samba - Jul 2024 - session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN

Hello,

This problem has come back for me and I can't seem to get around it.

When I try to access a share, I get this error:

session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN

Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):

[2024/07/09 11:22:26.747013,? 3] 
../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
 ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory
[2024/07/09 11:22:26.747103,? 1] 
../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
 ? gensec_generate_session_info_pac: Unable to find PAC in ticket from 
username at EXAMPLE.ORG, failing to allow access

This file server is joined to an Active Directory server and I'm able to 
use Winbind to authenticate users without any problems.. NFS mounts are 
working too.

I've even removed the keytab, and machine credentials in AD and 
rejoined... same problem.

Here's the command I used:

realm join --membership-software=samba --computer-ou=OU=Services 
--client-software=winbind example.org

Any ideas?

Thank You!

-- 
Luc Lalonde, analyste
-----------------------------
D?partement de g?nie informatique et g?nie logiciel:
?cole polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------

On 09.07.2024 17:31, Luc Lalonde via samba wrote:
> Hello,
>
> This problem has come back for me and I can't seem to get around it.
>
> When I try to access a share, I get this error:
>
> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>
> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
>
> [2024/07/09 11:22:26.747013,? 3] 
> ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
> ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not 
> available or unsupported: No such file or directory
> [2024/07/09 11:22:26.747103,? 1] 
> ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
> ? gensec_generate_session_info_pac: Unable to find PAC in ticket from 
> username at EXAMPLE.ORG, failing to allow access
>
> This file server is joined to an Active Directory server and I'm able 
> to use Winbind to authenticate users without any problems.. NFS mounts 
> are working too.
>
> I've even removed the keytab, and machine credentials in AD and 
> rejoined... same problem.
>
> Here's the command I used:
>
> realm join --membership-software=samba --computer-ou=OU=Services 
> --client-software=winbind example.org
>
> Any ideas?
>
> Thank You!
>
Hi Luc,

The realm command is not a Samba command AFAIK. sssd problem?

Make sure you have winbind installed and configured and sssd 
uninstalled. Also check that nscd is not installed, or at least not active.

Read 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain

Best regards,

Peter

On Tue, 9 Jul 2024 11:31:04 -0400
Luc Lalonde via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> This problem has come back for me and I can't seem to get around it.
> 
> When I try to access a share, I get this error:
> 
> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
> 
> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
> 
> [2024/07/09 11:22:26.747013,? 3] 
> ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
>  ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not
> available or unsupported: No such file or directory
> [2024/07/09 11:22:26.747103,? 1] 
> ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>  ? gensec_generate_session_info_pac: Unable to find PAC in ticket
> from username at EXAMPLE.ORG, failing to allow access
> 
> This file server is joined to an Active Directory server and I'm able
> to use Winbind to authenticate users without any problems.. NFS
> mounts are working too.
> 
> I've even removed the keytab, and machine credentials in AD and 
> rejoined... same problem.
> 
> Here's the command I used:
> 
> realm join --membership-software=samba --computer-ou=OU=Services 
> --client-software=winbind example.org
> 
> Any ideas?
Yes, stop using a freeipa command to join AD, use this instead:

net ads join -U administrator

Also, have you setup the smb.conf, /etc/krb5.conf etc correctly ?

Rowland