[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Rowland Penny
rpenny at samba.org
Tue Jul 9 18:15:59 UTC 2024
On Tue, 9 Jul 2024 18:29:15 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 9 Jul 2024 11:31:04 -0400
> Luc Lalonde via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > This problem has come back for me and I can't seem to get around it.
> >
> > When I try to access a share, I get this error:
> >
> > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
> >
> > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
> >
> > [2024/07/09 11:22:26.747013, 3]
> > ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
> > gssapi_obtain_pac_blob: obtaining PAC via GSSAPI
> > gss_get_name_attribute failed: The operation or option is not
> > available or unsupported: No such file or directory
> > [2024/07/09 11:22:26.747103, 1]
> > ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
> > gensec_generate_session_info_pac: Unable to find PAC in ticket
> > from username at EXAMPLE.ORG, failing to allow access
> >
> > This file server is joined to an Active Directory server and I'm
> > able to use Winbind to authenticate users without any problems.. NFS
> > mounts are working too.
> >
> > I've even removed the keytab, and machine credentials in AD and
> > rejoined... same problem.
> >
> > Here's the command I used:
> >
> > realm join --membership-software=samba --computer-ou=OU=Services
> > --client-software=winbind example.org
> >
> > Any ideas?
>
> Yes, stop using a freeipa command to join AD, use this instead:
>
> net ads join -U administrator
>
> Also, have you setup the smb.conf, /etc/krb5.conf etc correctly ?
>
> Rowland
>
>
Adding to the above, are you running winbind ? Also have you turned off
sssd ?
Rowland
More information about the samba
mailing list