[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Ahti Seier ahti.seier at gmail.com
Mon Feb 14 16:42:16 UTC 2022


Hello,

  Well, that error will occur if security = user and the user tries to
authenticate with a Kerberos service ticket where a PAC is present. This
happens, for example, when FreeIPA is in a trust relationship with AD.
FreeIPA by default will copy the user's PAC into the service ticket. If this
is the case for you, there are a few possibilities:

1. In FreeIPA, find the cifs/yourhostname service and disable adding the PAC.
2. Join Samba to FreeIPA (in RHEL 8 there is an "ipa-client-samba" package
   which makes this easier):
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

Jelle de Jong via samba (<samba at lists.samba.org>) wrote on
Mon, 14 February 2022 at 18:24:

> Hello everybody,
>
> On 12/23/21 22:15, Jelle de Jong via samba wrote:
> > On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
> >> Hello everybody,
> >>
> >> I had to downgrade samba on all my centos 8 systems this morning after
> >> an upgrade caused kerberos logins to stop working.
> >>
> >> yum downgrade samba -y
> >>
> >> it also downgraded sssd packages but only downgrading sssd did not work.
> >>
> >> How do I debug this further, and has anyone encountered the same
> >> problem and found a solution?
> >>
> >> Testing with the below command showed me:
> >>
> >> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
> >>
> >> Starting GENSEC mechanism spnego
> >> Starting GENSEC submechanism gse_krb5
> >> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280
> >> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
> >> gensec_update_done: gse_krb5[0x5590f7bb38e0]:
> >> NT_STATUS_MORE_PROCESSING_REQUIRED
> >> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]:
> >> state[2] error[0 (0x0)]  state[struct gensec_gse_update_state
> >> (0x5590f7baa430)] timer[(nil)]
> >> finish[../../source3/librpc/crypto/gse.c:859]
> >> gensec_update_done: spnego[0x5590f7bad880]:
> >> NT_STATUS_MORE_PROCESSING_REQUIRED
> >> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2]
> >> error[0 (0x0)]  state[struct gensec_spnego_update_state
> >> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
> >> SPNEGO login failed: The type of a token object is inappropriate for
> >> its attempted use.
> >> session setup failed: NT_STATUS_BAD_TOKEN_TYPE
> >
> > I went through the thread of Alex subject: [Samba] Authentication issue
> > after updating samba on CentOS 7 (from yum)
> >
> > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the
> > problem came back.
> >
> > I then tried adding the following options:
> > local nt token from nss:DOMAIN = no
> > and
> > local nt token from nss:* = no
> > but they did not work.
> >
> > This is my global config:
> >
> > [global]
> >      dedicated keytab file = FILE:/etc/samba/samba.keytab
> >      disable spoolss = Yes
> >      kerberos method = dedicated keytab
> >      load printers = No
> >      log file = /var/log/samba/%m.log
> >      printcap name = /dev/null
> >      realm = DOMAIN.LAN
> >      security = USER
> >      winbind refresh tickets = Yes
> >      winbind use default domain = Yes
> >      workgroup = DOMAIN
> >      local nt token from nss:domain = no
> >      idmap config * : backend = tdb
> >      map acl inherit = Yes
> >      printing = bsd
> >      vfs objects = acl_xattr
> >
> > @Alex did you contact Andreas Schneider the RH maintainer?
> >
> > It can also be an issue related to one of the below packages as they
> > also got downgraded with samba
> >
> > # yum downgrade samba -y
> > ....
> > Downloading Packages:
> > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> > (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> > (5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> > (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm
> > (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
> > (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm
> > (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm
> > (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm
> > (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm
> > (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
> > (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm
> > (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm
> > (23/46): samba-4.14.5-2.el8.x86_64.rpm
> > (24/46): samba-client-4.14.5-2.el8.x86_64.rpm
> > (25/46): samba-common-4.14.5-2.el8.noarch.rpm
> > (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm
> > (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm
> > (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm
> > (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm
> > (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm
> > (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm
> > (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm
> > (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm
> > (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm
> > (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm
> > (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm
> > (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm
> > (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm
> > (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm
> > (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm
> > (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm
> > (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm
> > (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm
> > (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm
> > (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm
>
> I wanted to ask if anyone found a solution to kerberos auth breaking
> with samba on centos / centos stream 8.
>
> I had to upgrade many systems to stream 8 and had to downgrade samba
> several times to have a working setup.
>
> Downgraded:
>    ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
>    ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
>    ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
>    ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
>    ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
>    ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
>    libipa_hbac-2.5.2-2.el8_5.1.x86_64
>    libsmbclient-4.14.5-2.el8.x86_64
>    libsss_autofs-2.5.2-2.el8_5.1.x86_64
>    libsss_certmap-2.5.2-2.el8_5.1.x86_64
>    libsss_idmap-2.5.2-2.el8_5.1.x86_64
>    libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64
>    libsss_simpleifp-2.5.2-2.el8_5.1.x86_64
>    libsss_sudo-2.5.2-2.el8_5.1.x86_64
>    libwbclient-4.14.5-2.el8.x86_64
>    python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
>    python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
>    python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
>    python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64
>    python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64
>    python3-samba-4.14.5-2.el8.x86_64
>    python3-sss-2.5.2-2.el8_5.1.x86_64
>    python3-sssdconfig-2.5.2-2.el8_5.1.noarch
>    realmd-0.16.3-23.el8.x86_64
>    samba-4.14.5-2.el8.x86_64
>    samba-client-4.14.5-2.el8.x86_64
>    samba-client-libs-4.14.5-2.el8.x86_64
>    samba-common-4.14.5-2.el8.noarch
>    samba-common-libs-4.14.5-2.el8.x86_64
>    samba-common-tools-4.14.5-2.el8.x86_64
>    samba-libs-4.14.5-2.el8.x86_64
>    samba-winbind-4.14.5-2.el8.x86_64
>    samba-winbind-modules-4.14.5-2.el8.x86_64
>    sssd-2.5.2-2.el8_5.1.x86_64
>    sssd-ad-2.5.2-2.el8_5.1.x86_64
>    sssd-client-2.5.2-2.el8_5.1.x86_64
>    sssd-common-2.5.2-2.el8_5.1.x86_64
>    sssd-common-pac-2.5.2-2.el8_5.1.x86_64
>    sssd-dbus-2.5.2-2.el8_5.1.x86_64
>    sssd-ipa-2.5.2-2.el8_5.1.x86_64
>    sssd-krb5-2.5.2-2.el8_5.1.x86_64
>    sssd-krb5-common-2.5.2-2.el8_5.1.x86_64
>    sssd-ldap-2.5.2-2.el8_5.1.x86_64
>    sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64
>    sssd-proxy-2.5.2-2.el8_5.1.x86_64
>    sssd-tools-2.5.2-2.el8_5.1.x86_64
>    sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64
>
> Complete!
>
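
Added example, not part of the original messages: a shell triage that checks whether a server's smb.conf and a client's `smbclient -d 10` output match the case described in the reply (`security = user` plus `NT_STATUS_BAD_TOKEN_TYPE`) and prints the two options it lists. The function names and the `ipa service-mod ... --pac-type=NONE` spelling of option 1 are this example's assumptions, not taken from the thread; the sample input is constructed from the config and log quoted above.

```shell
#!/bin/sh
# Added triage example: does this failure match the PAC / security = user case?

# Effective [global] value of an smb.conf parameter (name is case/space-insensitive).
smbconf_global() {  # $1 = parameter name, $2 = smb.conf path
    awk -v want="$1" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = tolower(v)   # last assignment wins
        }
        END { print val }' "$2"
}

# Succeeds when both signs from the reply are present: an explicit
# security = user on the server and NT_STATUS_BAD_TOKEN_TYPE in the client log.
pac_token_mismatch() {  # $1 = smb.conf path, $2 = smbclient -d 10 output
    [ "$(smbconf_global security "$1")" = "user" ] &&
        grep -q 'NT_STATUS_BAD_TOKEN_TYPE' "$2"
}

# Print the two options from the reply for a given Samba server FQDN.
suggest_fix() {  # $1 = Samba server FQDN
    echo "option 1: ipa service-mod cifs/$1 --pac-type=NONE"
    echo "option 2: install ipa-client-samba and join Samba to the IdM domain"
}

# Constructed sample input, reduced from the config and log quoted in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf '[global]\n    realm = DOMAIN.LAN\n    security = USER\n' > "$d/smb.conf"
    printf 'session setup failed: NT_STATUS_BAD_TOKEN_TYPE\n' > "$d/client.log"
    if pac_token_mismatch "$d/smb.conf" "$d/client.log"; then
        suggest_fix samba01.organization.lan
    else
        echo "no match: the failure has a different cause"
    fi
    rm -rf "$d"
}
demo
```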

