[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Luc Lalonde
Luc.Lalonde at polymtl.ca
Tue Jul 26 19:43:29 UTC 2022
Hello all,
I'm having issues configuring a new Samba server on a Debian-11
instance (Samba 4.13.13).
What's working:
* Winbind authentication
* NFSv4 exports using gss/krb5
And not working:
* Samba user homes exports
Here's the error when I try to access the share:
smbclient //fs1.example.com/wadmin -U -g EXAMPLE.COM
Password for [EXAMPLE\wadmin]:
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Here's my smb.conf:
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    netbios name = FS1
    security = ADS
    local master = no
    domain master = no
    preferred master = no
    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config GIGL:backend = ad
    idmap config GIGL:schema_mode = rfc2307
    idmap config GIGL:range = 1000-999999
    idmap config GIGL : read only = yes
    idmap config GIGL : unix_nss_info = yes
    idmap config GIGL : unix_primary_group = yes
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = yes
    client signing = mandatory
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    username map = /etc/samba/user.map
    log file = /var/log/samba/%m.log
    log level = 1 auth:5 winbind:5

[homes]
    comment = homes
    read only = No
    directory mask = 0700
    force directory mode = 0700
    create mask = 0600
    force create mode = 0600
    browseable = No
    valid users = %S
    follow symlinks = yes

[profiles]
    comment = Users Profile Directories
    path = /store/profiles
    store dos attributes = Yes
    browseable = no
    read only = no
    create mask = 0600
    directory mask = 0700
    csc policy = disable
    vfs objects = acl_xattr
Here's what I see in the logs:
[2022/07/26 14:40:17.574688, 2] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: Miscellaneous failure (see text): Ticket have not authorization data
[2022/07/26 14:40:17.574753, 1] ../../auth/gensec/gensec_util.c:68(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC in ticket from wadmin at EXAMPLE.COM, failing to allow access
And here's what I have in my /etc/krb5.conf:
[logging]
    default = SYSLOG:INFO:DAEMON
    kdc = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.COM = {
        default_domain = EXAMPLE.COM
        master_kdc = DC1.EXAMPLE.COM
        kdc = DC1.EXAMPLE.COM
        kdc = DC2.EXAMPLE.COM
        admin_server = DC1.EXAMPLE.COM
    }

[domain_realm]
    EXAMPLE.COM = EXAMPLE.COM
    .dgi.polymtl.ca = EXAMPLE.COM
    dgi.polymtl.ca = EXAMPLE.COM
    .EXAMPLE.COM = EXAMPLE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 10h
        renew_lifetime = 7d
        forwardable = true
        krb4_convert = false
        validate = true
    }
And here's my /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
initgroups: files
hosts: files dns
Best regards.
--
Luc Lalonde, analyst
-----------------------------
Department of Computer Engineering:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
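As an added example (not part of Luc's post or of Samba itself), a small Python checker that reads smb.conf and krb5.conf fragments like the ones quoted above and flags what a reviewer would look at first: an idmap domain label that matches neither "*" nor the workgroup, and the weak Kerberos enctypes kept alive by allow_weak_crypto = true. The constants below are constructed excerpts of the posted configs; the GIGL/EXAMPLE mismatch may simply come from anonymising the post, but it is exactly the kind of inconsistency the check is meant to surface.

```python
import re

# Constructed excerpt of the smb.conf quoted above (only the keys these checks read).
SMB_CONF = """
[global]
workgroup = EXAMPLE
idmap config *:range = 200-999
idmap config GIGL:range = 1000-999999
idmap config GIGL : read only = yes
"""
# Constructed excerpt of the krb5.conf [libdefaults] section quoted above.
KRB5_CONF = """
[libdefaults]
allow_weak_crypto = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""
# Enctypes deprecated for Kerberos by RFC 6649 (DES, RC4-EXP) and RFC 8429 (3DES, RC4).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "rc4-hmac-exp", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_kv(text):
    """'key = value' lines -> dict; section headers and braces are skipped. Keys are lower-cased with whitespace squeezed, so 'GIGL : read only' and 'GIGL:read only' are the same key."""
    out = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "[#;}" and "=" in line:
            key, val = line.split("=", 1)
            out[re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))] = val.strip()
    return out

def check_smb(conf):
    """Flag idmap domain labels that match neither '*' nor the workgroup."""
    cfg = parse_kv(conf)
    workgroup = cfg.get("workgroup", "").upper()
    doms = {m.group(1).upper() for k in cfg if (m := re.match(r"idmap config ([^:]+):", k))}
    return [f"idmap domain {d!r} does not match workgroup {workgroup!r}"
            for d in sorted(doms - {"*", workgroup})]

def check_krb5(conf):
    """Flag allow_weak_crypto and any deprecated enctypes in the enctype lists."""
    cfg, findings = parse_kv(conf), []
    if cfg.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true stops libkrb5 filtering DES enctypes out of the enctype lists")
    for opt in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in cfg.get(opt, "").split() if e.lower() in DEPRECATED_ENCTYPES]
        if weak:
            findings.append(f"{opt} lists deprecated enctypes: {' '.join(weak)}")
    return findings
```

Run it against the real files with `check_smb(open("/etc/samba/smb.conf").read())` and `check_krb5(open("/etc/krb5.conf").read())`; an empty list from both means neither check fired.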