[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN

Rowland Penny rpenny at samba.org
Tue Jul 9 18:35:07 UTC 2024


On Tue, 9 Jul 2024 14:21:58 -0400
Luc Lalonde <luc.lalonde at polymtl.ca> wrote:

> I get the same error using 'net ads join'
> 
> Here are my sanitized config files:
> 
> ############## begin /etc/krb5.conf ####################
> 
> includedir /etc/krb5.conf.d/

Samba does not like the 'includedir' line and doesn't require most of
the other lines, try this /etc/krb5.conf:

[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_kdc = false
  dns_lookup_realm = true

[realms]
	EXAMPLE.ORG = {
		default_domain = example.org
	}

[domain_realm]
	SHORT_HOSTNAME_IN_UPPERCASE = EXAMPLE.ORG

Replace 'SHORT_HOSTNAME_IN_UPPERCASE' with the computer's short hostname.

> 

> ############## end /etc/krb5.conf #####################
> 
> ############## begin /etc/samba/smb.conf #####################
> 
> [global]
>          server string = Fileserver
>          workgroup = EXAMPLE
>          realm = EXAMPLE.ORG
>          netbios name = FILESERVERNAME
>          security = ADS
>          local master = no
>          domain master = no
>          preferred master = no
>          idmap config *:backend = tdb
>          idmap config *:range = 200-999

Why so low a range?

>          idmap config GIGL: backend = ad
>          idmap config GIGL:schema_mode = rfc2307
>          idmap config GIGL:range = 1000-999999
>          idmap config GIGL : unix_nss_info = yes
>          idmap config GIGL : unix_primary_group = yes

I hope you never need to have any local Unix users, because your ranges
stop them.
 
>          winbind use default domain = yes
>          winbind expand groups = 2
>          winbind refresh tickets = Yes
>          client signing = mandatory
>          kerberos method = secrets and keytab
>          dedicated keytab file = /etc/krb5.keytab
>          username map = /etc/samba/user.map
>          log file = /var/log/samba/%m.log
>          smb ports = 445 139
>          acl allow execute always = True
>          printing = cups
>          cups server = cups.example.org
>          load printers = no
>          map to guest = Bad User
>          vfs objects = acl_xattr
>          map acl inherit = yes
> 
> [homes]
>          comment = homes
>          read only = No
>          directory mask = 0700
>          force directory mode = 0700
>          create mask = 0600
>          force create mode = 0600
>          browseable = No
>          valid users = %S
> 
> [software$]
>          comment = Software share
>          path = /store1/shares/software
>          write list = @admingroup
>          force user = root
>          force group = admingroup
>          valid users = root, at admingroup
>          read only = No
>          create mask = 0660
>          directory mask = 0770

You do not need all those lines, not if you use acl_xattr correctly.

Rowland

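As an added illustration of the idmap-range point raised above (this is not code from the thread or from Samba), a small check that parses the `idmap config ...:range` lines from an smb.conf and reports ranges that overlap each other or swallow the host's local Unix accounts. The sample config is constructed from the one quoted in the thread, and the 1000-60000 local UID range is an assumption taken from common /etc/login.defs defaults.

```python
import re

# Constructed sample modelled on the smb.conf quoted in the thread, not the poster's real file.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 200-999
   idmap config GIGL: backend = ad
   idmap config GIGL:schema_mode = rfc2307
   idmap config GIGL:range = 1000-999999
"""

# Assumed local-account range (UID_MIN/UID_MAX defaults in login.defs); adjust to the host.
LOCAL_UID_RANGE = (1000, 60000)

# Matches 'idmap config <DOMAIN or *> : range = low-high', tolerating spaces around the colon.
RANGE_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every idmap range line inside [global]."""
    ranges = {}
    in_global = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_global = stripped.lower() == "[global]"
            continue
        m = RANGE_RE.match(line) if in_global else None
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlaps(a, b):
    """True when the inclusive ranges a and b share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_ranges(ranges, local=LOCAL_UID_RANGE):
    """List idmap ranges that overlap each other or collide with local Unix UIDs."""
    findings = []
    names = sorted(ranges)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            if overlaps(ranges[n1], ranges[n2]):
                findings.append(f"ranges for '{n1}' and '{n2}' overlap")
    for name in names:
        if overlaps(ranges[name], local):
            findings.append(f"range for '{name}' {ranges[name]} collides with local UIDs {local}")
    return findings
```

Run against the sample, the check flags the GIGL range, which covers every UID a local user would normally be given.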