Andrew Bartlett
2022-Jul-26 20:06 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On Tue, 2022-07-26 at 15:43 -0400, Luc Lalonde via samba wrote:> Hello all, > > I'm having issues configuring a new Samba server on a Debian-11 > instance (Samba 4.13.13). > > What's working: > > * Winbind authentification > * NFSv4 exports using gss/krb5 > > And not working: > > * Samba user homes exports > > Here's the error when I try to access the share: > > smbclient //fs1.example.com/wadmin -U -g EXAMPLE.COM > Password for [EXAMPLE\wadmin]: > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN >This means you have configured the AD account that you have created manually for Samba to refuse to send Samba a Kerberos PAC. A normal domain join should work. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Luc Lalonde
2022-Jul-26 20:45 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
Wow, that did the trick!?? I historically joined using 'msktutil' with the '--no-pac' option for some reason that I can't recall. I retried the same command omitting this option and everything is working great now. Why did this work in the past and it no longer works now? Thanks On 2022-07-26 16:06, Andrew Bartlett wrote:> On Tue, 2022-07-26 at 15:43 -0400, Luc Lalonde via samba wrote: >> Hello all, >> >> I'm having issues configuring a new Samba server on a Debian-11 >> instance (Samba 4.13.13). >> >> What's working: >> >> * Winbind authentification >> * NFSv4 exports using gss/krb5 >> >> And not working: >> >> * Samba user homes exports >> >> Here's the error when I try to access the share: >> >> smbclient //fs1.example.com/wadmin -U -g EXAMPLE.COM >> Password for [EXAMPLE\wadmin]: >> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN >> > This means you have configured the AD account that you have created > manually for Samba to refuse to send Samba a Kerberos PAC. > > A normal domain join should work. > > Andrew Bartlett >-- Luc Lalonde, analyste ----------------------------- D?partement de g?nie informatique: ?cole polytechnique de MTL (514) 340-4711 x5049 Luc.Lalonde at polymtl.ca ----------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20220726/99570c54/OpenPGP_signature.sig>