[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Rowland Penny
rpenny at samba.org
Thu Dec 23 21:23:27 UTC 2021
On Thu, 2021-12-23 at 22:15 +0100, Jelle de Jong via samba wrote:
> On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
> > Hello everybody,
> >
> > I had to downgrade samba on all my centos 8 systems this morning after
> > an upgrade caused kerberos logins to stop working.
> >
> > yum downgrade samba -y
> >
> > it also downgraded sssd packages but only downgrading sssd did not
> > work.
> >
> > How do I debug this further and has anyone encountered the same
> > problem and found a solution?
> >
> > Testing with the below command showed me:
> >
> > LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
> >
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq:
> > 0x5590f7baa280
> > gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
> > gensec_update_done: gse_krb5[0x5590f7bb38e0]:
> > NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]:
> > state[2] error[0 (0x0)] state[struct gensec_gse_update_state
> > (0x5590f7baa430)] timer[(nil)]
> > finish[../../source3/librpc/crypto/gse.c:859]
> > gensec_update_done: spnego[0x5590f7bad880]:
> > NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]:
> > state[2]
> > error[0 (0x0)] state[struct gensec_spnego_update_state
> > (0x5590f7bb25c0)] timer[(nil)]
> > finish[../../auth/gensec/spnego.c:2116]
> > SPNEGO login failed: The type of a token object is inappropriate
> > for its
> > attempted use.
> > session setup failed: NT_STATUS_BAD_TOKEN_TYPE
>
> I went through the thread of Alex subject: [Samba] Authentication
> issue
> after updating samba on CentOS 7 (from yum)
>
> I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the
> problem came back.
>
> I then tried adding the following options:
> local nt token from nss:DOMAIN = no
> and
> local nt token from nss:* = no
> but they did not work.
>
> This is my global config:
>
> [global]
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> disable spoolss = Yes
> kerberos method = dedicated keytab
> load printers = No
> log file = /var/log/samba/%m.log
> printcap name = /dev/null
> realm = DOMAIN.LAN
> security = USER
I know that you are using sssd (and that is all I am going to say on
that), but 'security' should still be set to 'ADS' and winbind must be
running.
Rowland
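
Added example (not part of the original messages, and not Samba project code): a small Python check that parses the [global] section posted above and flags the mismatch the reply points out, a keytab-based Kerberos setup where 'security' is not ADS. The names parse_global and check_kerberos_member are hypothetical, the sample text is the poster's config as quoted in the thread, and whether winbind is running cannot be read from smb.conf, so it is not checked.

```python
# Sample input: the [global] section as quoted in the thread.
POSTED_CONF = """\
[global]
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    disable spoolss = Yes
    kerberos method = dedicated keytab
    load printers = No
    log file = /var/log/samba/%m.log
    printcap name = /dev/null
    realm = DOMAIN.LAN
    security = USER
"""

# 'kerberos method' values that make smbd verify tickets against a keytab.
KEYTAB_METHODS = {"dedicated keytab", "system keytab", "secrets and keytab"}


def parse_global(text):
    """Return the [global] parameters as {name without whitespace: value}."""
    params, section = {}, None
    # A trailing backslash continues a parameter on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            params["".join(name.lower().split())] = value.strip()
    return params


def check_kerberos_member(text):
    """Apply the reply's advice: a Kerberos/realm setup should use ADS."""
    p = parse_global(text)
    security = p.get("security", "AUTO").upper()
    method = " ".join(p.get("kerberosmethod", "").lower().split())
    findings = []
    if (method in KEYTAB_METHODS or "realm" in p) and security != "ADS":
        findings.append(
            f"security = {security}: the reply in this thread expects ADS "
            "(with winbind running) for a keytab/realm configuration"
        )
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_member(POSTED_CONF):
        print(finding)
```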