Jelle de Jong
2021-Dec-23 21:15 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:> Hello everybody, > > I had to downgrade samba on all my centos 8 systems this morning after > an upgrade made caused kerberos logins to stop working. > > yum downgrade samba -y > > it also downgraded sssd packages but only downgrading sssd did not work. > > How do I debug this further and does anyone encountered the same problem > and found a solution? > > Testing with the bellow command showed me: > > LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan > > Starting GENSEC mechanism spnego > Starting GENSEC submechanism gse_krb5 > gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280 > gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410 > gensec_update_done: gse_krb5[0x5590f7bb38e0]: > NT_STATUS_MORE_PROCESSING_REQUIRED > tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: > state[2] error[0 (0x0)]? state[struct gensec_gse_update_state > (0x5590f7baa430)] timer[(nil)] > finish[../../source3/librpc/crypto/gse.c:859] > gensec_update_done: spnego[0x5590f7bad880]: > NT_STATUS_MORE_PROCESSING_REQUIRED > tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] > error[0 (0x0)]? state[struct gensec_spnego_update_state > (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] > SPNEGO login failed: The type of a token object is inappropriate for its > attempted use. > session setup failed: NT_STATUS_BAD_TOKEN_TYPEI went through the thread of Alex subject: [Samba] Authentication issue after updating samba on CentOS 7 (from yum) I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the problem came back. I then tried the adding the following options: local nt token from nss:DOMAIN = no and local nt token from nss:* = no but they did not work. This is my global config: [global] dedicated keytab file = FILE:/etc/samba/samba.keytab disable spoolss = Yes kerberos method = dedicated keytab load printers = No log file = /var/log/samba/%m.log printcap name = /dev/null realm = DOMAIN.LAN security = USER winbind refresh tickets = Yes winbind use default domain = Yes workgroup = DOMAIN local nt token from nss:domain = no idmap config * : backend = tdb map acl inherit = Yes printing = bsd vfs objects = acl_xattr @Alex did you contact Andreas Schneider the RH maintainer? It can also be n issue related in one of the bellow packages as they also got downgraded with samba # yum downgrade samba -y .... Downloading Packages: (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm (5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm (23/46): samba-4.14.5-2.el8.x86_64.rpm (24/46): samba-client-4.14.5-2.el8.x86_64.rpm (25/46): samba-common-4.14.5-2.el8.noarch.rpm (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm
Rowland Penny
2021-Dec-23 21:23 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On Thu, 2021-12-23 at 22:15 +0100, Jelle de Jong via samba wrote:> On 12/23/21 1:02 PM, Jelle de Jong via samba wrote: > > Hello everybody, > > > > I had to downgrade samba on all my centos 8 systems this morning > > after > > an upgrade made caused kerberos logins to stop working. > > > > yum downgrade samba -y > > > > it also downgraded sssd packages but only downgrading sssd did not > > work. > > > > How do I debug this further and does anyone encountered the same > > problem > > and found a solution? > > > > Testing with the bellow command showed me: > > > > LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan > > > > Starting GENSEC mechanism spnego > > Starting GENSEC submechanism gse_krb5 > > gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: > > 0x5590f7baa280 > > gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410 > > gensec_update_done: gse_krb5[0x5590f7bb38e0]: > > NT_STATUS_MORE_PROCESSING_REQUIRED > > tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: > > state[2] error[0 (0x0)] state[struct gensec_gse_update_state > > (0x5590f7baa430)] timer[(nil)] > > finish[../../source3/librpc/crypto/gse.c:859] > > gensec_update_done: spnego[0x5590f7bad880]: > > NT_STATUS_MORE_PROCESSING_REQUIRED > > tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: > > state[2] > > error[0 (0x0)] state[struct gensec_spnego_update_state > > (0x5590f7bb25c0)] timer[(nil)] > > finish[../../auth/gensec/spnego.c:2116] > > SPNEGO login failed: The type of a token object is inappropriate > > for its > > attempted use. > > session setup failed: NT_STATUS_BAD_TOKEN_TYPE > > I went through the thread of Alex subject: [Samba] Authentication > issue > after updating samba on CentOS 7 (from yum) > > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the > problem came back. > > I then tried the adding the following options: > local nt token from nss:DOMAIN = no > and > local nt token from nss:* = no > but they did not work. > > This is my global config: > > [global] > dedicated keytab file = FILE:/etc/samba/samba.keytab > disable spoolss = Yes > kerberos method = dedicated keytab > load printers = No > log file = /var/log/samba/%m.log > printcap name = /dev/null > realm = DOMAIN.LAN > security = USERI know that you are using sssd (and that is all I am going say on that), but 'security' should still be set to 'ADS' and winbind must be running. Rowland
Alex
2021-Dec-24 07:38 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Hello Jelle,> @Alex did you contact Andreas Schneider the RH maintainer?Yes, I wrote him yesterday but no reply so far. It would be great if you also emailed him. High chances that would speed up resolution.> It can also be n issue related in one of the bellow packages as they also got downgraded with samba> # yum downgrade samba -y > .... > Downloading Packages: > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpmNot in my case - we don't use sssd. When I issue "yum downgrade" only the following packages affected: Downgrading: libsmbclient x86_64 4.10.16-15.el7_9 updates 145 k libwbclient x86_64 4.10.16-15.el7_9 updates 116 k samba x86_64 4.10.16-15.el7_9 updates 719 k samba-client x86_64 4.10.16-15.el7_9 updates 646 k samba-client-libs x86_64 4.10.16-15.el7_9 updates 5.0 M samba-common noarch 4.10.16-15.el7_9 updates 215 k samba-common-libs x86_64 4.10.16-15.el7_9 updates 182 k samba-common-tools x86_64 4.10.16-15.el7_9 updates 466 k samba-libs x86_64 4.10.16-15.el7_9 updates 271 k samba-winbind x86_64 4.10.16-15.el7_9 updates 560 k samba-winbind-clients x86_64 4.10.16-15.el7_9 updates 148 k samba-winbind-modules x86_64 4.10.16-15.el7_9 updates 123 k -- Best regards, Alex
Jelle de Jong
2022-Feb-14 16:22 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Hello everybody, On 12/23/21 22:15, Jelle de Jong via samba wrote:> On 12/23/21 1:02 PM, Jelle de Jong via samba wrote: >> Hello everybody, >> >> I had to downgrade samba on all my centos 8 systems this morning after >> an upgrade made caused kerberos logins to stop working. >> >> yum downgrade samba -y >> >> it also downgraded sssd packages but only downgrading sssd did not work. >> >> How do I debug this further and does anyone encountered the same >> problem and found a solution? >> >> Testing with the bellow command showed me: >> >> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan >> >> Starting GENSEC mechanism spnego >> Starting GENSEC submechanism gse_krb5 >> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280 >> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410 >> gensec_update_done: gse_krb5[0x5590f7bb38e0]: >> NT_STATUS_MORE_PROCESSING_REQUIRED >> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: >> state[2] error[0 (0x0)]? state[struct gensec_gse_update_state >> (0x5590f7baa430)] timer[(nil)] >> finish[../../source3/librpc/crypto/gse.c:859] >> gensec_update_done: spnego[0x5590f7bad880]: >> NT_STATUS_MORE_PROCESSING_REQUIRED >> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] >> error[0 (0x0)]? state[struct gensec_spnego_update_state >> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] >> SPNEGO login failed: The type of a token object is inappropriate for >> its attempted use. >> session setup failed: NT_STATUS_BAD_TOKEN_TYPE > > I went through the thread of Alex subject: [Samba] Authentication issue > after updating samba on CentOS 7 (from yum) > > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the > problem came back. > > I then tried the adding the following options: > local nt token from nss:DOMAIN = no > and > local nt token from nss:* = no > but they did not work. > > This is my global config: > > [global] > ????dedicated keytab file = FILE:/etc/samba/samba.keytab > ????disable spoolss = Yes > ????kerberos method = dedicated keytab > ????load printers = No > ????log file = /var/log/samba/%m.log > ????printcap name = /dev/null > ????realm = DOMAIN.LAN > ????security = USER > ????winbind refresh tickets = Yes > ????winbind use default domain = Yes > ????workgroup = DOMAIN > ????local nt token from nss:domain = no > ????idmap config * : backend = tdb > ????map acl inherit = Yes > ????printing = bsd > ????vfs objects = acl_xattr > > @Alex did you contact Andreas Schneider the RH maintainer? > > It can also be n issue related in one of the bellow packages as they > also got downgraded with samba > > # yum downgrade samba -y > .... > Downloading Packages: > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > (5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm > (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm > (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm > (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm > (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm > (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm > (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm > (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm > (23/46): samba-4.14.5-2.el8.x86_64.rpm > (24/46): samba-client-4.14.5-2.el8.x86_64.rpm > (25/46): samba-common-4.14.5-2.el8.noarch.rpm > (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm > (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm > (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm > (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm > (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm > (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm > (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm > (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm > (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm > (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm > (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm > (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm > (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm > (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm > (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm > (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm > (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm > (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm > (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm > (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm > (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpmI wanted to ask if anyone found a solution to kerberos auth breaking with samba on centos / centos stream 8. I had to upgrade many systems to stream 8 and had to downgrade samba sevral times to have a working setup. Downgraded: ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 libipa_hbac-2.5.2-2.el8_5.1.x86_64 libsmbclient-4.14.5-2.el8.x86_64 libsss_autofs-2.5.2-2.el8_5.1.x86_64 libsss_certmap-2.5.2-2.el8_5.1.x86_64 libsss_idmap-2.5.2-2.el8_5.1.x86_64 libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64 libsss_simpleifp-2.5.2-2.el8_5.1.x86_64 libsss_sudo-2.5.2-2.el8_5.1.x86_64 libwbclient-4.14.5-2.el8.x86_64 python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64 python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64 python3-samba-4.14.5-2.el8.x86_64 python3-sss-2.5.2-2.el8_5.1.x86_64 python3-sssdconfig-2.5.2-2.el8_5.1.noarch realmd-0.16.3-23.el8.x86_64 samba-4.14.5-2.el8.x86_64 samba-client-4.14.5-2.el8.x86_64 samba-client-libs-4.14.5-2.el8.x86_64 samba-common-4.14.5-2.el8.noarch samba-common-libs-4.14.5-2.el8.x86_64 samba-common-tools-4.14.5-2.el8.x86_64 samba-libs-4.14.5-2.el8.x86_64 samba-winbind-4.14.5-2.el8.x86_64 samba-winbind-modules-4.14.5-2.el8.x86_64 sssd-2.5.2-2.el8_5.1.x86_64 sssd-ad-2.5.2-2.el8_5.1.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 sssd-common-2.5.2-2.el8_5.1.x86_64 sssd-common-pac-2.5.2-2.el8_5.1.x86_64 sssd-dbus-2.5.2-2.el8_5.1.x86_64 sssd-ipa-2.5.2-2.el8_5.1.x86_64 sssd-krb5-2.5.2-2.el8_5.1.x86_64 sssd-krb5-common-2.5.2-2.el8_5.1.x86_64 sssd-ldap-2.5.2-2.el8_5.1.x86_64 sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64 sssd-proxy-2.5.2-2.el8_5.1.x86_64 sssd-tools-2.5.2-2.el8_5.1.x86_64 sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64 Complete!