[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Rowland Penny rpenny at samba.org
Thu Dec 23 21:23:27 UTC 2021


On Thu, 2021-12-23 at 22:15 +0100, Jelle de Jong via samba wrote:
> On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
> > Hello everybody,
> > 
> > I had to downgrade samba on all my centos 8 systems this morning
> > after 
> > an upgrade caused kerberos logins to stop working.
> > 
> > yum downgrade samba -y
> > 
> > it also downgraded sssd packages but only downgrading sssd did not
> > work.
> > 
> > How do I debug this further and has anyone encountered the same
> > problem 
> > and found a solution?
> > 
> > Testing with the below command showed me:
> > 
> > LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
> > 
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq:
> > 0x5590f7baa280
> > gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
> > gensec_update_done: gse_krb5[0x5590f7bb38e0]: 
> > NT_STATUS_MORE_PROCESSING_REQUIRED 
> > tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: 
> > state[2] error[0 (0x0)]  state[struct gensec_gse_update_state 
> > (0x5590f7baa430)] timer[(nil)] 
> > finish[../../source3/librpc/crypto/gse.c:859]
> > gensec_update_done: spnego[0x5590f7bad880]: 
> > NT_STATUS_MORE_PROCESSING_REQUIRED 
> > tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]:
> > state[2] 
> > error[0 (0x0)]  state[struct gensec_spnego_update_state 
> > (0x5590f7bb25c0)] timer[(nil)]
> > finish[../../auth/gensec/spnego.c:2116]
> > SPNEGO login failed: The type of a token object is inappropriate
> > for its 
> > attempted use.
> > session setup failed: NT_STATUS_BAD_TOKEN_TYPE
> 
> I went through the thread of Alex subject: [Samba] Authentication
> issue 
> after updating samba on CentOS 7 (from yum)
> 
> I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the 
> problem came back.
> 
> I then tried adding the following options:
> local nt token from nss:DOMAIN = no
> and
> local nt token from nss:* = no
> but they did not work.
> 
> This is my global config:
> 
> [global]
> 	dedicated keytab file = FILE:/etc/samba/samba.keytab
> 	disable spoolss = Yes
> 	kerberos method = dedicated keytab
> 	load printers = No
> 	log file = /var/log/samba/%m.log
> 	printcap name = /dev/null
> 	realm = DOMAIN.LAN
> 	security = USER

I know that you are using sssd (and that is all I am going to say on
that), but 'security' should still be set to 'ADS' and winbind must be
running.

Rowland
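
A small check for the combination pointed out in the reply above (Kerberos keytab settings together with 'security = USER'), run over the [global] section quoted in the thread. This is an added example, not part of the original messages or of Samba; the function names are hypothetical, it reads only single-line parameters in [global], and it cannot tell whether winbind is running.

```python
import re

# Constructed sample: the [global] section quoted in the post above.
SAMPLE = """\
[global]
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	kerberos method = dedicated keytab
	realm = DOMAIN.LAN
	security = USER
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' separates
            params[norm(key)] = value.strip()
    return params

def check_security_mode(text):
    """Flag Kerberos-related settings combined with a non-ADS security mode."""
    p = parse_global(text)
    security = p.get("security", "(unset)")
    method = p.get("kerberosmethod", "default").lower()
    wants_kerberos = "realm" in p or method not in ("default", "secrets only")
    if wants_kerberos and security.lower() != "ads":
        return [f"security = {security}, expected ADS (winbind must also be running)"]
    return []

if __name__ == "__main__":
    for finding in check_security_mode(SAMPLE):
        print(finding)
```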




