[Samba] Failed to finalize nt token

Stefan G. Weichinger lists at xunil.at
Tue Jan 16 14:20:04 UTC 2018


I am googling around for an issue and can't figure it out so far.

Status:

2 Debian 9.3 ADCs with samba-4.6.12 each.

1 Gentoo Samba Domain Member server "main",
Samba version 4.5.15 (we downgraded because of another issue a month ago
or so).

*one* AD user is able to log into his Windows10 PC, but doesn't get a
network share connected.

If I test that from the DM server or the DCs via smbclient it fails as well.

main # smbclient -L main  -U kamleitnerl%hispw
session setup failed: NT_STATUS_UNSUCCESSFUL


Maybe https://bugzilla.samba.org/show_bug.cgi?id=10604, I am not sure.


--- log on main:

Processing section "[global]"
  doing parameter security = ADS
  doing parameter workgroup = ARBEITSGRUPPE
  doing parameter realm = arbeitsgruppe.hidden-tld.at
  doing parameter log file = /var/log/samba/%m.log
  doing parameter log level = 4
  doing parameter idmap config * : backend = tdb
  doing parameter idmap config * : range = 2000-3999
  doing parameter idmap config ARBEITSGRUPPE:backend = ad
  doing parameter idmap config ARBEITSGRUPPE:range = 10000-9999999
  doing parameter idmap config ARBEITSGRUPPE:schema_mode = rfc2307
  doing parameter winbind nss info = rfc2307
  doing parameter username map = /etc/samba/user.map
  doing parameter winbind use default domain = Yes
  doing parameter winbind refresh tickets = Yes
  doing parameter load printers = No
  doing parameter printcap name = /dev/null
  doing parameter vfs objects = acl_xattr
  doing parameter map acl inherit = yes
  doing parameter store dos attributes = yes
[2018/01/16 14:59:47.785383,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[Daten]"
  doing parameter comment = Daten
  doing parameter path = /mnt/daten
  doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
  doing parameter read only = No
  doing parameter create mask = 0660
  doing parameter directory mask = 0770
[2018/01/16 14:59:47.785477,  2]
../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[Scans_Plotter]"
  doing parameter comment = Scans vom Plotter
  doing parameter path = /mnt/daten/Allgemeines/_Scans/Plotter
  doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
  doing parameter read only = No
  doing parameter create mask = 0660
  doing parameter directory mask = 0770
[2018/01/16 14:59:47.785568,  4]
../source3/param/loadparm.c:3780(lp_load_ex)
  pm_process() returned Yes
[2018/01/16 14:59:47.785588,  3]
../source3/param/loadparm.c:1585(lp_add_ipc)
  adding IPC service
[2018/01/16 14:59:47.786003,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072)
failed
[2018/01/16 14:59:47.786025,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2018/01/16 14:59:47.786035,  1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2018/01/16 14:59:47.786082,  3]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/01/16 14:59:47.786504,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786528,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786538,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786549,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786663,  3]
../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

-

main # wbinfo --sid-to-uid  S-1-5-21-2777655458-4002997014-749295002-3147
10072

(works)

main # wbinfo -i kamleitnerl
kamleitnerl:*:10072:10513::/home/kamleitnerl:/bin/false

(works)

We created a second user, kamleitnerl2; with this user things work (but we
need the first one to be able to keep the Windows profile etc.).

-

for reference: smb.conf of DM:

[global]
        security = ADS
        workgroup = ARBEITSGRUPPE
        realm = arbeitsgruppe.hidden-tld.at
        log file = /var/log/samba/%m.log
        log level = 4

        idmap config * : backend = tdb
        idmap config * : range = 2000-3999

        idmap config ARBEITSGRUPPE:backend = ad
        idmap config ARBEITSGRUPPE:range = 10000-9999999

        # until 4.6.0
        idmap config ARBEITSGRUPPE:schema_mode = rfc2307
        winbind nss info = rfc2307
        # new parameter:
        # idmap config ARBEITSGRUPPE:unix_nss_info = yes

        username map = /etc/samba/user.map

        winbind use default domain = Yes
        winbind refresh tickets = Yes

        load printers = No
        printcap name = /dev/null

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

-

Additional info:

Same user worked fine until today.

We restarted the DCs and winbindd on DM ... killed smbd, etc.
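Added example, not part of the original post or of Samba: the log shows `wbinfo --sid-to-uid` and `wbinfo -i` answering correctly while smbd's `add_local_groups` reports `getpwuid(10072) failed`. Those two paths differ: wbinfo asks winbindd directly, whereas smbd's getpwuid() goes through libc NSS (nsswitch.conf, libnss_winbind, and the nss info / rfc2307 attributes). The script below pulls the SID/uid pairs out of such log lines and then asks libc NSS for the same uid, which is the same check `getent passwd 10072` would make on the member server. The sample log text is constructed from the two lines quoted above; the function names are this example's own.

```python
import pwd
import re

# Constructed sample: the two relevant lines from the smbd log quoted in the post,
# with the wrapped "failed" joined back onto its line.
SAMPLE_LOG = """\
[2018/01/16 14:59:47.786003,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072) failed
[2018/01/16 14:59:47.786025,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
"""

# Matches the add_local_groups failure line; \s* tolerates a line wrap before "failed".
GETPWUID_RE = re.compile(r"SID (S-1-5-21-[\d-]+) -> getpwuid\((\d+)\)\s*failed")


def find_failed_lookups(log_text):
    """Return (sid, uid) pairs for every getpwuid() failure smbd logged."""
    return [(m.group(1), int(m.group(2))) for m in GETPWUID_RE.finditer(log_text)]


def nss_resolves(uid):
    """True if libc NSS (the path smbd's getpwuid() takes) knows this uid.

    This is independent of winbindd's own SID->uid mapping: wbinfo can succeed
    while this call fails when the NSS layer cannot produce a passwd entry.
    """
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def diagnose(log_text):
    """For each failed lookup in the log, record whether NSS resolves the uid here."""
    return [
        {"sid": sid, "uid": uid, "nss_ok": nss_resolves(uid)}
        for sid, uid in find_failed_lookups(log_text)
    ]


if __name__ == "__main__":
    # On the member server, replace SAMPLE_LOG with the contents of the real
    # /var/log/samba/<client>.log to check the uids smbd actually complained about.
    for entry in diagnose(SAMPLE_LOG):
        state = "resolves via NSS" if entry["nss_ok"] else "NOT resolvable via NSS"
        print(f"{entry['sid']} -> uid {entry['uid']}: {state}")
```

A uid that wbinfo maps but NSS cannot resolve points the investigation at the NSS side on the member server (the `winbind` entry in nsswitch.conf, libnss_winbind, or the attributes the `ad` backend needs for that one account) rather than at the DCs' SID mapping.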


