[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Luc Lalonde
luc.lalonde at polymtl.ca
Tue Jul 9 18:21:58 UTC 2024
I get the same error using 'net ads join'
Here are my sanitized config files:
############## begin /etc/krb5.conf ####################
includedir /etc/krb5.conf.d/
[logging]
default = SYSLOG:INFO:DAEMON
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
[libdefaults]
default_realm =EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
udp_preference_limit = 0
[realms]
EXAMPLE.OEG = {
default_domain = EXAMPLE.ORG
master_kdc= DC1.EXAMPLE.ORG
kdc=DC1.EXAMPLE.ORG
kdc=DC2.EXAMPLE.ORG
admin_server=DC1.EXAMPLE.ORG
}
[domain_realm]
EXAMPLE.ORG = EXAMPLE.ORG
.ALT.ORG = EXAMPLE.ORG
ALT.ORG = EXAMPLE.ORG
.EXAMPLE.ORG = EXAMPLE.ORG
[appdefaults]
pam = {
debug = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
krb4_convert = false
validate = true
}
[plugins]
localauth = {
module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
enable_only = winbind
}
############## end /etc/krb5.conf #####################
############## begin /etc/samba/smb.conf #####################
[global]
server string = Fileserver
workgroup = EXAMPLE
realm = EXAMPLE.ORG
netbios name = FILESERVERNAME
security = ADS
local master = no
domain master = no
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 200-999
idmap config GIGL: backend = ad
idmap config GIGL:schema_mode = rfc2307
idmap config GIGL:range = 1000-999999
idmap config GIGL : unix_nss_info = yes
idmap config GIGL : unix_primary_group = yes
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
client signing = mandatory
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
username map = /etc/samba/user.map
log file = /var/log/samba/%m.log
smb ports = 445 139
acl allow execute always = True
printing = cups
cups server = cups.example.org
load printers = no
map to guest = Bad User
vfs objects = acl_xattr
map acl inherit = yes
[homes]
comment = homes
read only = No
directory mask = 0700
force directory mode = 0700
create mask = 0600
force create mode = 0600
browseable = No
valid users = %S
[software$]
comment = Software share
path = /store1/shares/software
write list = @admingroup
force user = root
force group = admingroup
valid users = root, at admingroup
read only = No
create mask = 0660
directory mask = 0770
############## end /etc/samba/smb.conf #####################
On 7/9/24 1:29 PM, Rowland Penny via samba wrote:
> On Tue, 9 Jul 2024 11:31:04 -0400
> Luc Lalonde via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> This problem has come back for me and I can't seem to get around it.
>>
>> When I try to access a share, I get this error:
>>
>> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>>
>> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
>>
>> [2024/07/09 11:22:26.747013, 3]
>> ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
>> gssapi_obtain_pac_blob: obtaining PAC via GSSAPI
>> gss_get_name_attribute failed: The operation or option is not
>> available or unsupported: No such file or directory
>> [2024/07/09 11:22:26.747103, 1]
>> ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>> gensec_generate_session_info_pac: Unable to find PAC in ticket
>> from username at EXAMPLE.ORG, failing to allow access
>>
>> This file server is joined to an Active Directory server and I'm able
>> to use Winbind to authenticate users without any problems.. NFS
>> mounts are working too.
>>
>> I've even removed the keytab, and machine credentials in AD and
>> rejoined... same problem.
>>
>> Here's the command I used:
>>
>> realm join --membership-software=samba --computer-ou=OU=Services
>> --client-software=winbind example.org
>>
>> Any ideas?
> Yes, stop using a freeipa command to join AD, use this instead:
>
> net ads join -U administrator
>
> Also, have you setup the smb.conf, /etc/krb5.conf etc correctly ?
>
> Rowland
>
>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
More information about the samba
mailing list