Luc Lalonde
2022-Jul-26 19:43 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Hello all,
I'm having issues configuring a new Samba server on a Debian-11
instance (Samba 4.13.13).
What's working:
* Winbind authentication
* NFSv4 exports using gss/krb5
And not working:
* Samba user homes exports
Here's the error when I try to access the share:
smbclient //fs1.example.com/wadmin -U -g EXAMPLE.COM
Password for [EXAMPLE\wadmin]:
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Here's my smb.conf:
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    netbios name = FS1
    security = ADS
    local master = no
    domain master = no
    preferred master = no
    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config GIGL:backend = ad
    idmap config GIGL:schema_mode = rfc2307
    idmap config GIGL:range = 1000-999999
    idmap config GIGL : read only = yes
    idmap config GIGL : unix_nss_info = yes
    idmap config GIGL : unix_primary_group = yes
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = yes
    client signing = mandatory
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    username map = /etc/samba/user.map
    log file = /var/log/samba/%m.log
    log level = 1 auth:5 winbind:5

[homes]
    comment = homes
    read only = No
    directory mask = 0700
    force directory mode = 0700
    create mask = 0600
    force create mode = 0600
    browseable = No
    valid users = %S
    follow symlinks = yes

[profiles]
    comment = Users Profile Directories
    path = /store/profiles
    store dos attributes = Yes
    browseable = no
    read only = no
    create mask = 0600
    directory mask = 0700
    csc policy = disable
    vfs objects = acl_xattr
Here's what I see in the logs:
[2022/07/26 14:40:17.574688,  2] ../../auth/kerberos/gssapi_pac.c:168(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed:  Miscellaneous failure (see text): Ticket have not authorization data
[2022/07/26 14:40:17.574753,  1] ../../auth/gensec/gensec_util.c:68(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC in ticket from wadmin at EXAMPLE.COM, failing to allow access
And here's what I have in my /etc/krb5.conf:
[logging]
    default = SYSLOG:INFO:DAEMON
    kdc = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.COM = {
        default_domain = EXAMPLE.COM
        master_kdc = DC1.EXAMPLE.COM
        kdc = DC1.EXAMPLE.COM
        kdc = DC2.EXAMPLE.COM
        admin_server = DC1.EXAMPLE.COM
    }

[domain_realm]
    EXAMPLE.COM = EXAMPLE.COM
    .dgi.polymtl.ca = EXAMPLE.COM
    dgi.polymtl.ca = EXAMPLE.COM
    .EXAMPLE.COM = EXAMPLE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 10h
        renew_lifetime = 7d
        forwardable = true
        krb4_convert = false
        validate = true
    }
And here's my /etc/nsswitch.conf:
passwd:     files winbind
shadow:     files
group:      files winbind
initgroups: files
hosts:      files dns
Best regards.
--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
Andrew Bartlett
2022-Jul-26 20:06 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On Tue, 2022-07-26 at 15:43 -0400, Luc Lalonde via samba wrote:
> Hello all,
>
> I'm having issues configuring a new Samba server on a Debian-11
> instance (Samba 4.13.13).
>
> What's working:
>
> * Winbind authentication
> * NFSv4 exports using gss/krb5
>
> And not working:
>
> * Samba user homes exports
>
> Here's the error when I try to access the share:
>
> smbclient //fs1.example.com/wadmin -U -g EXAMPLE.COM
> Password for [EXAMPLE\wadmin]:
> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>

This means you have configured the AD account that you have created manually for Samba to refuse to send Samba a Kerberos PAC. A normal domain join should work.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
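An added example, not from either poster: it ties the "Unable to find PAC in ticket" log line Luc posted to the AD-side cause Andrew names, by checking the Samba server account's userAccountControl for NO_AUTH_DATA_REQUIRED (0x02000000), the bit that makes the KDC issue service tickets without a PAC. The LDIF fragment and the FS1$ account value are constructed; in practice feed it the account's own ldapsearch/ldbsearch output.

```python
"""Tie Samba's 'Unable to find PAC in ticket' failure to the AD account's
userAccountControl (UAC) flags, entirely offline from captured text."""
import re

# Well-known UAC bits. NO_AUTH_DATA_REQUIRED (0x02000000) makes the KDC issue
# service tickets for the account without a PAC, which is the condition the
# gensec_generate_session_info_pac log message reports.
UAC_FLAGS = {
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}
NO_AUTH_DATA_REQUIRED = 0x02000000

# Log signature as printed by auth/gensec/gensec_util.c in the thread.
PAC_MISSING_RE = re.compile(r"Unable to find PAC in ticket from (\S+) at ([^\s,]+)")
# Attribute line as printed in ldapsearch/ldbsearch LDIF output.
UAC_LINE_RE = re.compile(r"^userAccountControl:\s*(\d+)\s*$", re.MULTILINE)

def pac_failures(log_text):
    """(principal, realm) for every PAC-missing session setup in the log."""
    return PAC_MISSING_RE.findall(log_text)

def decode_uac(value):
    """Names of the set UAC bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def uac_from_ldif(ldif_text):
    """Integer userAccountControl from an LDIF fragment; ValueError if absent."""
    m = UAC_LINE_RE.search(ldif_text)
    if m is None:
        raise ValueError("no userAccountControl attribute in LDIF")
    return int(m.group(1))

def diagnose(log_text, ldif_text):
    """cause_confirmed only when the log shows the failure AND the account carries the bit."""
    failures, uac = pac_failures(log_text), uac_from_ldif(ldif_text)
    return {"pac_missing": bool(failures), "clients": failures, "uac_flags": decode_uac(uac),
            "cause_confirmed": bool(failures) and bool(uac & NO_AUTH_DATA_REQUIRED)}

# Constructed sample input: the log line from the thread plus a hypothetical LDIF
# fragment for a hand-created FS1$ account (33558528 = 0x02001000).
SAMPLE_LOG = ("[2022/07/26 14:40:17.574753,  1] ../../auth/gensec/gensec_util.c:68"
              "(gensec_generate_session_info_pac)\n  gensec_generate_session_info_pac: "
              "Unable to find PAC in ticket from wadmin at EXAMPLE.COM, failing to allow access\n")
SAMPLE_LDIF = "dn: CN=FS1,CN=Computers,DC=example,DC=com\nuserAccountControl: 33558528\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_LDIF))
```

A cleanly joined member server shows WORKSTATION_TRUST_ACCOUNT alone (4096), and cause_confirmed comes back False, pointing the investigation elsewhere.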