[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Rowland Penny rpenny at samba.org
Mon Feb 14 17:52:53 UTC 2022

On Mon, 2022-02-14 at 19:38 +0200, Ahti Seier wrote:
> This will probably stir up the hornets' nest, but it is much easier to
> manage linux hosts using freeIPA than AD and samba.
> FreeIPA by default allows remote management of linux hosts service
> access rules,

That can probably be done with Samba.

>  sudo rules,

That definitely can be done with Samba, I use it :-)

>  certificates,

Not sure about certificates, but David Mulder is probably working on it.

>  ssh keys etc.

Why use ssh keys? What is wrong with Kerberos?

>  through a nice web UI, using an API or a command line interface.
> This all without changing any schema on AD

You have to extend the schema for sudo (if you store the sudo rules in
AD), whether you use sssd or Samba.
>  and messing with GPOs.

What is wrong with GPOs?

>  freeIPA is basically AD for linux

No, it isn't; it is a glorified LDAP and is nothing like AD.

>  (ldap + kerberos + CA + DNS) with linux specific ldap schemas. In
> this case freeIPA is not an intermediary between Samba and AD.
> freeIPA is a trusted member of the AD forest.

If you have AD <-> freeipa <-> Samba, then freeipa is an intermediate
between AD and Samba.

>  It can control access for AD users on linux hosts joined to it (and
> manage their sudo rules and ssh keys etc.).

Which Samba can already do or will shortly be able to do.

>  Samba in this case is just a file sharing service...

Which freeipa cannot do.

> Setting samba into standalone mode (security = user) and just using a
> keytab (from freeIPA kerberos) used to work, until November updates.
> This was nice and simple... and no winbind was needed. NSS through
> sss on the linux hosts was perfectly capable of looking up both
> freeIPA and AD users and groups. With November updates this was
> changed.

Yes, but there is no point to a standalone server in AD; it sort of
defeats the object.

> All AD users have a special data blob attached to their kerberos
> ticket, called a PAC (Privileged Access Certificate). It contains the
> SIDs of the user and the user's groups. When samba is a domain member,
> this information is used to look up the user and groups from the
> AD domain controller (winbind does this). freeIPA by default will add
> this PAC to the service ticket the user requests. So authentication
> (since November) will fail by default.
> As I said, this can be worked around, by either "joining" samba to the
> freeIPA domain (and running winbind) or disabling the default
> behaviour of copying the PAC to the service ticket.
> Since the November updates, if security is set to "user" (standalone
> mode) and the service principal has a PAC attached, authentication will
> fail.

I could go on, but I won't, it will get us nowhere.
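As an added illustration (not code from either poster or from the Samba project), the check below reads an smb.conf [global] section and reports whether it is the standalone-plus-keytab combination the thread describes as failing once the KDC attaches a PAC to the service ticket. The two config fragments are constructed samples and the helper names are my own; the smb.conf parameter names and values are real.

```python
import configparser

# Constructed smb.conf fragments illustrating the two set-ups discussed in
# the thread (sample input, not taken from anyone's real configuration).
STANDALONE_WITH_KEYTAB = """
[global]
    security = user
    realm = EXAMPLE.TEST
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
"""

DOMAIN_MEMBER = """
[global]
    security = ads
    realm = EXAMPLE.TEST
    workgroup = EXAMPLE
    kerberos method = secrets and keytab
"""


def parse_global(text):
    """Return the smb.conf [global] section as lower-cased keys and values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {k.lower(): v.strip().lower() for k, v in cp["global"].items()}


def assess_pac_handling(conf):
    """Classify the set-up with respect to PAC-bearing Kerberos service tickets.

    Returns (ok, reason). 'security = user' plus a keytab is the combination
    the thread reports as failing once the KDC adds a PAC; 'security = ads'
    (domain member running winbind) is the set-up in which Samba can look up
    the SIDs carried in the PAC.
    """
    security = conf.get("security", "user")
    method = conf.get("kerberos method", "default")
    # 'default' behaves like 'secrets only': no keytab, no Kerberos acceptor.
    uses_keytab = method not in ("default", "secrets only")
    if security == "ads":
        return True, "domain member: PAC SIDs are resolved through winbind"
    if security == "user" and uses_keytab:
        return False, ("standalone server accepting Kerberos via a keytab: a "
                       "service ticket carrying a PAC will be rejected; join "
                       "the domain (security = ads, run winbind) or stop the "
                       "KDC from copying the PAC into service tickets")
    if security == "user":
        return True, "standalone server without a Kerberos keytab: unaffected"
    return True, f"security = {security}: not a case covered here"
```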
