Luc Lalonde
2024-Jul-09 15:31 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Hello, This problem has come back for me and I can't seem to get around it. When I try to access a share, I get this error: session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): [2024/07/09 11:22:26.747013,? 3] ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob) ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory [2024/07/09 11:22:26.747103,? 1] ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac) ? gensec_generate_session_info_pac: Unable to find PAC in ticket from username at EXAMPLE.ORG, failing to allow access This file server is joined to an Active Directory server and I'm able to use Winbind to authenticate users without any problems.. NFS mounts are working too. I've even removed the keytab, and machine credentials in AD and rejoined... same problem. Here's the command I used: realm join --membership-software=samba --computer-ou=OU=Services --client-software=winbind example.org Any ideas? Thank You! -- Luc Lalonde, analyste ----------------------------- D?partement de g?nie informatique et g?nie logiciel: ?cole polytechnique de MTL (514) 340-4711 x5049 Luc.Lalonde at polymtl.ca -----------------------------
Peter Milesson
2024-Jul-09 15:42 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On 09.07.2024 17:31, Luc Lalonde via samba wrote:> Hello, > > This problem has come back for me and I can't seem to get around it. > > When I try to access a share, I get this error: > > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN > > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): > > [2024/07/09 11:22:26.747013,? 3] > ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob) > ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI > gss_get_name_attribute failed: The operation or option is not > available or unsupported: No such file or directory > [2024/07/09 11:22:26.747103,? 1] > ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac) > ? gensec_generate_session_info_pac: Unable to find PAC in ticket from > username at EXAMPLE.ORG, failing to allow access > > This file server is joined to an Active Directory server and I'm able > to use Winbind to authenticate users without any problems.. NFS mounts > are working too. > > I've even removed the keytab, and machine credentials in AD and > rejoined... same problem. > > Here's the command I used: > > realm join --membership-software=samba --computer-ou=OU=Services > --client-software=winbind example.org > > Any ideas? > > Thank You! >Hi Luc, The realm command is not a Samba command AFAIK. sssd problem? Make sure you have winbind installed and configured and sssd uninstalled. Also check that nscd is not installed, or at least not active. Read https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain Best regards, Peter
Rowland Penny
2024-Jul-09 17:29 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On Tue, 9 Jul 2024 11:31:04 -0400 Luc Lalonde via samba <samba at lists.samba.org> wrote:> Hello, > > This problem has come back for me and I can't seem to get around it. > > When I try to access a share, I get this error: > > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN > > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): > > [2024/07/09 11:22:26.747013,? 3] > ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob) > ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI > gss_get_name_attribute failed: The operation or option is not > available or unsupported: No such file or directory > [2024/07/09 11:22:26.747103,? 1] > ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac) > ? gensec_generate_session_info_pac: Unable to find PAC in ticket > from username at EXAMPLE.ORG, failing to allow access > > This file server is joined to an Active Directory server and I'm able > to use Winbind to authenticate users without any problems.. NFS > mounts are working too. > > I've even removed the keytab, and machine credentials in AD and > rejoined... same problem. > > Here's the command I used: > > realm join --membership-software=samba --computer-ou=OU=Services > --client-software=winbind example.org > > Any ideas?Yes, stop using a freeipa command to join AD, use this instead: net ads join -U administrator Also, have you setup the smb.conf, /etc/krb5.conf etc correctly ? Rowland
Possibly Parallel Threads
- session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
- session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
- session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
- session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
- Using samba4 with kerberos outside of an AD realm