[Samba] Failed to finalize nt token
Denis Cardon
dcardon at tranquil.it
Tue Jan 16 14:47:35 UTC 2018
Hi Stefan,
> I am googling around for an issue and can't figure it out so far.
>
> Status:
>
> 2 Debian 9.3 ADCs with samba-4.6.12 each.
>
> 1 Gentoo Samba Domain Member server "main",
> Samba version 4.5.15 (we downgraded because of another issue a month ago
> or so).
>
> *one* AD user is able to log into his Windows10 PC, but doesn't get a
> network share connected.
When you specify win10, do you mean that it works properly for that same
user on a win7 workstation?
> If I test that from the DM server or the DCs via smbclient it fails as well.
>
> main # smbclient -L main -U kamleitnerl%hispw
> session setup failed: NT_STATUS_UNSUCCESSFUL
If you want to reproduce the same behavior as your workstation, you
should first kinit and then smbclient with -k:

    kinit kamleitnerl
    smbclient -k -L main

And by the way, until 4.7, smbclient was limited to SMB1 because of unix
extensions. If you want to have a better simulation, you should also
change the "client max protocol" parameter.
Cheers,
Denis
>
>
> maybe https://bugzilla.samba.org/show_bug.cgi?id=10604, I am not sure.
>
>
> --- log on main:
>
> Processing section "[global]"
> doing parameter security = ADS
> doing parameter workgroup = ARBEITSGRUPPE
> doing parameter realm = arbeitsgruppe.hidden-tld.at
> doing parameter log file = /var/log/samba/%m.log
> doing parameter log level = 4
> doing parameter idmap config * : backend = tdb
> doing parameter idmap config * : range = 2000-3999
> doing parameter idmap config ARBEITSGRUPPE:backend = ad
> doing parameter idmap config ARBEITSGRUPPE:range = 10000-9999999
> doing parameter idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> doing parameter winbind nss info = rfc2307
> doing parameter username map = /etc/samba/user.map
> doing parameter winbind use default domain = Yes
> doing parameter winbind refresh tickets = Yes
> doing parameter load printers = No
> doing parameter printcap name = /dev/null
> doing parameter vfs objects = acl_xattr
> doing parameter map acl inherit = yes
> doing parameter store dos attributes = yes
> [2018/01/16 14:59:47.785383, 2]
> ../source3/param/loadparm.c:2685(lp_do_section)
> Processing section "[Daten]"
> doing parameter comment = Daten
> doing parameter path = /mnt/daten
> doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
> doing parameter read only = No
> doing parameter create mask = 0660
> doing parameter directory mask = 0770
> [2018/01/16 14:59:47.785477, 2]
> ../source3/param/loadparm.c:2685(lp_do_section)
> Processing section "[Scans_Plotter]"
> doing parameter comment = Scans vom Plotter
> doing parameter path = /mnt/daten/Allgemeines/_Scans/Plotter
> doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
> doing parameter read only = No
> doing parameter create mask = 0660
> doing parameter directory mask = 0770
> [2018/01/16 14:59:47.785568, 4]
> ../source3/param/loadparm.c:3780(lp_load_ex)
> pm_process() returned Yes
> [2018/01/16 14:59:47.785588, 3]
> ../source3/param/loadparm.c:1585(lp_add_ipc)
> adding IPC service
> [2018/01/16 14:59:47.786003, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072)
> failed
> [2018/01/16 14:59:47.786025, 3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
> Failed to finalize nt token
> [2018/01/16 14:59:47.786035, 1]
> ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
> Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
> [2018/01/16 14:59:47.786082, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
> [2018/01/16 14:59:47.786504, 4]
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2018/01/16 14:59:47.786528, 4]
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2018/01/16 14:59:47.786538, 4]
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2018/01/16 14:59:47.786549, 4]
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2018/01/16 14:59:47.786663, 3]
> ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> -
>
> main # wbinfo --sid-to-uid S-1-5-21-2777655458-4002997014-749295002-3147
> 10072
>
> (works)
>
> main # wbinfo -i kamleitnerl
> kamleitnerl:*:10072:10513::/home/kamleitnerl:/bin/false
>
> (works)
>
> We created a 2nd user kamleitnerl2, with this user things work (but we
> need the 1st one to be able to keep the windows profile etc)
>
> -
>
> for reference: smb.conf of DM:
>
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.hidden-tld.at
> log file = /var/log/samba/%m.log
> log level = 4
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-3999
>
> idmap config ARBEITSGRUPPE:backend = ad
> idmap config ARBEITSGRUPPE:range = 10000-9999999
>
> # until 4.6.0
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> winbind nss info = rfc2307
> # new parameter:
> # idmap config ARBEITSGRUPPE:unix_nss_info = yes
>
> username map = /etc/samba/user.map
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
>
> load printers = No
> printcap name = /dev/null
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> -
>
> Additional info:
>
> same user worked fine until today
>
> we restarted the DCs and winbindd on DM ... killed smbd etc etc
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
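
Added example, not part of the original message or of Samba: a small Python triage helper that scans smbd log text (including the quoted, mail-wrapped form shown in this thread) for a `getpwuid(...) failed` record followed by "Failed to finalize nt token", and then checks whether the host's NSS passwd chain resolves that uid. The function names are hypothetical; the log excerpt is the one quoted above.

```python
import pwd
import re

# Log excerpt taken from the thread above, re-joined as smbd writes it.
SAMPLE_LOG = """\
[2018/01/16 14:59:47.786003,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072) failed
[2018/01/16 14:59:47.786025,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
GETPWUID = re.compile(r"SID (S-1-[\d-]+) -> getpwuid\((\d+)\)\s+failed")

def records(text):
    """Yield (timestamp, body) per record; tolerates '> ' quoting and wrapped lines."""
    stamp, body = None, ""
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, body
            stamp, body = m.group(1), m.group(3)
        elif stamp and line:
            body += " " + line
    if stamp:
        yield stamp, body

def failed_token_lookups(text):
    """Return [(sid, uid)] where a getpwuid failure precedes the token failure."""
    hits, pending = [], None
    for _, body in records(text):
        m = GETPWUID.search(body)
        if m:
            pending = (m.group(1), int(m.group(2)))
        elif pending and "Failed to finalize nt token" in body:
            hits.append(pending)
            pending = None
    return hits

def nss_resolves(uid):
    """True if getpwuid(3), i.e. the nsswitch.conf passwd chain, finds the uid."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False

if __name__ == "__main__":
    for sid, uid in failed_token_lookups(SAMPLE_LOG):
        print(f"{sid} uid={uid} resolvable via NSS on this host: {nss_resolves(uid)}")
```

`nss_resolves` goes through the C library's getpwuid(3) via Python's `pwd` module, which is a different lookup path from `wbinfo` asking winbindd directly, so the two can disagree on the same host.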