[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

Marcel de Reuver marcel at de.reuver.org
Thu Nov 4 12:34:57 UTC 2021


>> My setup:
>> Collected config --- 2021-11-03-11:55 -----------
>>
>> Hostname: DC002
>> DNS Domain: ad.bib.lan
>> FQDN: DC002.ad.bib.lan
>> ipaddress: 10.97.37.4
>>
>> -----------
> https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html
>
> the list of names that may not be used for top-level domains includes the following labels:
>
> .local
> .localdomain
> .domain
> .lan
> .home
> .host
> .corp
>
> Now, note that .lan is in there. But it's not that big a problem.
>
> If you configure nsswitch.conf correctly (better), or if you enable
> publish-resolv-conf-dns-servers in avahi-daemon.conf,
> the file /etc/resolv.conf will be read, too.


Unfortunately a discussion about the correct top level domain will not 
resolve the log messages.


>
> What I removed from the debug output is, like Rowland also said, all good.
>
>> -----------
>>
>>          Checking file: /etc/krb5.conf
>>
>> [libdefaults]
>>    default_realm = AD.BIB.LAN
>>    dns_lookup_realm = false
>>    dns_lookup_kdc = true
>>
>> [realms]
>> AD.BIB.LAN = {
>>    default_domain = ad.bib.lan
>> }
>>
>> [domain_realm]
>>    DC002 = AD.BIB.LAN
>
> All you need here is :
> [libdefaults]
>          default_realm = AD.BIB.LAN
>
> # The following krb5.conf variables are only for MIT Kerberos.
>          kdc_timesync = 1
>          ccache_type = 4
>          forwardable = true
>          proxiable = true
>
> The rest are default settings.
>

My /etc/krb5.conf is a copy of the one in /var/lib/samba/private/


>> -----------
>>
>>          Checking file: /etc/nsswitch.conf
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: files systemd winbind
>> group: files systemd winbind
>> shadow: files
>> gshadow: files
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns
> OR enable publish-resolv-conf-dns-servers in avahi-daemon.conf
> and keep it as is, or don't, and change it to this (moved dns further to the front):
> hosts: files dns mdns4_minimal [NOTFOUND=return]
>
>
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> -----------
>>
>>          Checking file: /etc/samba/smb.conf
>>
>> # Global parameters
> ...
>
>>       winbind enum users = yes
>>       winbind enum groups = yes
> You should set these to "no".
> Use getent passwd username to see if it's all OK.
>

I've made the suggested changes and the log messages continue.
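An added example, not part of this thread and not Samba's own tooling: a POSIX sh script that applies the three checks raised in the reply above (the order of dns and mdns4_minimal on the nsswitch.conf hosts line, whether smb.conf still enables winbind enumeration, and whether /etc/krb5.conf is identical to the copy Samba generated) to constructed copies of those files. The sample files, the temp directory and the function names are assumptions made for this example; on a real DC the functions would be pointed at /etc/nsswitch.conf, /etc/samba/smb.conf, /etc/krb5.conf and /var/lib/samba/private/krb5.conf instead.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check the three files the
# reply above discusses. All inputs are constructed copies written to a temp
# dir so the script runs offline; point the functions at /etc/... on a real DC.
set -u

WORK="${TMPDIR:-/tmp}/samba-cfg-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# --- constructed samples mirroring the thread (not the poster's real files) ---
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files systemd winbind
group: files systemd winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns
EOF

cat > "$WORK/smb.conf" <<'EOF'
[global]
        realm = AD.BIB.LAN
        winbind enum users = yes
        winbind enum groups = yes
EOF

cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = AD.BIB.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
EOF
# constructed stand-in for /var/lib/samba/private/krb5.conf
cp "$WORK/krb5.conf" "$WORK/samba-krb5.conf"

# hosts_line FILE: print the first "hosts:" line of an nsswitch.conf
hosts_line() {
    grep -E '^[[:space:]]*hosts:' "$1" | head -n 1
}

# dns_before_mdns FILE: 0 when "dns" precedes the mdns module on the hosts
# line (or there is no mdns module at all), 1 when mdns comes first as in the
# poster's file
dns_before_mdns() {
    dns_pos=0; mdns_pos=0; i=0
    set -f   # "[NOTFOUND=return]" must not be expanded as a glob
    for tok in $(hosts_line "$1" | cut -d: -f2-); do
        i=$((i + 1))
        case "$tok" in
            dns)   if [ "$dns_pos" -eq 0 ]; then dns_pos=$i; fi ;;
            mdns*) if [ "$mdns_pos" -eq 0 ]; then mdns_pos=$i; fi ;;
        esac
    done
    set +f
    if [ "$mdns_pos" -eq 0 ]; then return 0; fi
    if [ "$dns_pos" -ne 0 ] && [ "$dns_pos" -lt "$mdns_pos" ]; then return 0; fi
    return 1
}

# suggested_hosts_line FILE: the hosts line rewritten the way the reply
# suggests, with dns moved in front of "mdns4_minimal [NOTFOUND=return]"
suggested_hosts_line() {
    hosts_line "$1" | sed -E \
      's/^(hosts:[[:space:]]*files)[[:space:]]+mdns4_minimal[[:space:]]+\[NOTFOUND=return\][[:space:]]+dns[[:space:]]*$/\1 dns mdns4_minimal [NOTFOUND=return]/'
}

# winbind_enum_on FILE: 0 if smb.conf still has winbind enum users/groups = yes
winbind_enum_on() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+enum[[:space:]]+(users|groups)[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# krb5_matches_samba ETC_KRB5 SAMBA_KRB5: 0 if the two files are byte-identical
# (the poster says /etc/krb5.conf is a copy of the one under /var/lib/samba/private)
krb5_matches_samba() {
    cmp -s "$1" "$2"
}

# --- report on the constructed samples ---
if dns_before_mdns "$WORK/nsswitch.conf"; then
    echo "nsswitch hosts: dns is consulted before mdns"
else
    echo "nsswitch hosts: mdns precedes dns; line suggested in the reply:"
    suggested_hosts_line "$WORK/nsswitch.conf"
fi
if winbind_enum_on "$WORK/smb.conf"; then
    echo "smb.conf: winbind enum users/groups = yes (the reply suggests no)"
fi
if krb5_matches_samba "$WORK/krb5.conf" "$WORK/samba-krb5.conf"; then
    echo "krb5.conf: identical to the Samba-generated copy"
fi
```

The checks only report what the reply asked about; they do not claim to explain the NT_STATUS_INVALID_SERVER_STATE messages, which the poster says persisted after making the suggested changes.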




