do you think you can find a better mail client and try again, I cannot
> read the above.
> 
> Rowland
>  
> 
> 
> 
> 
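
The two checks suggested in the reply above (the member-server Kerberos settings in smb.conf on an AD DC, and the order of the hosts line in nsswitch.conf) can be automated. This is an added example, not part of the original message or of Samba; the function names and the sample input are hypothetical and constructed from the settings quoted in the thread.

```python
import re

# Parameters the reply says should not be set on an AD DC. The first is spelled
# "winbind refresh tickets" in the smb.conf quoted in the thread.
MEMBER_ONLY = ("winbind refresh tickets", "dedicated keytab file", "kerberos method")

def parse_global(smb_conf):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse whitespace runs too.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def dc_unwanted_params(smb_conf):
    """List the member-server Kerberos settings present in an AD DC config."""
    params = parse_global(smb_conf)
    if params.get("server role", "").lower() != "active directory domain controller":
        return []
    return [name for name in MEMBER_ONLY if name in params]

def hosts_dns_first(nsswitch):
    """True when the hosts line lists dns ahead of any mdns source."""
    for line in nsswitch.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() != "hosts":
            continue
        rest = re.sub(r"\[[^\]]*\]", " ", rest.split("#")[0])  # drop [NOTFOUND=return]
        sources = rest.split()
        mdns = [i for i, s in enumerate(sources) if s.startswith("mdns")]
        return "dns" in sources and (not mdns or sources.index("dns") < mdns[0])
    return False

# Constructed sample input, built from the settings quoted in the thread.
SAMPLE_SMB = """[global]
  server role = active directory domain controller
  Winbind  Refresh Tickets = yes
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
[sysvol]
  path = /var/lib/samba/sysvol
"""

if __name__ == "__main__":
    print(dc_unwanted_params(SAMPLE_SMB))
    print(hosts_dns_first("hosts: files mdns4_minimal [NOTFOUND=return] dns"))
```
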



