[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Jelle de Jong jelledejong at powercraft.nl
Thu Dec 23 21:15:44 UTC 2021


On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
> Hello everybody,
> 
> I had to downgrade samba on all my centos 8 systems this morning after 
> an upgrade caused kerberos logins to stop working.
> 
> yum downgrade samba -y
> 
> It also downgraded the sssd packages, but only downgrading sssd did not work.
> 
> How do I debug this further, and has anyone encountered the same problem 
> and found a solution?
> 
> Testing with the below command showed me:
> 
> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
> 
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280
> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
> gensec_update_done: gse_krb5[0x5590f7bb38e0]: 
> NT_STATUS_MORE_PROCESSING_REQUIRED 
> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: 
> state[2] error[0 (0x0)]  state[struct gensec_gse_update_state 
> (0x5590f7baa430)] timer[(nil)] 
> finish[../../source3/librpc/crypto/gse.c:859]
> gensec_update_done: spnego[0x5590f7bad880]: 
> NT_STATUS_MORE_PROCESSING_REQUIRED 
> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] 
> error[0 (0x0)]  state[struct gensec_spnego_update_state 
> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
> SPNEGO login failed: The type of a token object is inappropriate for its 
> attempted use.
> session setup failed: NT_STATUS_BAD_TOKEN_TYPE

I went through Alex's thread, subject: [Samba] Authentication issue 
after updating samba on CentOS 7 (from yum)

I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the 
problem came back.

I then tried adding the following options:
local nt token from nss:DOMAIN = no
and
local nt token from nss:* = no
but they did not work.

This is my global config:

[global]
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	disable spoolss = Yes
	kerberos method = dedicated keytab
	load printers = No
	log file = /var/log/samba/%m.log
	printcap name = /dev/null
	realm = DOMAIN.LAN
	security = USER
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = DOMAIN
	local nt token from nss:domain = no
	idmap config * : backend = tdb
	map acl inherit = Yes
	printing = bsd
	vfs objects = acl_xattr

@Alex, did you contact Andreas Schneider, the RH maintainer?

It can also be an issue related to one of the below packages, as they 
also got downgraded with samba:

# yum downgrade samba -y
....
Downloading Packages:
(1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
(2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
(5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
(6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm
(11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
(12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm
(13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
(14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
(15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm
(16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm
(17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm
(18/46): libwbclient-4.14.5-2.el8.x86_64.rpm
(19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
(20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
(21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm
(22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm
(23/46): samba-4.14.5-2.el8.x86_64.rpm
(24/46): samba-client-4.14.5-2.el8.x86_64.rpm
(25/46): samba-common-4.14.5-2.el8.noarch.rpm
(26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm
(27/46): python3-samba-4.14.5-2.el8.x86_64.rpm
(28/46): samba-libs-4.14.5-2.el8.x86_64.rpm
(29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm
(30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm
(31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm
(32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm
(33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm
(34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm
(35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm
(36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm
(37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm
(38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm
(39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm
(40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm
(41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm
(42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm
(43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm
(44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm
(45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm
(46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm



