failed to map kerberos pac

Participant II
Posts: 3
Registered: 2 weeks ago
#1 of 4 223

failed to map kerberos pac

Tech specs:  Running CentOS 7.6, kernel 3.10.0-957.1.3.el7.x86_64

centrifyDC-5.5.2-578
centrifyDC-openldap-5.5.2-578
centrifyDC-openssl-5.5.2-578
centrifyDC-adbindproxy-5.5.0-201
centrifyDC-curl-5.5.2-578

Stock samba:

samba-4.8.3-4
samba-libs-4.8.3-4
samba-winbind-4.8.3-4
samba-client-libs-4.8.3-4
samba-winbind-modules-4.8.3-4
samba-common-libs-4.8.3-4
samba-common-4.8.3-4
samba-client-4.8.3-4
samba-common-tools-4.8.3-4

 

This Linux server is joined to an internal domain and I have a few shares hosted on it that Windows10 users (who are logged in having authenticated to the domain already) use to share data and files.

 

The problem is that seemingly randomly, the users will no longer be able to access the share because it appears the Linux server can no longer authenticate them.  I'm seeing these errors in the log.smbd file on the Linux server when this is happening:

../source3/auth/token_util.c:1106(create_token_from_username)

   lookup_name_smbconf for <domain>\<username> failed

../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)

   Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)

 

On their end, the Win10 users attempting to access the shares get pop-up windows from Windows Security asking them to enter their network credentials (which it shouldn't do, but even if they do, it won't accept them).

 

I assume what's happening here is that for whatever reason, my Linux server is getting hung up or losing connection to the various Domain Controllers in the domain and stops being able to authenticate folks, but I have no idea why?  A quick restart of the centrifydc-samba service resolves the issue for a while, but even then it seems that the log.smbd just constantly floods with "INTERNAL ERROR: Signal 6 in pid..." type panic messages.  This all seems worse after I did an upgrade the other week of Samba/Centrify.  I'm wondering if I should have left and rejoined the domain?

Any help would be greatly appreciated!

 

Centrify Guru I
Posts: 2,433
Registered: ‎07-26-2012
#2 of 4 218

Re: failed to map kerberos pac

@sudz28,

 

Welcome to the forums.

May we ask why you also do a Samba join?  By joining with CentrifyDC, there's no need to maintain this.  What's your original requirement to use this integration?

 

Have you changed anything (or upgraded any component)? If so, did you run the adbindproxy.pl configuration script again?

 

Please review:  https://community.centrify.com/t5/Centrify-Express/Centrify-Express-and-Samba-4-integration/td-p/241...

 

And report back.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 3
Registered: 2 weeks ago
#3 of 4 216

Re: failed to map kerberos pac

Thank you for your reply!  I probably should have said, I was 'handed' this setup from the guy who set it all up and who has since departed.   I've functioned as both a Linux SA and a Windows SA in various past jobs, but this is my first exposure to a setup designed to allow access to files from both OS's so it's all pretty new and confusing to me. 

 

My understanding is that Centrify DC is installed in order to allow Windows users who log in on the domain to access the share which is hosted on a Linux box.  The Samba piece is to map/deconflict permission and ownership stuff between the two OS's - is that correct?

 

I did indeed recently upgrade both Centrify and Samba, as well as a kernel update, but this has been problematic since before then (the upgrades were in the hopes things would get better).  Yes, we ran adbindproxy.pl afterwards.  It showed that we were joined to the correct domain, and the correct Zone.  One thing I don't understand is that when it asked us to input Samba's Path, we used /usr even though Samba isn't installed there.

Participant II
Posts: 3
Registered: 2 weeks ago
#4 of 4 206

Re: failed to map kerberos pac

Quick additional info; as I was troubleshooting, I noticed a bunch of those "NT_STATUS_NO_SUCH_USER" messages. I myself was able to access the share, others were not. I checked the status of centrifydc-samba and saw "unknown interface", "api_rpcTNP: lsarpc: LSA_LOOKUP failed", "Error - Connectionless packet type 1 received". I have no idea what any of those things mean. They cleared up after a restart of the service.
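
A triage sketch for the log.smbd symptoms described in this thread, added here as an example and not code from any poster, Centrify or Samba: it groups the lookup_name_smbconf failures by account and minute and counts the PAC-mapping failures and Signal 6 panics, which shows whether all accounts fail in the same window or only particular ones. The log header layout, account names, timestamps and pid in the sample are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: assumed header layout, invented accounts, times and pid.
SAMPLE_LOG = r"""
[2019/01/15 09:14:02.101010,  1] ../source3/auth/token_util.c:1106(create_token_from_username)
  lookup_name_smbconf for EXAMPLE\alice failed
[2019/01/15 09:14:02.101500,  1] ../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
[2019/01/15 09:14:40.000100,  1] ../source3/auth/token_util.c:1106(create_token_from_username)
  lookup_name_smbconf for EXAMPLE\bob failed
[2019/01/15 09:14:40.000300,  1] ../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
[2019/01/15 09:31:07.500000,  0] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 6 in pid 4242 (4.8.3)
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}[^\]]*\]\s+\S+\((\w+)\)")
LOOKUP = re.compile(r"lookup_name_smbconf for (\S+) failed")

def records(text):
    """Yield (minute, function, message) for each header line plus its body."""
    minute, func, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if func:
                yield minute, func, " ".join(body)
            minute, func, body = m.group(1), m.group(2), []
        elif func and line.strip():
            body.append(line.strip())
    if func:
        yield minute, func, " ".join(body)

def summarize(text):
    """Group failed account lookups by minute; count PAC failures and panics."""
    users, pac, panics = defaultdict(set), Counter(), 0
    for minute, _func, msg in records(text):
        m = LOOKUP.search(msg)
        if m:
            users[minute].add(m.group(1))
        elif "Failed to map kerberos pac" in msg:
            pac[minute] += 1
        elif "INTERNAL ERROR: Signal" in msg:
            panics += 1
    return {"users_by_minute": {k: sorted(v) for k, v in users.items()},
            "pac_failures": dict(pac), "panics": panics}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To use it on a real server, pass the contents of log.smbd to `summarize()` in place of `SAMPLE_LOG`.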