[Samba] Failed to finalize nt token
Stefan G. Weichinger
lists at xunil.at
Tue Jan 16 14:20:04 UTC 2018
I am googling around for an issue and can't figure it out so far.
Status:
2 Debian 9.3 ADCs with samba-4.6.12 each.
1 Gentoo Samba Domain Member server "main",
Samba version 4.5.15 (we downgraded because of another issue a month ago or so).
*one* AD user is able to log into his Windows 10 PC, but doesn't get a network share connected.
If I test that from the DM server or the DCs via smbclient, it fails as well.
main # smbclient -L main -U kamleitnerl%hispw
session setup failed: NT_STATUS_UNSUCCESSFUL
maybe https://bugzilla.samba.org/show_bug.cgi?id=10604, I am not sure.
--- log on main:
Processing section "[global]"
doing parameter security = ADS
doing parameter workgroup = ARBEITSGRUPPE
doing parameter realm = arbeitsgruppe.hidden-tld.at
doing parameter log file = /var/log/samba/%m.log
doing parameter log level = 4
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 2000-3999
doing parameter idmap config ARBEITSGRUPPE:backend = ad
doing parameter idmap config ARBEITSGRUPPE:range = 10000-9999999
doing parameter idmap config ARBEITSGRUPPE:schema_mode = rfc2307
doing parameter winbind nss info = rfc2307
doing parameter username map = /etc/samba/user.map
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter load printers = No
doing parameter printcap name = /dev/null
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
[2018/01/16 14:59:47.785383, 2]
../source3/param/loadparm.c:2685(lp_do_section)
Processing section "[Daten]"
doing parameter comment = Daten
doing parameter path = /mnt/daten
doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
doing parameter read only = No
doing parameter create mask = 0660
doing parameter directory mask = 0770
[2018/01/16 14:59:47.785477, 2]
../source3/param/loadparm.c:2685(lp_do_section)
Processing section "[Scans_Plotter]"
doing parameter comment = Scans vom Plotter
doing parameter path = /mnt/daten/Allgemeines/_Scans/Plotter
doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
doing parameter read only = No
doing parameter create mask = 0660
doing parameter directory mask = 0770
[2018/01/16 14:59:47.785568, 4]
../source3/param/loadparm.c:3780(lp_load_ex)
pm_process() returned Yes
[2018/01/16 14:59:47.785588, 3]
../source3/param/loadparm.c:1585(lp_add_ipc)
adding IPC service
[2018/01/16 14:59:47.786003, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072) failed
[2018/01/16 14:59:47.786025, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token
[2018/01/16 14:59:47.786035, 1]
../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2018/01/16 14:59:47.786082, 3]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/01/16 14:59:47.786504, 4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786528, 4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786538, 4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786549, 4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786663, 3]
../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
-
main # wbinfo --sid-to-uid S-1-5-21-2777655458-4002997014-749295002-3147
10072
(works)
main # wbinfo -i kamleitnerl
kamleitnerl:*:10072:10513::/home/kamleitnerl:/bin/false
(works)
We created a 2nd user, kamleitnerl2; with this user things work (but we need the 1st one to be able to keep the Windows profile etc.).
-
for reference: smb.conf of DM:
[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.hidden-tld.at
log file = /var/log/samba/%m.log
log level = 4
idmap config * : backend = tdb
idmap config * : range = 2000-3999
idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-9999999
# until 4.6.0
idmap config ARBEITSGRUPPE:schema_mode = rfc2307
winbind nss info = rfc2307
# new parameter:
# idmap config ARBEITSGRUPPE:unix_nss_info = yes
username map = /etc/samba/user.map
winbind use default domain = Yes
winbind refresh tickets = Yes
load printers = No
printcap name = /dev/null
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
-
Additional info:
The same user worked fine until today.
We restarted the DCs and winbindd on the DM, killed smbd, etc.
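The log above shows where the session setup actually breaks: winbind maps the user's SID to uid 10072 (which is why `wbinfo --sid-to-uid` and `wbinfo -i` look fine), but `add_local_groups()` then calls `getpwuid(10072)` and that fails, so `create_local_nt_token_from_info3()` cannot finalise the token and the PAC cannot be mapped to a session. `wbinfo` asks winbindd directly over its pipe, while the `getpwuid()` call in smbd goes through libc's NSS (`/etc/nsswitch.conf`, libnss_winbind), so the two lookups can disagree. The script below, an added example and not part of the Samba project or of this post, walks the same two-step chain from the domain member's shell and reports which step fails. It assumes `wbinfo` is on PATH; the constructed sample at the bottom mirrors the posted log (SID maps to 10072, no passwd entry for 10072 via NSS) so the logic can be exercised without a domain.

```python
#!/usr/bin/env python3
"""Walk the lookup chain smbd uses while finalising an NT token:
SID -> uid via winbind, then uid -> passwd entry via NSS getpwuid(3).

Added example, not Samba project code. Assumes `wbinfo` is on PATH when
run live; the sample data at the bottom is constructed from the post."""
import pwd
import subprocess
import sys
from typing import Callable, Dict, Optional


def wbinfo(*args: str) -> Optional[str]:
    """Run wbinfo and return its stdout, or None if it exits non-zero."""
    r = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def nss_getpwuid(uid: int) -> Optional[str]:
    """uid -> account name through libc NSS, the same call smbd makes."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def diagnose(sid: str,
             sid_to_uid: Callable[[str], Optional[str]],
             getpwuid: Callable[[int], Optional[str]]) -> str:
    """Classify where SID -> uid -> passwd breaks.

    Returns 'winbind-sid-mapping' if winbind cannot map the SID to a uid,
    'nss-getpwuid' if it can but NSS has no passwd entry for that uid
    (the pattern in the posted log), and 'ok' otherwise."""
    uid_s = sid_to_uid(sid)
    if uid_s is None or not uid_s.isdigit():
        return "winbind-sid-mapping"   # idmap backend could not map the SID
    if getpwuid(int(uid_s)) is None:
        return "nss-getpwuid"          # winbind maps it, NSS cannot build a passwd entry
    return "ok"


def diagnose_live(sid: str) -> str:
    """Real lookups: wbinfo for the SID, libc getpwuid for the uid."""
    return diagnose(sid, lambda s: wbinfo("--sid-to-uid", s), nss_getpwuid)


# Constructed sample mirroring the post: the SID maps to uid 10072, but no
# passwd entry for 10072 is visible through NSS.
SAMPLE_SID = "S-1-5-21-2777655458-4002997014-749295002-3147"
SAMPLE_WBINFO: Dict[str, str] = {SAMPLE_SID: "10072"}
SAMPLE_NSS: Dict[int, str] = {}


def diagnose_sample() -> str:
    return diagnose(SAMPLE_SID, SAMPLE_WBINFO.get, SAMPLE_NSS.get)


if __name__ == "__main__":
    # usage: ./nt_token_chain.py S-1-5-21-...   (hypothetical file name)
    print(diagnose_live(sys.argv[1]) if len(sys.argv) == 2 else diagnose_sample())
```

When the result is `nss-getpwuid`, compare `getent passwd 10072` and `getent passwd kamleitnerl` (both through NSS) with the `wbinfo` output; `wbinfo` succeeding on its own does not prove that smbd's lookup path works.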