Alexander,
If I deploy a second IPA server running RHEL/CentOS 8, the file server with EL8, and continue to run my initial IPA server on EL7, I should be good, correct?  Or does the IPA domain need to be created on an EL8 system to start?

Additionally, if I followed any of the instructions from my previous link, is there anything I need to undo prior to following the RHEL 8 instructions?  Thanks!

Regards,
Mike

On Fri, Mar 20, 2020 at 3:36 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Fri, 20 Mar 2020, Michael Deffenbaugh via FreeIPA-users wrote:
>Hey all,
>   I'm having issues setting up a Samba file server using IPA as
>an authentication source on my network.  I followed the guide based off of
>the mailing list chatter
><https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA>.
>No success.

The procedure described there is not really supported. The supported
configuration is available starting with RHEL 8.1/Fedora 31 and is
described in RHEL 8 documentation already.

However, your problem is different (below).

>
>When I try to authenticate using Kerberos (or password), I get an access
>denied error on the client when running "smbclient -k -L
>fs01.svr.ipa.domain":
>session setup failed: NT_STATUS_ACCESS_DENIED
>
>And it tries to revert to local user lookup on the server:
>[2020/03/20 02:47:32.669898,  3]
>../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
>  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
>failed: The operation or option is not available or unsupported: No such
>file or directory
>[2020/03/20 02:47:32.670131,  3]
>../auth/gensec/gensec_util.c:55(gensec_generate_session_info_pac)
>  gensec_generate_session_info_pac: Unable to find PAC for mddeff@<IPA.DOMAIN>,
>resorting to local user lookup

Each user trying to access Samba should have a SID associated with it. For
IPA users you can generate SIDs for those users that lack one by
re-running 'ipa-adtrust-install --add-sids' on the IPA master that already
serves as Trust Controller. You have to have at least one Trust Controller
among your IPA masters in order to have Samba integration.

After you have done so, make sure to 'kinit' again to obtain a new TGT that
would include a PAC.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
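
The following is an added example, not part of the original thread and not code from Samba or FreeIPA: a small Python parser that scans a Samba level-3 log for the "Unable to find PAC" fallback quoted above and counts affected principals, so you can see which users still need a SID and a fresh TGT. The sample log, the principals and the `EXAMPLE.TEST` realm are constructed; the entry layout (bracketed timestamp header followed by message lines) is assumed from the excerpt in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt quoted in the thread;
# the principals and realm are placeholders, not real accounts.
SAMPLE_LOG = """\
[2020/03/20 02:47:32.669898,  3] ../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
  gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
[2020/03/20 02:47:32.670131,  3] ../auth/gensec/gensec_util.c:55(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for alice@EXAMPLE.TEST, resorting to local user lookup
[2020/03/20 02:51:10.000001,  3] ../auth/gensec/gensec_util.c:55(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for alice@EXAMPLE.TEST, resorting to local user lookup
[2020/03/20 02:52:44.120000,  3] ../auth/gensec/gensec_util.c:55(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for bob@EXAMPLE.TEST, resorting to local user lookup
"""

# Entry header: "[YYYY/MM/DD HH:MM:SS.usec,  level]", optionally followed by the source location.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]")
NO_PAC = re.compile(r"Unable to find PAC for (?P<principal>\S+?),\s+resorting to local user lookup")

def iter_entries(text):
    """Yield (timestamp, message); lines up to the next header are joined,
    so entries that were hard-wrapped (as in a pasted e-mail) still match."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts, body = m["ts"], [line[m.end():].strip()]
        elif ts is not None and line.strip():
            body.append(line.strip())
    if ts is not None:
        yield ts, " ".join(body)

def principals_without_pac(text):
    """Count session setups per principal where Samba found no PAC in the ticket."""
    hits = Counter()
    for _ts, msg in iter_entries(text):
        m = NO_PAC.search(msg)
        if m:
            hits[m["principal"]] += 1
    return hits

if __name__ == "__main__":
    for principal, n in principals_without_pac(SAMPLE_LOG).most_common():
        print(f"{principal}: {n} session(s) without PAC; check the user's SID, then kinit again")
```
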