Rowland Penny
2024-Jul-09 17:29 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On Tue, 9 Jul 2024 11:31:04 -0400 Luc Lalonde via samba <samba at lists.samba.org> wrote:
> Hello,
>
> This problem has come back for me and I can't seem to get around it.
>
> When I try to access a share, I get this error:
>
> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>
> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
>
> [2024/07/09 11:22:26.747013,  3]
> ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
>   gssapi_obtain_pac_blob: obtaining PAC via GSSAPI
> gss_get_name_attribute failed: The operation or option is not
> available or unsupported: No such file or directory
> [2024/07/09 11:22:26.747103,  1]
> ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>   gensec_generate_session_info_pac: Unable to find PAC in ticket
> from username@EXAMPLE.ORG, failing to allow access
>
> This file server is joined to an Active Directory server and I'm able
> to use Winbind to authenticate users without any problems. NFS
> mounts are working too.
>
> I've even removed the keytab, and machine credentials in AD and
> rejoined... same problem.
>
> Here's the command I used:
>
> realm join --membership-software=samba --computer-ou=OU=Services
> --client-software=winbind example.org
>
> Any ideas?

Yes, stop using a freeipa command to join AD, use this instead:

net ads join -U administrator

Also, have you set up the smb.conf, /etc/krb5.conf etc. correctly?

Rowland
Rowland Penny
2024-Jul-09 18:15 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On Tue, 9 Jul 2024 18:29:15 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 9 Jul 2024 11:31:04 -0400
> Luc Lalonde via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > This problem has come back for me and I can't seem to get around it.
> >
> > When I try to access a share, I get this error:
> >
> > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
> >
> > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
> >
> > [2024/07/09 11:22:26.747013,  3]
> > ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
> >   gssapi_obtain_pac_blob: obtaining PAC via GSSAPI
> > gss_get_name_attribute failed: The operation or option is not
> > available or unsupported: No such file or directory
> > [2024/07/09 11:22:26.747103,  1]
> > ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
> >   gensec_generate_session_info_pac: Unable to find PAC in ticket
> > from username@EXAMPLE.ORG, failing to allow access
> >
> > This file server is joined to an Active Directory server and I'm
> > able to use Winbind to authenticate users without any problems. NFS
> > mounts are working too.
> >
> > I've even removed the keytab, and machine credentials in AD and
> > rejoined... same problem.
> >
> > Here's the command I used:
> >
> > realm join --membership-software=samba --computer-ou=OU=Services
> > --client-software=winbind example.org
> >
> > Any ideas?
>
> Yes, stop using a freeipa command to join AD, use this instead:
>
> net ads join -U administrator
>
> Also, have you set up the smb.conf, /etc/krb5.conf etc. correctly?
>
> Rowland
>

Adding to the above, are you running winbind? Also, have you turned off sssd?

Rowland
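Rowland's two questions (is winbind running, is sssd turned off) and his earlier advice to let Samba's own `net ads join` create the keytab can be turned into a short pre-flight script. What follows is an added example for this thread, not Samba project code. It assumes MIT `klist -kt` output and systemd units named `winbind` and `sssd`; the host name, realm, NetBIOS name and the keytab listing it checks are constructed for the demonstration.

```shell
#!/bin/sh
# member_preflight.sh: offline checks for what the thread asks about: is the
# keytab the one Samba's "net ads join" wrote, and is winbind (not sssd) the
# service handling the domain. Added example for this thread, not Samba
# project code. Assumes MIT "klist -kt" output and systemd unit names
# winbind / sssd; host names, realm and sample keytab below are constructed.

# keytab_findings FQDN REALM [NETBIOS] < output of "klist -kt /etc/krb5.keytab"
# Prints one finding per line on stdout; returns 0 when nothing is wrong.
keytab_findings() {
    fqdn=$1; realm=$2
    netbios=${3:-$(printf '%s' "$fqdn" | cut -d. -f1 | tr 'a-z' 'A-Z')}
    n=0
    # MIT klist -kt: the principal is the last field of each entry line.
    princs=$(awk '$NF ~ /@/ { print $NF }' | sort -u)
    # net ads join writes host/FQDN and the machine account NETBIOS$.
    for want in "host/$fqdn@$realm" "$netbios\$@$realm"; do
        if ! printf '%s\n' "$princs" | grep -qxF -- "$want"; then
            echo "keytab lacks $want (recreate it: net ads join -U administrator)"
            n=$((n + 1))
        fi
    done
    # Entries for another realm are leftovers from an earlier join.
    for p in $(printf '%s\n' "$princs" | grep -vF -- "@$realm" || true); do
        echo "keytab has a principal from another realm: $p"
        n=$((n + 1))
    done
    # cifs/ is optional: AD's default SPN mapping resolves cifs/ onto host/.
    printf '%s\n' "$princs" | grep -qxF -- "cifs/$fqdn@$realm" ||
        echo "note: no cifs/$fqdn@$realm entry; host/ covers it via AD's SPN mapping" >&2
    [ "$n" -eq 0 ]
}

# service_findings WINBIND_STATE SSSD_STATE, states as printed by "systemctl is-active".
service_findings() {
    n=0
    if [ "$1" != active ]; then
        echo "winbind is $1; a Samba domain member needs winbindd running"; n=$((n + 1))
    fi
    if [ "$2" = active ]; then
        echo "sssd is active; run winbind or sssd for the domain, not both"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed "klist -kt" output: a host joined twice, with an entry from the
# earlier realm left behind.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/09/2024 11:20:01 FILESERVERNAME$@EXAMPLE.ORG
   3 07/09/2024 11:20:01 host/fileserver.example.org@EXAMPLE.ORG
   3 07/09/2024 11:20:01 host/FILESERVERNAME@EXAMPLE.ORG
   1 01/15/2021 09:00:00 host/fileserver.example.org@OLD.EXAMPLE.ORG'

echo "== keytab =="
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_findings fileserver.example.org EXAMPLE.ORG FILESERVERNAME || true
echo "== services =="
service_findings active active || true

# On the member itself: ./member_preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    fqdn=$(hostname -f)
    realm=$(testparm -s 2>/dev/null | awk '/^[ \t]*realm = / { print $3 }')
    netbios=$(testparm -s 2>/dev/null | awk '/^[ \t]*netbios name = / { print $4 }')
    klist -kt /etc/krb5.keytab | keytab_findings "$fqdn" "$realm" "$netbios"
    service_findings "$(systemctl is-active winbind)" "$(systemctl is-active sssd)"
    net ads testjoin && wbinfo -t
fi
```

Run as-is it reports on the constructed sample; with `--live` on the member it reads the real keytab, takes the realm and NetBIOS name from `testparm -s`, checks the unit states and finishes with `net ads testjoin` and `wbinfo -t`. Keep in mind that the log line quoted above says the ticket was decrypted but no PAC was found in it, so a correct keytab is necessary rather than sufficient; the script only narrows the setup to what the thread asks for.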
Luc Lalonde
2024-Jul-09 18:21 UTC
[Samba] session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
I get the same error using 'net ads join'
Here are my sanitized config files:
############## begin /etc/krb5.conf ####################
includedir /etc/krb5.conf.d/

[logging]
 default = SYSLOG:INFO:DAEMON
 kdc = SYSLOG:INFO:DAEMON
 admin_server = SYSLOG:INFO:DAEMON

[libdefaults]
 default_realm = EXAMPLE.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 10h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 udp_preference_limit = 0

[realms]
 EXAMPLE.ORG = {
   default_domain = EXAMPLE.ORG
   master_kdc = DC1.EXAMPLE.ORG
   kdc = DC1.EXAMPLE.ORG
   kdc = DC2.EXAMPLE.ORG
   admin_server = DC1.EXAMPLE.ORG
 }

[domain_realm]
 EXAMPLE.ORG = EXAMPLE.ORG
 .ALT.ORG = EXAMPLE.ORG
 ALT.ORG = EXAMPLE.ORG
 .EXAMPLE.ORG = EXAMPLE.ORG

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 10h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
   validate = true
 }

[plugins]
 localauth = {
   module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
   enable_only = winbind
 }
############## end /etc/krb5.conf #####################
############## begin /etc/samba/smb.conf #####################
[global]
        server string = Fileserver
        workgroup = EXAMPLE
        realm = EXAMPLE.ORG
        netbios name = FILESERVERNAME
        security = ADS
        local master = no
        domain master = no
        preferred master = no
        idmap config * : backend = tdb
        idmap config * : range = 200-999
        idmap config EXAMPLE : backend = ad
        idmap config EXAMPLE : schema_mode = rfc2307
        idmap config EXAMPLE : range = 1000-999999
        idmap config EXAMPLE : unix_nss_info = yes
        idmap config EXAMPLE : unix_primary_group = yes
        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = Yes
        client signing = mandatory
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        username map = /etc/samba/user.map
        log file = /var/log/samba/%m.log
        smb ports = 445 139
        acl allow execute always = True
        printing = cups
        cups server = cups.example.org
        load printers = no
        map to guest = Bad User
        vfs objects = acl_xattr
        map acl inherit = yes

[homes]
        comment = homes
        read only = No
        directory mask = 0700
        force directory mode = 0700
        create mask = 0600
        force create mode = 0600
        browseable = No
        valid users = %S

[software$]
        comment = Software share
        path = /store1/shares/software
        write list = @admingroup
        force user = root
        force group = admingroup
        valid users = root, @admingroup
        read only = No
        create mask = 0660
        directory mask = 0770
############## end /etc/samba/smb.conf #####################
On 7/9/24 1:29 PM, Rowland Penny via samba wrote:
> On Tue, 9 Jul 2024 11:31:04 -0400
> Luc Lalonde via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> This problem has come back for me and I can't seem to get around it.
>>
>> When I try to access a share, I get this error:
>>
>> session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
>>
>> Here's what I have in the logs (samba-4.20.1-1.el9.x86_64):
>>
>> [2024/07/09 11:22:26.747013,  3]
>> ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob)
>>   gssapi_obtain_pac_blob: obtaining PAC via GSSAPI
>> gss_get_name_attribute failed: The operation or option is not
>> available or unsupported: No such file or directory
>> [2024/07/09 11:22:26.747103,  1]
>> ../../auth/gensec/gensec_util.c:70(gensec_generate_session_info_pac)
>>   gensec_generate_session_info_pac: Unable to find PAC in ticket
>> from username@EXAMPLE.ORG, failing to allow access
>>
>> This file server is joined to an Active Directory server and I'm able
>> to use Winbind to authenticate users without any problems. NFS
>> mounts are working too.
>>
>> I've even removed the keytab, and machine credentials in AD and
>> rejoined... same problem.
>>
>> Here's the command I used:
>>
>> realm join --membership-software=samba --computer-ou=OU=Services
>> --client-software=winbind example.org
>>
>> Any ideas?
> Yes, stop using a freeipa command to join AD, use this instead:
>
> net ads join -U administrator
>
> Also, have you set up the smb.conf, /etc/krb5.conf etc. correctly?
>
> Rowland
>
>
--
Luc Lalonde, analyst
-----------------------------
Département de génie informatique et génie logiciel:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
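Two things in the krb5.conf above deserve a check before going further: it sets allow_weak_crypto = true and lists rc4-hmac and single-DES enctypes, and because dns_lookup_kdc = false the [realms] stanza is the only place KDCs come from, so its name has to match default_realm exactly or nothing can be located. The lint below is an added example, not part of the thread and not Samba or MIT krb5 code; it runs those checks over two constructed files, a weak one and its corrected form (realm, KDC names and contents are made up), and can be pointed at the real /etc/krb5.conf.

```shell
#!/bin/sh
# krb5conf_lint.sh: three sanity checks on a domain member's /etc/krb5.conf.
# Added example for this thread; not Samba or MIT krb5 project code.
#   1. the realm in default_realm has a stanza of its own under [realms]
#      (with dns_lookup_kdc = false that stanza is the only source of KDCs);
#   2. no weak or deprecated enctypes in the enctype lists;
#   3. allow_weak_crypto is not turned on.

# kv FILE KEY: value of the first "KEY = value" relation, any spacing around "=".
kv() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
                print rest; exit
            }
        }' "$1"
}

# realm_stanzas FILE: names of the "NAME = {" blocks inside [realms].
realm_stanzas() {
    awk '
        /^[ \t]*\[/ { inrealms = ($0 ~ /^[ \t]*\[realms\]/); next }
        inrealms && /^[ \t]*[^ \t=]+[ \t]*=[ \t]*[{]/ {
            name = $0; sub(/^[ \t]+/, "", name); sub(/[ \t]*=.*/, "", name)
            print name
        }' "$1"
}

# krb5_lint FILE: one finding per line on stdout; returns 0 when clean.
krb5_lint() {
    f=$1; n=0
    realm=$(kv "$f" default_realm)
    if [ -n "$realm" ] && ! realm_stanzas "$f" | grep -qxF -- "$realm"; then
        echo "default_realm $realm has no [realms] stanza (stanzas: $(realm_stanzas "$f" | tr '\n' ' '))"
        n=$((n + 1))
    fi
    case $(kv "$f" allow_weak_crypto | tr 'A-Z' 'a-z') in
        true|yes|on|1) echo "allow_weak_crypto is enabled"; n=$((n + 1)) ;;
    esac
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        for et in $(kv "$f" "$key"); do
            case $et in
                des-*|des3-*|rc4-hmac*|arcfour-hmac*)
                    echo "$key lists weak or deprecated enctype $et"; n=$((n + 1)) ;;
            esac
        done
    done
    [ "$n" -eq 0 ]
}

WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
# Constructed sample, not the poster's file: realm typo in [realms], weak crypto on.
cat >"$WEAK" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.ORG
 dns_lookup_kdc = false
 allow_weak_crypto = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 EXAMPLE.OEG = {
   kdc = dc1.example.org
 }
EOF
# The same file corrected: matching realm name, AES only, weak crypto off.
cat >"$FIXED" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.ORG
 dns_lookup_kdc = false
 allow_weak_crypto = false
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 EXAMPLE.ORG = {
   kdc = dc1.example.org
   kdc = dc2.example.org
 }
EOF

echo "== weak sample =="; krb5_lint "$WEAK" || true
echo "== corrected sample =="; krb5_lint "$FIXED" && echo "no findings"
# Lint the live file: ./krb5conf_lint.sh --live
if [ "${1:-}" = "--live" ]; then krb5_lint /etc/krb5.conf; fi
```

On the weak sample the lint reports the realm name mismatch, allow_weak_crypto, and each weak enctype separately; the corrected sample passes. The realm check is deliberately exact-match: a one-letter typo in the stanza name is indistinguishable from "no stanza at all" to the library when DNS lookup of KDCs is disabled.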