[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN

Luc Lalonde luc.lalonde at polymtl.ca
Tue Jul 9 18:21:58 UTC 2024


I get the same error using 'net ads join'

Here are my sanitized config files:

############## begin /etc/krb5.conf ####################

includedir /etc/krb5.conf.d/

[logging]
  default = SYSLOG:INFO:DAEMON
  kdc = SYSLOG:INFO:DAEMON
  admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 10h
  renew_lifetime = 7d
  forwardable = true
  allow_weak_crypto = true
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  udp_preference_limit = 0

[realms]
  EXAMPLE.ORG = {
    default_domain = EXAMPLE.ORG
    master_kdc = DC1.EXAMPLE.ORG
    kdc = DC1.EXAMPLE.ORG
    kdc = DC2.EXAMPLE.ORG
    admin_server = DC1.EXAMPLE.ORG
  }

[domain_realm]
  EXAMPLE.ORG = EXAMPLE.ORG
  .ALT.ORG = EXAMPLE.ORG
  ALT.ORG = EXAMPLE.ORG
  .EXAMPLE.ORG = EXAMPLE.ORG

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    krb4_convert = false
    validate = true
  }

[plugins]
  localauth = {
    module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
    enable_only = winbind
  }
############## end /etc/krb5.conf #####################

############## begin /etc/samba/smb.conf #####################

[global]
         server string = Fileserver
         workgroup = EXAMPLE
         realm = EXAMPLE.ORG
         netbios name = FILESERVERNAME
         security = ADS
         local master = no
         domain master = no
         preferred master = no
         idmap config *:backend = tdb
         idmap config *:range = 200-999
         idmap config GIGL: backend = ad
         idmap config GIGL:schema_mode = rfc2307
         idmap config GIGL:range = 1000-999999
         idmap config GIGL : unix_nss_info = yes
         idmap config GIGL : unix_primary_group = yes
         winbind use default domain = yes
         winbind expand groups = 2
         winbind refresh tickets = Yes
         client signing = mandatory
         kerberos method = secrets and keytab
         dedicated keytab file = /etc/krb5.keytab
         username map = /etc/samba/user.map
         log file = /var/log/samba/%m.log
         smb ports = 445 139
         acl allow execute always = True
         printing = cups
         cups server = cups.example.org
         load printers = no
         map to guest = Bad User
         vfs objects = acl_xattr
         map acl inherit = yes

[homes]
         comment = homes
         read only = No
         directory mask = 0700
         force directory mode = 0700
         create mask = 0600
         force create mode = 0600
         browseable = No
         valid users = %S

[software$]
         comment = Software share
         path = /store1/shares/software
         write list = @admingroup
         force user = root
         force group = admingroup
         valid users = root, @admingroup
         read only = No
         create mask = 0660
         directory mask = 0770

############## end /etc/samba/smb.conf #####################

On 7/9/24 1:29 PM, Rowland Penny via samba wrote:
> On Tue, 9 Jul 2024 11:31:04 -0400
> Luc Lalonde via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> This problem has come back for me and I can't seem to get around it.
>>
>> When I try to access a share, I get this error:
>>
>> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>>
>> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
>>
>> [2024/07/09 11:22:26.747013,  3]
>> ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
>>     gssapi_obtain_pac_blob: obtaining PAC via GSSAPI
>> gss_get_name_attribute failed: The operation or option is not
>> available or unsupported: No such file or directory
>> [2024/07/09 11:22:26.747103,  1]
>> ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>>     gensec_generate_session_info_pac: Unable to find PAC in ticket
>> from username@EXAMPLE.ORG, failing to allow access
>>
>> This file server is joined to an Active Directory server and I'm able
>> to use Winbind to authenticate users without any problems.. NFS
>> mounts are working too.
>>
>> I've even removed the keytab, and machine credentials in AD and
>> rejoined... same problem.
>>
>> Here's the command I used:
>>
>> realm join --membership-software=samba --computer-ou=OU=Services
>> --client-software=winbind example.org
>>
>> Any ideas?
> Yes, stop using a freeipa command to join AD, use this instead:
>
> net ads join -U administrator
>
> Also, have you setup the smb.conf, /etc/krb5.conf etc correctly ?
>
> Rowland
>
>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
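As an added example (not part of this thread, and not Samba's or MIT Kerberos' own tooling), the following Python script cross-checks a krb5.conf/smb.conf pair for the consistency problems worth ruling out first when a domain member's Kerberos session setup fails: whether default_realm, the [realms] block and smb.conf's realm agree, whether the workgroup has its own idmap config block rather than falling into the `*` default, and whether allow_weak_crypto or DES/RC4 enctypes are still enabled. The sample configs are constructed, loosely modelled on the ones posted above; the parsers are deliberately minimal and only understand the directives they check.

```python
"""Cross-check a krb5.conf and smb.conf pair for realm-name mismatches,
missing idmap configuration and weak Kerberos enctypes.  All sample
configs below are constructed for this example."""
import re

# Constructed krb5.conf: the [realms] block name does not match default_realm,
# and weak DES/RC4 enctypes are enabled.
KRB5_SAMPLE = """
[libdefaults]
default_realm =EXAMPLE.ORG
  allow_weak_crypto = true
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
  EXAMPLE.OEG = {
    kdc = DC1.EXAMPLE.ORG
  }

[domain_realm]
  .example.org = EXAMPLE.ORG
"""

# Constructed smb.conf: idmap config exists for GIGL but the workgroup is EXAMPLE.
SMB_SAMPLE = """
[global]
         workgroup = EXAMPLE
         realm = EXAMPLE.ORG
         security = ADS
         idmap config *:backend = tdb
         idmap config GIGL:backend = ad
         idmap config GIGL : unix_nss_info = yes
"""

# Constructed corrected pair, used to show a clean run.
KRB5_FIXED = """
[libdefaults]
  default_realm = EXAMPLE.ORG
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
  EXAMPLE.ORG = {
    kdc = DC1.EXAMPLE.ORG
  }
"""
SMB_FIXED = """
[global]
  workgroup = EXAMPLE
  realm = EXAMPLE.ORG
  security = ADS
  idmap config * : backend = tdb
  idmap config EXAMPLE : backend = ad
  idmap config EXAMPLE : range = 10000-999999
"""

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}


def parse_krb5(text):
    """Return ([libdefaults] as a dict, set of realm names declared in [realms])."""
    section, libdefaults, realms = None, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            libdefaults[k] = v
        elif section == "realms":
            m = re.match(r"([^\s=]+)\s*=\s*\{", line)  # "REALM = {" opens a realm block
            if m:
                realms.add(m.group(1))
    return libdefaults, realms


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf, keys lower-cased and whitespace-collapsed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            params[re.sub(r"\s+", " ", k).lower()] = v
    return params


def check(krb5_text, smb_text):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    findings = []
    lib, realms = parse_krb5(krb5_text)
    smb = parse_smb_global(smb_text)
    krb_realm, smb_realm = lib.get("default_realm"), smb.get("realm")
    if krb_realm != smb_realm:
        findings.append(f"default_realm {krb_realm!r} != smb.conf realm {smb_realm!r}")
    if krb_realm and krb_realm not in realms:
        findings.append(f"no [realms] block for default_realm {krb_realm!r} (found {sorted(realms)})")
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true permits DES/RC4 ticket encryption")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} lists weak enctypes {weak}")
    # Every "idmap config DOMAIN:option" key names a domain; "*" is the catch-all default.
    idmap_domains = set()
    for k in smb:
        m = re.match(r"idmap config (.+?) ?: ?\w+$", k)
        if m and m.group(1) != "*":
            idmap_domains.add(m.group(1).upper())
    workgroup = smb.get("workgroup")
    if workgroup and workgroup.upper() not in idmap_domains:
        findings.append(f"workgroup {workgroup!r} has no idmap config block (configured: {sorted(idmap_domains)})")
    return findings


if __name__ == "__main__":
    for f in check(KRB5_SAMPLE, SMB_SAMPLE):
        print("FINDING:", f)
    print("fixed pair findings:", check(KRB5_FIXED, SMB_FIXED))
```

Point the script at the real files by reading them into the two strings; the realm checks are deliberately case-sensitive because Kerberos realm names are.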