[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Rowland Penny rpenny at samba.org
Mon Feb 14 16:51:58 UTC 2022

On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
> Hello,
>   Well, that error will occur if security = user and user tries to
> authenticate with a kerberos service ticket where a PAC is present.
> This
> happens for example when freeIPA is in a trust relationship with AD.
> FreeIPA by default will copy users PAC into service ticket. If this
> is the
> case for you there are a few possibilities: 1. in freeIPA find the
> cifs/yourhostname service and disable adding the PAC, 2: join samba
> to
> freeipa: in (RHEL 8 there is "ipa-client-samba" package which makes
> this
> easier):

I have never seen the point of freeipa as an intermediary between Samba
and AD, you might just as well use Samba with AD, without freeipa at
all. Am I missing something here ? What does freeipa give you in such a
setup ?


More information about the samba mailing list