[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Jelle de Jong
jelledejong at powercraft.nl
Thu Dec 23 21:15:44 UTC 2021
On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
> Hello everybody,
>
> I had to downgrade samba on all my centos 8 systems this morning after
> an upgrade made caused kerberos logins to stop working.
>
> yum downgrade samba -y
>
> it also downgraded sssd packages but only downgrading sssd did not work.
>
> How do I debug this further and does anyone encountered the same problem
> and found a solution?
>
> Testing with the bellow command showed me:
>
> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
>
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280
> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
> gensec_update_done: gse_krb5[0x5590f7bb38e0]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]:
> state[2] error[0 (0x0)] state[struct gensec_gse_update_state
> (0x5590f7baa430)] timer[(nil)]
> finish[../../source3/librpc/crypto/gse.c:859]
> gensec_update_done: spnego[0x5590f7bad880]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2]
> error[0 (0x0)] state[struct gensec_spnego_update_state
> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
> SPNEGO login failed: The type of a token object is inappropriate for its
> attempted use.
> session setup failed: NT_STATUS_BAD_TOKEN_TYPE
I went through the thread of Alex subject: [Samba] Authentication issue
after updating samba on CentOS 7 (from yum)
I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the
problem came back.
I then tried the adding the following options:
local nt token from nss:DOMAIN = no
and
local nt token from nss:* = no
but they did not work.
This is my global config:
[global]
dedicated keytab file = FILE:/etc/samba/samba.keytab
disable spoolss = Yes
kerberos method = dedicated keytab
load printers = No
log file = /var/log/samba/%m.log
printcap name = /dev/null
realm = DOMAIN.LAN
security = USER
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = DOMAIN
local nt token from nss:domain = no
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
@Alex did you contact Andreas Schneider the RH maintainer?
It can also be n issue related in one of the bellow packages as they
also got downgraded with samba
# yum downgrade samba -y
....
Downloading Packages:
(1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
(2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
(5/46):
ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
(6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
(10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm
(11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
(12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm
(13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
(14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
(15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm
(16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm
(17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm
(18/46): libwbclient-4.14.5-2.el8.x86_64.rpm
(19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
(20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
(21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm
(22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm
(23/46): samba-4.14.5-2.el8.x86_64.rpm
(24/46): samba-client-4.14.5-2.el8.x86_64.rpm
(25/46): samba-common-4.14.5-2.el8.noarch.rpm
(26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm
(27/46): python3-samba-4.14.5-2.el8.x86_64.rpm
(28/46): samba-libs-4.14.5-2.el8.x86_64.rpm
(29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm
(30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm
(31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm
(32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm
(33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm
(34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm
(35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm
(36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm
(37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm
(38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm
(39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm
(40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm
(41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm
(42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm
(43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm
(44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm
(45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm
(46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm
More information about the samba
mailing list