[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Mon Feb 14 19:45:04 UTC 2022

On 2/14/22 18:38, Ahti Seier via samba wrote:
> This will probably stir up the hornets nest but it is much easier to manage
> linux hosts using freeIPA than AD and samba.
> 
> FreeIPA by default allows remote management of linux hosts service access
> rules, sudo rules, certificates, ssh keys etc. through a nice web UI, using
> an API or a command line interface. This all without changing any schema on
> AD and messing with GPOs. freeIPA is basically AD for linux (ldap +
> kerberos + CA + DNS) with linux specific ldap schemas. In this case freeIPA
> is not an intermediary between Samba and AD. freeIPA is a trusted member of
> the AD forest. It can control access for AD users on linux hosts joined to
> it (and manage their sudo rules and ssh keys etc.). Samba in this case is
> just a file sharing service...
> 
> Setting samba into standalone mode (security = user) and just using a
> keytab (from freeIPA kerberos) used to work, until November updates. This
> was nice and simple... and no winbind was needed. NSS through sss on the
> linux hosts was perfectly capable of looking up both freeIPA and AD users
> and groups. With November updates this was changed.
> 
> All AD users have a special data blob attached to their kerberos ticket,
> called a PAC (Privileged Access Certificate). It contains the SID-s of the
> user and the users groups. When samba is a domain member then this
> information is used to look up the user and groups from the AD domain
> controller (winbind does this). freeIPA by default will add this PAC to the
> service ticket the user requests. So authentication (since November) will
> fail by default.
> 
> As I said this can be worked around. By either "joining" samba to freeIPA
> domain (and running winbind) or disabling the default behaviour of copying
> the PAC to the service ticket.
> 
> Since November updates, if security is set to "user" (standalone mode) and
> service principal has a PAC attached authentication will fail.
> 
> Kontakt Rowland Penny via samba (<samba at lists.samba.org>) kirjutas
> kuupäeval E, 14. veebruar 2022 kell 18:52:
> 
>> On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
>>> Hello,
>>>
>>>    Well, that error will occur if security = user and user tries to
>>> authenticate with a kerberos service ticket where a PAC is present.
>>> This
>>> happens for example when freeIPA is in a trust relationship with AD.
>>> FreeIPA by default will copy users PAC into service ticket. If this
>>> is the
>>> case for you there are a few possibilities: 1. in freeIPA find the
>>> cifs/yourhostname service and disable adding the PAC, 2: join samba
>>> to
>>> freeipa: in (RHEL 8 there is "ipa-client-samba" package which makes
>>> this
>>> easier):
>>
>> I have never seen the point of freeipa as an intermediary between Samba
>> and AD, you might just as well use Samba with AD, without freeipa at
>> all. Am I missing something here ? What does freeipa give you in such a
>> setup ?

Thank you Ahti and Rowland for your in depth explanation and confirming 
that something changed in November that breaks my setup!

I use FreeIPA as primary authenticator for many Linux systems and samba 
as filesystem only with kerberos keys for the users to connect to samba 
shares. This used to work fine. There is no Windows or Samba AD server 
present.

I am still not sure what steps are needed to get my setup working with 
newer versions of samba, but my samba has a trust setup with FreeIPA, 
but seems this is not enough any more.

ipa-server-trust-ad (package)
ipa-getkeytab -s freeipa01.example.lan -p cifs/samba01.example.lan -k 
/etc/samba/samba.keytab

I can take a look at: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm 
and see if I can find a solution. I will probably have to create a test 
setup and start over.

Jelle