[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Rowland Penny
rpenny at samba.org
Mon Feb 14 17:52:53 UTC 2022
On Mon, 2022-02-14 at 19:38 +0200, Ahti Seier wrote:
> This will probably stir up the hornets' nest but it is much easier to
> manage linux hosts using freeIPA than AD and samba.
>
> FreeIPA by default allows remote management of linux hosts service
> access rules,
That can probably be done with Samba
> sudo rules,
That definitely can be done with Samba, I use it :-)
> certificates,
Not sure about certificates, but David Mulder is probably working on it
> ssh keys etc.
Why use ssh keys? What is wrong with Kerberos?
> through a nice web UI, using an API or a command line interface.
> This all without changing any schema on AD
You have to extend the schema for sudo (if you store the sudo rules in
AD), whether you use sssd or Samba.
> and messing with GPOs.
What is wrong with GPOs?
> freeIPA is basically AD for linux
No it isn't, it is a glorified LDAP and is nothing like AD.
> (ldap + kerberos + CA + DNS) with linux specific ldap schemas. In
> this case freeIPA is not an intermediary between Samba and AD.
> freeIPA is a trusted member of the AD forest.
If you have AD <-> freeipa <-> Samba, then freeipa is an intermediate
between AD and Samba.
> It can control access for AD users on linux hosts joined to it (and
> manage their sudo rules and ssh keys etc.).
Which Samba can already do or will shortly be able to do.
> Samba in this case is just a file sharing service...
Which freeipa cannot do.
>
> Setting samba into standalone mode (security = user) and just using a
> keytab (from freeIPA kerberos) used to work, until November updates.
> This was nice and simple... and no winbind was needed. NSS through
> sss on the linux hosts was perfectly capable of looking up both
> freeIPA and AD users and groups. With November updates this was
> changed.
Yes, but there is no point to a standalone server in AD; it sort of
defeats the object.
>
> All AD users have a special data blob attached to their kerberos
> ticket, called a PAC (Privileged Access Certificate). It contains the
> SIDs of the user and the user's groups. When samba is a domain member
> then this information is used to look up the user and groups from the
> AD domain controller (winbind does this). freeIPA by default will add
> this PAC to the service ticket the user requests. So authentication
> (since November) will fail by default.
>
> As I said this can be worked around, by either "joining" samba to the
> freeIPA domain (and running winbind) or disabling the default
> behaviour of copying the PAC to the service ticket.
>
> Since November updates, if security is set to "user" (standalone
> mode) and the service principal has a PAC attached, authentication will
> fail.
I could go on, but I won't; it will get us nowhere.
Rowland
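As an added illustration (not code from this thread, from Samba or from FreeIPA), a small Python check that reads an smb.conf and flags the combination Ahti describes as failing after the November updates: a standalone server (security = user) that accepts Kerberos logins from a keytab. It assumes the keytab is configured through Samba's real `kerberos method` parameter, and both sample configs are constructed for the example.

```python
import configparser

# "kerberos method" values that make smbd accept Kerberos tickets from a
# keytab (real smb.conf parameter; assumed to be how the standalone setup
# in the thread was configured).
KEYTAB_METHODS = {"system keytab", "dedicated keytab", "secrets and keytab"}

# Constructed sample: the standalone setup the thread says stopped working.
STANDALONE_CONF = """
[global]
workgroup = EXAMPLE
realm = IPA.EXAMPLE.TEST
security = user
kerberos method = system keytab
"""

# Constructed sample: a domain member, where winbind resolves the PAC.
MEMBER_CONF = """
[global]
workgroup = EXAMPLE
realm = AD.EXAMPLE.TEST
security = ads
kerberos method = secrets and keytab
"""

def load_global(conf_text):
    """Parse smb.conf text and return the [global] section as a dict."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None)
    cp.read_string(conf_text)
    return dict(cp["global"]) if cp.has_section("global") else {}

def check_pac_risk(conf_text):
    """Report whether the config matches the failing case: standalone
    server (security = user, Samba's default) using a Kerberos keytab."""
    g = load_global(conf_text)
    security = g.get("security", "user").strip().lower()
    method = g.get("kerberos method", "default").strip().lower()
    at_risk = security == "user" and method in KEYTAB_METHODS
    remedies = []
    if at_risk:  # the two workarounds named in the thread
        remedies = ["join Samba to the FreeIPA domain and run winbind",
                    "stop FreeIPA copying the PAC into this service ticket"]
    return {"security": security, "kerberos_method": method,
            "at_risk": at_risk, "remedies": remedies}

if __name__ == "__main__":
    for name, conf in (("standalone", STANDALONE_CONF), ("member", MEMBER_CONF)):
        print(name, check_pac_risk(conf))
```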