[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN

Rowland Penny rpenny at samba.org
Tue Jul 9 17:29:15 UTC 2024


On Tue, 9 Jul 2024 11:31:04 -0400
Luc Lalonde via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> This problem has come back for me and I can't seem to get around it.
> 
> When I try to access a share, I get this error:
> 
> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
> 
> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
> 
> [2024/07/09 11:22:26.747013,  3] ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
>    gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> [2024/07/09 11:22:26.747103,  1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>    gensec_generate_session_info_pac: Unable to find PAC in ticket from username at EXAMPLE.ORG, failing to allow access
> 
> This file server is joined to an Active Directory server and I'm able
> to use Winbind to authenticate users without any problems. NFS
> mounts are working too.
> 
> I've even removed the keytab, and machine credentials in AD and 
> rejoined... same problem.
> 
> Here's the command I used:
> 
> realm join --membership-software=samba --computer-ou=OU=Services --client-software=winbind example.org
> 
> Any ideas?

Yes, stop using a freeipa command to join AD, use this instead:

net ads join -U administrator

Also, have you set up the smb.conf, /etc/krb5.conf etc. correctly?

Rowland
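
The two log records quoted in the question can be picked out of a full smbd log mechanically. The following is an added example, not part of the original thread or of Samba's own code: a small parser that groups each header line with its message lines and lists every ticket rejected for lacking a PAC. It assumes the on-disk layout of one header line followed by indented message lines; the sample log and the principal `alice@EXAMPLE.ORG` are constructed.

```python
import re
from collections import Counter

# Record header: "[date time.usec,  level] source.c:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s*\S+?:\d+\((?P<func>\w+)\)\s*$"
)
PAC_MISSING = re.compile(r"Unable to find PAC in ticket from (?P<principal>\S+?),")

# Constructed sample: the two messages from the thread plus one repeat.
SAMPLE = """\
[2024/07/09 11:22:26.747013,  3] ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
[2024/07/09 11:22:26.747103,  1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC in ticket
  from alice@EXAMPLE.ORG, failing to allow access
[2024/07/09 11:25:02.100000,  1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC in ticket from alice@EXAMPLE.ORG, failing to allow access
"""


def parse_records(text):
    """Group a log into records: one header line plus its message lines."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            # Join continuation lines so a wrapped message still matches.
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records


def pac_failures(text):
    """Return (timestamp, principal) for each ticket rejected for lacking a PAC."""
    hits = []
    for rec in parse_records(text):
        m = PAC_MISSING.search(rec["msg"])
        if m and rec["func"] == "gensec_generate_session_info_pac":
            hits.append((rec["ts"], m.group("principal")))
    return hits


if __name__ == "__main__":
    for ts, who in pac_failures(SAMPLE):
        print(ts, who)
    print(Counter(who for _, who in pac_failures(SAMPLE)))
```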



