[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Luc Lalonde
luc.lalonde at polymtl.ca
Tue Jul 9 19:18:58 UTC 2024
Strangely enough, after multiple changes and join/re-join, I now get a
different message:
tree connect failed: NT_STATUS_NO_SUCH_USER
But what's really weird, I don't get the error when I 'smbclient' to a
user's home. I get the error when I try to connect to another share
specified in smb.conf.
I've simplified my config files as per your suggestions.
Also, I'm able to log into the system with Winbind without any problems,
and NFS shares are working.
On 7/9/24 2:35 PM, Rowland Penny via samba wrote:
> On Tue, 9 Jul 2024 14:21:58 -0400
> Luc Lalonde <luc.lalonde at polymtl.ca> wrote:
>
>> I get the same error using 'net ads join'
>>
>> Here are my sanitized config files:
>>
>> ############## begin /etc/krb5.conf ####################
>>
>> includedir /etc/krb5.conf.d/
> Samba does not like the 'includedir' line and doesn't require most of
> the other lines, try this /etc/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.ORG
> dns_lookup_kdc = false
> dns_lookup_realm = true
>
> [realms]
> EXAMPLE.ORG = {
> default_domain = example.org
> }
>
> [domain_realm]
> SHORT_HOSTNAME_IN_UPPERCASE = EXAMPLE.ORG
>
> Replace 'SHORT_HOSTNAME_IN_UPPERCASE' with the computers short hostname
>
>> ############## end /etc/krb5.conf #####################
>>
>> ############## begin /etc/samba/smb.conf #####################
>>
>> [global]
>> server string = Fileserver
>> workgroup = EXAMPLE
>> realm = EXAMPLE.ORG
>> netbios name = FILESERVERNAME
>> security = ADS
>> local master = no
>> domain master = no
>> preferred master = no
>> idmap config *:backend = tdb
>> idmap config *:range = 200-999
> Why so low a range ?
>
>> idmap config GIGL: backend = ad
>> idmap config GIGL:schema_mode = rfc2307
>> idmap config GIGL:range = 1000-999999
>> idmap config GIGL : unix_nss_info = yes
>> idmap config GIGL : unix_primary_group = yes
> I hope you never need to have any local Unix users, because your ranges
> stop them.
>
>> winbind use default domain = yes
>> winbind expand groups = 2
>> winbind refresh tickets = Yes
>> client signing = mandatory
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>> username map = /etc/samba/user.map
>> log file = /var/log/samba/%m.log
>> smb ports = 445 139
>> acl allow execute always = True
>> printing = cups
>> cups server = cups.example.org
>> load printers = no
>> map to guest = Bad User
>> vfs objects = acl_xattr
>> map acl inherit = yes
>>
>> [homes]
>> comment = homes
>> read only = No
>> directory mask = 0700
>> force directory mode = 0700
>> create mask = 0600
>> force create mode = 0600
>> browseable = No
>> valid users = %S
>>
>> [software$]
>> comment = Software share
>> path = /store1/shares/software
>> write list = @admingroup
>> force user = root
>> force group = admingroup
>> valid users = root, at admingroup
>> read only = No
>> create mask = 0660
>> directory mask = 0770
> You do not need all those lines, not if you use acl_xattr correctly.
>
> Rowland
>
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
More information about the samba
mailing list