[Samba] Fwd: Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE

L.P.H. van Belle belle at bazuin.nl
Thu Nov 4 13:22:40 UTC 2021


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marcel de Reuver via samba
> Sent: Thursday 4 November 2021 13:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fwd: Failed to prepare gensec: 
> NT_STATUS_INVALID_SERVER_STATE
> 
> >> My setup:
> >> Collected config --- 2021-11-03-11:55 -----------
> >>
> >> Hostname: DC002
> >> DNS Domain: ad.bib.lan
> >> FQDN: DC002.ad.bib.lan
> >> ipaddress: 10.97.37.4
> >>
> >> -----------
> > https://tools.ietf.org/id/draft-chapin-rfc2606bis-00.html
> >
> > the list of names that may not be used for top-level 
> domains includes the following labels:
> >
> > .local
> > .localdomain
> > .domain
> > .lan
> > .home
> > .host
> > .corp
> >
> > Now, note that .lan is in there.. But.. It's not that big a problem..
> >
> > If you configure nsswitch.conf correctly (better), or if you enable
> > publish-resolv-conf-dns-servers in avahi-daemon.conf,
> > the file /etc/resolv.conf will be read, too.
> 
> 
> Unfortunately a discussion about the correct top level domain 
> will not resolve the log messages.

I'm not discussing it, I'm just pointing to "configure it correctly".


> 
> 
> >
> > What I removed from the debug output, like Rowland also 
> said, is all good.
> >
> >> -----------
> >>
> >>          Checking file: /etc/krb5.conf
> >>
> >> [libdefaults]
> >>    default_realm = AD.BIB.LAN
> >>    dns_lookup_realm = false
> >>    dns_lookup_kdc = true
> >>
> >> [realms]
> >> AD.BIB.LAN = {
> >>    default_domain = ad.bib.lan
> >> }
> >>
> >> [domain_realm]
> >>    DC002 = AD.BIB.LAN
> >
> > All you need here is:
> > [libdefaults]
> >          default_realm = AD.BIB.LAN
> >
> > # The following krb5.conf variables are only for MIT Kerberos.
> >          kdc_timesync = 1
> >          ccache_type = 4
> >          forwardable = true
> >          proxiable = true
> >
> > The rest are default settings.
> >
> 
> My /etc/krb5.conf is a copy of the one in /var/lib/samba/private/

On Debian, in all cases, if you enter the realm correctly, 
what's produced at install is fine to run a "normal" Samba AD network. 


> 
> 
> >> -----------
> >>
> >>          Checking file: /etc/nsswitch.conf
> >>
> >> # /etc/nsswitch.conf
> >> #
> >> # Example configuration of GNU Name Service Switch functionality.
> >> # If you have the `glibc-doc-reference' and `info' packages
> >> installed, try:
> >> # `info libc "Name Service Switch"' for information about 
> this file.
> >>
> >> passwd: files systemd winbind
> >> group: files systemd winbind
> >> shadow: files
> >> gshadow: files
> >>
> >> hosts: files mdns4_minimal [NOTFOUND=return] dns
> > OR enable publish-resolv-conf-dns-servers in avahi-daemon.conf
> > and keep it as is, or don't and change it to this (moved dns more 
> to the front):
> > hosts: files dns mdns4_minimal [NOTFOUND=return]
> >
> >
> >> networks: files
> >>
> >> protocols: db files
> >> services: db files
> >> ethers: db files
> >> rpc: db files
> >>
> >> netgroup: nis
> >>
> >> -----------
> >>
> >>          Checking file: /etc/samba/smb.conf
> >>
> >> # Global parameters
> > ...
> >
> >>       winbind enum users = yes
> >>       winbind enum groups = yes
> > You should set these to "no".
> > Use getent passwd username to see if it's all ok.
> >
> 
> I've made the suggested changes and the log messages continue.

I found in some older list messages a reply of Andrew. 

> Andrew Bartlett via samba
> Sent: Wednesday 31 March 2021 9:17
> To: Stefan Bellon; Stefan Bellon via samba
> Subject: Re: [Samba] Failed to prepare gensec: 
> NT_STATUS_INVALID_SERVER_STATE

> This is about failing to set up the
> Kerberos code that accepts incoming tickets, so it could fail if the DC
> thinks it is not a DC or can't find the secrets.ldb entry etc.

If this is the first AD DC: 
Stop samba-ad-dc. 

Wipe the Samba data, rename the smb.conf and re-provision. 
Leave everything else as it is. 

Clean /var/cache/samba/ and /var/lib/samba and their subfolders. 
Don't remove the subfolders; if you do, recreate them. 

The other option: remove (de-install) samba and winbind, 
clean /var/cache/samba/ and /var/lib/samba and their subfolders, 
reinstall and re-provision. 

Greetz, 

Louis
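A small audit script for the two settings discussed in this thread, the lookup order of the "hosts:" line in nsswitch.conf and the "winbind enum" values in smb.conf. This is an added example, not code from the thread or from Samba, and it assumes the two file paths are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example (not from the list thread): check the nsswitch "hosts:" order
# and the "winbind enum users/groups" settings that the reply above points at.
# Assumption: the files to inspect are given as arguments, e.g. copies of
# /etc/nsswitch.conf and /etc/samba/smb.conf.

# Print "ok" when dns is consulted before mdns4_minimal [NOTFOUND=return],
# "dns-after-mdns" when the mdns entry comes first, "no-dns" when dns is absent.
check_hosts_order() {
    hosts_line=$(sed -n 's/^hosts:[[:space:]]*//p' "$1")
    dns_pos=0; mdns_pos=0; i=0
    set -f   # keep "[NOTFOUND=return]" from being glob-expanded while splitting
    for word in $hosts_line; do
        i=$((i + 1))
        case "$word" in
            dns)   dns_pos=$i ;;
            mdns*) if [ "$mdns_pos" -eq 0 ]; then mdns_pos=$i; fi ;;
        esac
    done
    set +f
    if [ "$dns_pos" -eq 0 ]; then
        echo "no-dns"
    elif [ "$mdns_pos" -gt 0 ] && [ "$dns_pos" -gt "$mdns_pos" ]; then
        echo "dns-after-mdns"
    else
        echo "ok"
    fi
}

# Print every "winbind enum users/groups = yes" line found in smb.conf
# (the thread recommends setting both to "no"); prints nothing when clean.
check_winbind_enum() {
    grep -Ei '^[[:space:]]*winbind[[:space:]]+enum[[:space:]]+(users|groups)[[:space:]]*=[[:space:]]*yes' "$1" || true
}

# Usage: sh audit.sh /etc/nsswitch.conf /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    echo "hosts lookup order: $(check_hosts_order "$1")"
    check_winbind_enum "$2" | sed 's/^/set to no: /'
fi
```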




