Applies to: Centrify DirectControl and Centrify Samba on All OS platforms
Problem: Unable to access samba shares on the Linux machine from Windows machine after upgrading from Stock Samba to Centrify Samba.
Customer may see the following error from the log (after enabling Centrify debug log):
“Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! auth/user_krb5.c:162(get_user_from_kerberos_info) Username <DCC\$ExtAppSvcs> is invalid on this system”
Generally it means that Kerberos authentication was used and the ticket was encrypted with the wrong version of the computer account password. The client has a stale service ticket cached.
Cause: When an Admin adds or removes a user from a group, the Admin authenticates via Kerberos, and the ticket that comes back carries the user's Privilege Attribute Certificate (PAC), which contains the user's group membership at that point in time. Therefore, if the Admin AD user adds or removes a user from a group, the change will not show up until the next Kerberos authentication returns a refreshed PAC. Samba uses this PAC to decide whether the user is in the valid users group.
When Samba tries to look up the valid users group <groupname>, the following error is displayed:
rpc_client/cli_pipe.c:491: RPC fault code WERR_RPC_S_SEC_PKG_ERROR received from host <FQDN>
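The two log signatures above are the quickest way to confirm this condition on the Samba host. The following POSIX shell script is an added example, not a Centrify tool or part of this article: it scans a Samba debug log for the stale-ticket message and the group-lookup RPC fault and returns a one-word verdict. The log lines, host name and user name it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Centrify's code): triage a Centrify Samba debug log for
# the two messages this article describes. The sample log below is constructed.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2024/01/01 10:00:00.000000,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
  Username EXAMPLE\$ExtAppSvcs is invalid on this system
[2024/01/01 10:00:01.000000,  1] rpc_client/cli_pipe.c:491
  RPC fault code WERR_RPC_S_SEC_PKG_ERROR received from host dc01.example.com
[2024/01/01 10:00:02.000000,  3] smbd/service.c:100(make_connection)
  user jdoe connected to service share1
EOF

# A second constructed log with only a normal connection line, for comparison.
CLEAN_LOG="$(mktemp)"
cat > "$CLEAN_LOG" <<'EOF'
[2024/01/01 10:05:00.000000,  3] smbd/service.c:100(make_connection)
  user jdoe connected to service share1
EOF

# Number of lines showing a Kerberos ticket rejected by the Samba host.
# "|| true" keeps grep's exit status 1 (no match) from tripping "set -e".
stale_ticket_count() {
    grep -c 'NT_STATUS_LOGON_FAILURE' "$1" || true
}

# Number of lines showing the valid-users group lookup failing over RPC.
pac_rpc_fault_count() {
    grep -c 'WERR_RPC_S_SEC_PKG_ERROR' "$1" || true
}

# Combine both counters into a single verdict for the log file given as $1.
triage_log() {
    stale=$(stale_ticket_count "$1")
    rpc=$(pac_rpc_fault_count "$1")
    if [ "$stale" -gt 0 ] && [ "$rpc" -gt 0 ]; then
        echo "stale-ticket-and-group-lookup-failure"
    elif [ "$stale" -gt 0 ]; then
        echo "stale-ticket"
    elif [ "$rpc" -gt 0 ]; then
        echo "group-lookup-failure"
    else
        echo "clean"
    fi
}

# Stand-alone run: report the verdict for both constructed logs.
echo "sample log: $(triage_log "$SAMPLE_LOG")"
echo "clean log:  $(triage_log "$CLEAN_LOG")"
```

A verdict of `stale-ticket` on its own points at the cached service ticket on the client, while `group-lookup-failure` with it matches the PAC-based valid users check described above; in both cases the fix is the re-logon in the Resolution, so the script only classifies and does not change anything on the host.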
Workaround: See Resolution.
Resolution: It is essential to completely log out of the workstation and log back in after adding or removing a user from a group, so that a new Kerberos token containing the updated group memberships is obtained. Doing this ensures the user is validated against the refreshed token.