[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Rowland Penny
rpenny at samba.org
Tue Jul 9 18:35:07 UTC 2024
On Tue, 9 Jul 2024 14:21:58 -0400
Luc Lalonde <luc.lalonde at polymtl.ca> wrote:
> I get the same error using 'net ads join'
>
> Here are my sanitized config files:
>
> ############## begin /etc/krb5.conf ####################
>
> includedir /etc/krb5.conf.d/
Samba does not like the 'includedir' line and doesn't require most of
the other lines, try this /etc/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_kdc = false
dns_lookup_realm = true
[realms]
EXAMPLE.ORG = {
default_domain = example.org
}
[domain_realm]
SHORT_HOSTNAME_IN_UPPERCASE = EXAMPLE.ORG
Replace 'SHORT_HOSTNAME_IN_UPPERCASE' with the computer's short hostname
>
> ############## end /etc/krb5.conf #####################
>
> ############## begin /etc/samba/smb.conf #####################
>
> [global]
> server string = Fileserver
> workgroup = EXAMPLE
> realm = EXAMPLE.ORG
> netbios name = FILESERVERNAME
> security = ADS
> local master = no
> domain master = no
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 200-999
Why so low a range?
> idmap config GIGL: backend = ad
> idmap config GIGL:schema_mode = rfc2307
> idmap config GIGL:range = 1000-999999
> idmap config GIGL : unix_nss_info = yes
> idmap config GIGL : unix_primary_group = yes
I hope you never need to have any local Unix users, because your ranges
stop them.
> winbind use default domain = yes
> winbind expand groups = 2
> winbind refresh tickets = Yes
> client signing = mandatory
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> username map = /etc/samba/user.map
> log file = /var/log/samba/%m.log
> smb ports = 445 139
> acl allow execute always = True
> printing = cups
> cups server = cups.example.org
> load printers = no
> map to guest = Bad User
> vfs objects = acl_xattr
> map acl inherit = yes
>
> [homes]
> comment = homes
> read only = No
> directory mask = 0700
> force directory mode = 0700
> create mask = 0600
> force create mode = 0600
> browseable = No
> valid users = %S
>
> [software$]
> comment = Software share
> path = /store1/shares/software
> write list = @admingroup
> force user = root
> force group = admingroup
> valid users = root, @admingroup
> read only = No
> create mask = 0660
> directory mask = 0770
You do not need all those lines, not if you use acl_xattr correctly.
Rowland
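A checker for the idmap range problem Rowland raises above, written as an added example that is not part of this thread or of Samba itself. It parses a constructed smb.conf fragment built from the quoted lines and assumes UID_MIN is 1000 (the usual /etc/login.defs default), flagging ranges that overlap each other or that cover the ids useradd would give to new local Unix users.

```python
import re

# Constructed sample built from the idmap lines quoted in this thread.
QUOTED_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   idmap config *:backend = tdb
   idmap config *:range = 200-999
   idmap config GIGL: backend = ad
   idmap config GIGL:schema_mode = rfc2307
   idmap config GIGL:range = 1000-999999
"""

# Assumed UID_MIN from /etc/login.defs (the usual distro default); useradd
# allocates new local accounts upward from here.
LOCAL_UID_MIN = 1000

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(text):
    """Map each 'idmap config DOM:range = lo-hi' line to {DOM: (lo, hi)}."""
    ranges = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom").strip()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges

def check_idmap_ranges(text, uid_min=LOCAL_UID_MIN):
    """Report overlapping idmap ranges and any range that swallows the ids
    useradd would hand to new local Unix users."""
    ranges = parse_idmap_ranges(text)
    problems = []
    doms = list(ranges)
    for i, d1 in enumerate(doms):
        for d2 in doms[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[d1], ranges[d2]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                problems.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    for dom, (lo, hi) in ranges.items():
        if lo <= uid_min <= hi:
            problems.append(f"range for '{dom}' ({lo}-{hi}) covers UID_MIN={uid_min}: "
                            "new local users would collide with domain ids")
    return problems
```

Running `check_idmap_ranges(QUOTED_SMB_CONF)` reports the GIGL range covering UID_MIN; moving the ranges up (for instance 3000-7999 for `*` and 10000-999999 for the domain) leaves 1000-2999 free for local accounts.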