[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

L.P.H. van Belle belle at bazuin.nl
Wed Nov 3 15:27:50 UTC 2021


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marcel de Reuver via samba
> Sent: Wednesday 3 November 2021 13:58
> To: samba at lists.samba.org
> Subject: [Samba] Fwd: Failed to prepare gensec: 
> NT_STATUS_INVALID_SERVER_STATE
> 
....... 
> My setup:
> Collected config --- 2021-11-03-11:55 -----------
> 
> Hostname: DC002
> DNS Domain: ad.bib.lan
> FQDN: DC002.ad.bib.lan
> ipaddress: 10.97.37.4
> 
> -----------
https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html 

The list of names that may not be used for top-level domains includes the following labels:

.local
.localdomain
.domain
.lan
.home
.host
.corp

Now, note that .lan is in there. But it's not that big a problem.

If you configure nsswitch.conf correctly (better), or if you enable 
publish-resolv-conf-dns-servers in avahi-daemon.conf, 
the file /etc/resolv.conf will be read, too.

What I removed from the debug output is, like Rowland also said, all good. 

> -----------
> 
>         Checking file: /etc/krb5.conf
> 
> [libdefaults]
>   default_realm = AD.BIB.LAN
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
> 
> [realms]
> AD.BIB.LAN = {
>   default_domain = ad.bib.lan
> }
> 
> [domain_realm]
>   DC002 = AD.BIB.LAN


All you need here is:
[libdefaults]
        default_realm = AD.BIB.LAN

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

The rest are default settings.


> 
> -----------
> 
>         Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd: files systemd winbind
> group: files systemd winbind
> shadow: files
> gshadow: files
> 
> hosts: files mdns4_minimal [NOTFOUND=return] dns

Or enable publish-resolv-conf-dns-servers in avahi-daemon.conf 
and keep it as is, or don't and change to this (moved dns more to the front):
hosts: files dns mdns4_minimal [NOTFOUND=return]


> networks: files
> 
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> 
> netgroup: nis
> 
> -----------
> 
>         Checking file: /etc/samba/smb.conf
> 
> # Global parameters
... 

>      winbind enum users = yes
>      winbind enum groups = yes
You should set these to "no". 
Use getent passwd username to see if it's all OK. 


Greetz, 

Louis
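
A check for the two settings this reply suggests changing, as an added example that is not part of the original message: it lists any hosts: source placed before dns that carries a NOTFOUND=return action, and any winbind enum parameter that is switched on. The function names and the sample strings are assumptions constructed for illustration.

```python
import re

# Constructed sample input mirroring the settings quoted in the thread.
SAMPLE_NSSWITCH = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_SMB_CONF = "[global]\n  winbind enum users = yes\n  winbind enum groups = yes\n"

ENUM_PARAMS = {"winbindenumusers": "winbind enum users",
               "winbindenumgroups": "winbind enum groups"}

def hosts_sources(nsswitch_text):
    """Parse the hosts: line into [service, [ACTIONS]] pairs, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("hosts:"):
            continue
        sources = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
            if tok.startswith("["):
                if sources:  # an action list applies to the preceding service
                    sources[-1][1].extend(tok.strip("[]").upper().split())
            else:
                sources.append([tok, []])
        return sources
    return []

def stops_before_dns(nsswitch_text):
    """Services ahead of dns whose NOTFOUND=return action ends the lookup early."""
    blocking = []
    for service, actions in hosts_sources(nsswitch_text):
        if service == "dns":
            return blocking
        if "NOTFOUND=RETURN" in actions:
            blocking.append(service)
    return []  # no dns source on the hosts: line, so nothing precedes it

def winbind_enum_enabled(smb_conf_text):
    """Return the winbind enum parameters that are switched on."""
    enabled = []
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.lower().split())  # smb.conf ignores case and spaces in names
        if key in ENUM_PARAMS and value.strip().lower() in ("yes", "true", "on", "1"):
            enabled.append(ENUM_PARAMS[key])
    return enabled

if __name__ == "__main__":
    print("stops before dns:", stops_before_dns(SAMPLE_NSSWITCH))
    print("enum enabled:", winbind_enum_enabled(SAMPLE_SMB_CONF))
```

To run it against a live host, pass the contents of /etc/nsswitch.conf and /etc/samba/smb.conf to the two functions instead of the sample strings.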




