[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)

Ahti Seier ahti.seier at gmail.com
Tue Feb 15 07:48:06 UTC 2022

I did a quick grep over samba source and I could not find any other place
where NT_STATUS_BAD_TOKEN_TYPE is set other than the PAC issue. So it may
also be worth checking on IPA server "IPA
server"->"Configuration"->"Service options". If MS-PAC is set you could
experiment with unsetting it here or overriding in
"Identity"->"Services"->cifs/your.samba.host at YOUR.REALM under "PAC type".

Kontakt Jelle de Jong via samba (<samba at lists.samba.org>) kirjutas
kuupäeval E, 14. veebruar 2022 kell 21:46:

> On 2/14/22 18:38, Ahti Seier via samba wrote:
> > This will probably stir up the hornets nest but it is much easier to
> manage
> > linux hosts using freeIPA than AD and samba.
> >
> > FreeIPA by default allows remote management of linux hosts service access
> > rules, sudo rules, certificates, ssh keys etc. through a nice web UI,
> using
> > an API or a command line interface. This all without changing any schema
> on
> > AD and messing with GPOs. freeIPA is basically AD for linux (ldap +
> > kerberos + CA + DNS) with linux specific ldap schemas. In this case
> freeIPA
> > is not an intermediary between Samba and AD. freeIPA is a trusted member
> of
> > the AD forest. It can control access for AD users on linux hosts joined
> to
> > it (and manage their sudo rules and ssh keys etc.). Samba in this case is
> > just a file sharing service...
> >
> > Setting samba into standalone mode (security = user) and just using a
> > keytab (from freeIPA kerberos) used to work, until November updates. This
> > was nice and simple... and no winbind was needed. NSS through sss on the
> > linux hosts was perfectly capable of looking up both freeIPA and AD users
> > and groups. With November updates this was changed.
> >
> > All AD users have a special data blob attached to their kerberos ticket,
> > called a PAC (Privileged Access Certificate). It contains the SID-s of
> the
> > user and the users groups. When samba is a domain member then this
> > information is used to look up the user and groups from the AD domain
> > controller (winbind does this). freeIPA by default will add this PAC to
> the
> > service ticket the user requests. So authentication (since November) will
> > fail by default.
> >
> > As I said this can be worked around. By either "joining" samba to freeIPA
> > domain (and running winbind) or disabling the default behaviour of
> copying
> > the PAC to the service ticket.
> >
> > Since November updates, if security is set to "user" (standalone mode)
> and
> > service principal has a PAC attached authentication will fail.
> >
> > Kontakt Rowland Penny via samba (<samba at lists.samba.org>) kirjutas
> > kuupäeval E, 14. veebruar 2022 kell 18:52:
> >
> >> On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
> >>> Hello,
> >>>
> >>>    Well, that error will occur if security = user and user tries to
> >>> authenticate with a kerberos service ticket where a PAC is present.
> >>> This
> >>> happens for example when freeIPA is in a trust relationship with AD.
> >>> FreeIPA by default will copy users PAC into service ticket. If this
> >>> is the
> >>> case for you there are a few possibilities: 1. in freeIPA find the
> >>> cifs/yourhostname service and disable adding the PAC, 2: join samba
> >>> to
> >>> freeipa: in (RHEL 8 there is "ipa-client-samba" package which makes
> >>> this
> >>> easier):
> >>
> >> I have never seen the point of freeipa as an intermediary between Samba
> >> and AD, you might just as well use Samba with AD, without freeipa at
> >> all. Am I missing something here ? What does freeipa give you in such a
> >> setup ?
> Thank you Ahti and Rowland for your in depth explanation and confirming
> that something changed in November that breaks my setup!
> I use FreeIPA as primary authenticator for many Linux systems and samba
> as filesystem only with kerberos keys for the users to connect to samba
> shares. This used to work fine. There is no Windows or Samba AD server
> present.
> I am still not sure what steps are needed to get my setup working with
> newer versions of samba, but my samba has a trust setup with FreeIPA,
> but seems this is not enough any more.
> ipa-server-trust-ad (package)
> ipa-getkeytab -s freeipa01.example.lan -p cifs/samba01.example.lan -k
> /etc/samba/samba.keytab
> I can take a look at:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm
> and see if I can find a solution. I will probably have to create a test
> setup and start over.
> Jelle
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list