
KB-5798: Stale PAC (Privilege Attribute Certificate) and Samba when adding/removing a User from a Group

Centrify DirectControl, Centrify DirectControl Plugins

12 April 2016 at 11:46 AM

Applies to:
Centrify DirectControl and Centrify Samba on All OS platforms

 
Problem:
Unable to access Samba shares on a Linux machine from a Windows machine after upgrading from stock Samba to Centrify Samba.
 
The customer may see the following error in the log (after enabling Centrify debug logging):
 
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! auth/user_krb5.c:162(get_user_from_kerberos_info) Username <DCC\$ExtAppSvcs> is invalid on this system
 
Generally this means that Kerberos authentication was used and the service ticket was encrypted with a key derived from an older version of the computer account password than the one the server now holds. In other words, the client has a stale service ticket cached.
 

Cause:
When a user authenticates via Kerberos, the ticket that comes back carries that user's Privilege Attribute Certificate (PAC), which lists the user's group membership as of that moment. If an administrator then adds the user to a group or removes the user from one, the change does not show up until the next Kerberos authentication produces a ticket with a refreshed PAC. Samba uses this PAC to decide whether the user is in the valid users group.

When Samba tries to look up the valid users group <groupname>, the following error is displayed:
 
rpc_client/cli_pipe.c:491: RPC fault code WERR_RPC_S_SEC_PKG_ERROR received from host <FQDN>
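The two messages quoted above are the signatures to look for when triaging this problem. The script below is an added example, not Centrify or Samba code: it classifies Samba/Centrify debug-log lines into the two symptoms (unverifiable ticket with an invalid principal, and a failed valid users group lookup) and attaches the remediation from this article to each hit. The lines in SAMPLE_LOG are constructed: two are built from the messages quoted on this page, dc01.example.com is a hypothetical domain controller name, and the middle line is a harmless line included to show that unrelated output is ignored.

```python
"""Classify Samba / Centrify debug-log lines for the two stale-PAC symptoms
described above.  Added example, not Centrify or Samba code.  SAMPLE_LOG is
constructed: dc01.example.com is a hypothetical DC name and the middle line
is a harmless filler line that must not produce a finding."""
import re
from typing import Dict, List, Optional

# Symptom 1: Samba could not verify the incoming Kerberos ticket and the
# principal it carries does not map to a valid local user.  Per the article
# this means the client presented a stale service ticket / stale PAC.
TICKET_RE = re.compile(
    r"Failed to verify incoming ticket with error (?P<status>NT_STATUS_\w+)!"
    r".*?Username <(?P<user>[^>]+)> is invalid on this system"
)

# Symptom 2: the RPC call Samba uses to look up the 'valid users' group on
# the domain controller came back with a security-package fault.
RPC_RE = re.compile(
    r"RPC fault code (?P<code>WERR_\w+) received from host (?P<host>\S+)"
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a log line that matches either symptom, else None."""
    m = TICKET_RE.search(line)
    if m:
        return {
            "symptom": "stale_service_ticket",
            "status": m.group("status"),
            "principal": m.group("user"),
            "action": "client holds a ticket with an outdated PAC/key; "
                      "log the user out of the Windows workstation and back in",
        }
    m = RPC_RE.search(line)
    if m:
        return {
            "symptom": "valid_users_lookup_failed",
            "code": m.group("code"),
            "host": m.group("host"),
            "action": "group lookup against the DC failed; the membership "
                      "Samba evaluates is the one carried in the cached PAC",
        }
    return None


def scan(lines) -> List[Dict[str, str]]:
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]


def summary(findings) -> Dict[str, int]:
    """Count findings per symptom, useful when tailing a busy log."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["symptom"]] = counts.get(finding["symptom"], 0) + 1
    return counts


# Constructed sample log: first and last lines follow the messages quoted in
# the article; the middle line is filler that should not match anything.
SAMPLE_LOG = [
    r"Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! "
    r"auth/user_krb5.c:162(get_user_from_kerberos_info) "
    r"Username <DCC\$ExtAppSvcs> is invalid on this system",
    r"smbd/service.c:100 connect to service share1 initially as user nobody",
    r"rpc_client/cli_pipe.c:491: RPC fault code WERR_RPC_S_SEC_PKG_ERROR "
    r"received from host dc01.example.com",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summary(hits))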
 

Workaround:
See Resolution.


Resolution:
After a user is added to or removed from a group, it is essential that the user completely logs out of the workstation and logs back in. Only a fresh Kerberos logon issues a ticket whose PAC contains the new group memberships; until then Samba keeps evaluating the stale membership from the cached ticket and cannot validate the user against the valid users group.
