Jelle de Jong
2022-Feb-14 16:22 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Hello everybody, On 12/23/21 22:15, Jelle de Jong via samba wrote:> On 12/23/21 1:02 PM, Jelle de Jong via samba wrote: >> Hello everybody, >> >> I had to downgrade samba on all my centos 8 systems this morning after >> an upgrade made caused kerberos logins to stop working. >> >> yum downgrade samba -y >> >> it also downgraded sssd packages but only downgrading sssd did not work. >> >> How do I debug this further and does anyone encountered the same >> problem and found a solution? >> >> Testing with the bellow command showed me: >> >> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan >> >> Starting GENSEC mechanism spnego >> Starting GENSEC submechanism gse_krb5 >> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280 >> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410 >> gensec_update_done: gse_krb5[0x5590f7bb38e0]: >> NT_STATUS_MORE_PROCESSING_REQUIRED >> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: >> state[2] error[0 (0x0)]? state[struct gensec_gse_update_state >> (0x5590f7baa430)] timer[(nil)] >> finish[../../source3/librpc/crypto/gse.c:859] >> gensec_update_done: spnego[0x5590f7bad880]: >> NT_STATUS_MORE_PROCESSING_REQUIRED >> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] >> error[0 (0x0)]? state[struct gensec_spnego_update_state >> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] >> SPNEGO login failed: The type of a token object is inappropriate for >> its attempted use. >> session setup failed: NT_STATUS_BAD_TOKEN_TYPE > > I went through the thread of Alex subject: [Samba] Authentication issue > after updating samba on CentOS 7 (from yum) > > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the > problem came back. > > I then tried the adding the following options: > local nt token from nss:DOMAIN = no > and > local nt token from nss:* = no > but they did not work. > > This is my global config: > > [global] > ????dedicated keytab file = FILE:/etc/samba/samba.keytab > ????disable spoolss = Yes > ????kerberos method = dedicated keytab > ????load printers = No > ????log file = /var/log/samba/%m.log > ????printcap name = /dev/null > ????realm = DOMAIN.LAN > ????security = USER > ????winbind refresh tickets = Yes > ????winbind use default domain = Yes > ????workgroup = DOMAIN > ????local nt token from nss:domain = no > ????idmap config * : backend = tdb > ????map acl inherit = Yes > ????printing = bsd > ????vfs objects = acl_xattr > > @Alex did you contact Andreas Schneider the RH maintainer? > > It can also be n issue related in one of the bellow packages as they > also got downgraded with samba > > # yum downgrade samba -y > .... > Downloading Packages: > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > (5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm > (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm > (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm > (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm > (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm > (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm > (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm > (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm > (23/46): samba-4.14.5-2.el8.x86_64.rpm > (24/46): samba-client-4.14.5-2.el8.x86_64.rpm > (25/46): samba-common-4.14.5-2.el8.noarch.rpm > (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm > (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm > (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm > (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm > (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm > (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm > (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm > (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm > (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm > (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm > (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm > (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm > (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm > (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm > (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm > (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm > (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm > (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm > (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm > (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm > (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpmI wanted to ask if anyone found a solution to kerberos auth breaking with samba on centos / centos stream 8. I had to upgrade many systems to stream 8 and had to downgrade samba sevral times to have a working setup. Downgraded: ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 libipa_hbac-2.5.2-2.el8_5.1.x86_64 libsmbclient-4.14.5-2.el8.x86_64 libsss_autofs-2.5.2-2.el8_5.1.x86_64 libsss_certmap-2.5.2-2.el8_5.1.x86_64 libsss_idmap-2.5.2-2.el8_5.1.x86_64 libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64 libsss_simpleifp-2.5.2-2.el8_5.1.x86_64 libsss_sudo-2.5.2-2.el8_5.1.x86_64 libwbclient-4.14.5-2.el8.x86_64 python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64 python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64 python3-samba-4.14.5-2.el8.x86_64 python3-sss-2.5.2-2.el8_5.1.x86_64 python3-sssdconfig-2.5.2-2.el8_5.1.noarch realmd-0.16.3-23.el8.x86_64 samba-4.14.5-2.el8.x86_64 samba-client-4.14.5-2.el8.x86_64 samba-client-libs-4.14.5-2.el8.x86_64 samba-common-4.14.5-2.el8.noarch samba-common-libs-4.14.5-2.el8.x86_64 samba-common-tools-4.14.5-2.el8.x86_64 samba-libs-4.14.5-2.el8.x86_64 samba-winbind-4.14.5-2.el8.x86_64 samba-winbind-modules-4.14.5-2.el8.x86_64 sssd-2.5.2-2.el8_5.1.x86_64 sssd-ad-2.5.2-2.el8_5.1.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 sssd-common-2.5.2-2.el8_5.1.x86_64 sssd-common-pac-2.5.2-2.el8_5.1.x86_64 sssd-dbus-2.5.2-2.el8_5.1.x86_64 sssd-ipa-2.5.2-2.el8_5.1.x86_64 sssd-krb5-2.5.2-2.el8_5.1.x86_64 sssd-krb5-common-2.5.2-2.el8_5.1.x86_64 sssd-ldap-2.5.2-2.el8_5.1.x86_64 sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64 sssd-proxy-2.5.2-2.el8_5.1.x86_64 sssd-tools-2.5.2-2.el8_5.1.x86_64 sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64 Complete!
Rowland Penny
2022-Feb-14 16:37 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On Mon, 2022-02-14 at 17:22 +0100, Jelle de Jong via samba wrote:> Hello everybody, > > On 12/23/21 22:15, Jelle de Jong via samba wrote: > > On 12/23/21 1:02 PM, Jelle de Jong via samba wrote: > > > Hello everybody, > > > > > > I had to downgrade samba on all my centos 8 systems this morning > > > after > > > an upgrade made caused kerberos logins to stop working. > > > > > > yum downgrade samba -y > > > > > > it also downgraded sssd packages but only downgrading sssd did > > > not work. > > > > > > How do I debug this further and does anyone encountered the same > > > problem and found a solution? > > > > > > Testing with the bellow command showed me: > > > > > > LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan > > > > > > Starting GENSEC mechanism spnego > > > Starting GENSEC submechanism gse_krb5 > > > gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: > > > 0x5590f7baa280 > > > gensec_update_send: spnego[0x5590f7bad880]: subreq: > > > 0x5590f7bb2410 > > > gensec_update_done: gse_krb5[0x5590f7bb38e0]: > > > NT_STATUS_MORE_PROCESSING_REQUIRED > > > tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: > > > > > > state[2] error[0 (0x0)] state[struct gensec_gse_update_state > > > (0x5590f7baa430)] timer[(nil)] > > > finish[../../source3/librpc/crypto/gse.c:859] > > > gensec_update_done: spnego[0x5590f7bad880]: > > > NT_STATUS_MORE_PROCESSING_REQUIRED > > > tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: > > > state[2] > > > error[0 (0x0)] state[struct gensec_spnego_update_state > > > (0x5590f7bb25c0)] timer[(nil)] > > > finish[../../auth/gensec/spnego.c:2116] > > > SPNEGO login failed: The type of a token object is inappropriate > > > for > > > its attempted use. > > > session setup failed: NT_STATUS_BAD_TOKEN_TYPE > > > > I went through the thread of Alex subject: [Samba] Authentication > > issue > > after updating samba on CentOS 7 (from yum) > > > > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the > > problem came back. > > > > I then tried the adding the following options: > > local nt token from nss:DOMAIN = no > > and > > local nt token from nss:* = no > > but they did not work. > > > > This is my global config: > > > > [global] > > dedicated keytab file = FILE:/etc/samba/samba.keytab > > disable spoolss = Yes > > kerberos method = dedicated keytab > > load printers = No > > log file = /var/log/samba/%m.log > > printcap name = /dev/null > > realm = DOMAIN.LAN > > security = USER > > winbind refresh tickets = Yes > > winbind use default domain = Yes > > workgroup = DOMAIN > > local nt token from nss:domain = no > > idmap config * : backend = tdb > > map acl inherit = Yes > > printing = bsd > > vfs objects = acl_xattr > > > > @Alex did you contact Andreas Schneider the RH maintainer? > > > > It can also be n issue related in one of the bellow packages as > > they > > also got downgraded with samba > > > > # yum downgrade samba -y > > .... > > Downloading Packages: > > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > > (2/46): ipa-client-common-4.9.6- > > 6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > > (5/46): ipa-server-trust-ad-4.9.6- > > 6.module_el8.5.0+948+b8187ba6.x86_64.rpm > > (6/46): python3-ipaclient-4.9.6- > > 6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (7/46): python3-ipalib-4.9.6- > > 6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (8/46): ipa-server-common-4.9.6- > > 6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (9/46): python3-ipaserver-4.9.6- > > 6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm > > (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > > (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm > > (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm > > (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm > > (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm > > (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm > > (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > > (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm > > (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm > > (23/46): samba-4.14.5-2.el8.x86_64.rpm > > (24/46): samba-client-4.14.5-2.el8.x86_64.rpm > > (25/46): samba-common-4.14.5-2.el8.noarch.rpm > > (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm > > (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm > > (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm > > (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm > > (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm > > (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm > > (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm > > (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm > > (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm > > (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm > > (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm > > (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm > > (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm > > (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm > > (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm > > (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm > > (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm > > (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm > > (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm > > (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm > > I wanted to ask if anyone found a solution to kerberos auth breaking > with samba on centos / centos stream 8.Have you considered that this may be a redhat problem, seeing as three quarters of the packages are redhat ones ? This may be an interaction between the redhat packages and the Samba ones are working correctly. Rowland
Ahti Seier
2022-Feb-14 16:42 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Hello, Well, that error will occur if security = user and user tries to authenticate with a kerberos service ticket where a PAC is present. This happens for example when freeIPA is in a trust relationship with AD. FreeIPA by default will copy users PAC into service ticket. If this is the case for you there are a few possibilities: 1. in freeIPA find the cifs/yourhostname service and disable adding the PAC, 2: join samba to freeipa: in (RHEL 8 there is "ipa-client-samba" package which makes this easier): https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm . Kontakt Jelle de Jong via samba (<samba at lists.samba.org>) kirjutas kuup?eval E, 14. veebruar 2022 kell 18:24:> Hello everybody, > > On 12/23/21 22:15, Jelle de Jong via samba wrote: > > On 12/23/21 1:02 PM, Jelle de Jong via samba wrote: > >> Hello everybody, > >> > >> I had to downgrade samba on all my centos 8 systems this morning after > >> an upgrade made caused kerberos logins to stop working. > >> > >> yum downgrade samba -y > >> > >> it also downgraded sssd packages but only downgrading sssd did not work. > >> > >> How do I debug this further and does anyone encountered the same > >> problem and found a solution? > >> > >> Testing with the bellow command showed me: > >> > >> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan > >> > >> Starting GENSEC mechanism spnego > >> Starting GENSEC submechanism gse_krb5 > >> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280 > >> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410 > >> gensec_update_done: gse_krb5[0x5590f7bb38e0]: > >> NT_STATUS_MORE_PROCESSING_REQUIRED > >> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: > >> state[2] error[0 (0x0)] state[struct gensec_gse_update_state > >> (0x5590f7baa430)] timer[(nil)] > >> finish[../../source3/librpc/crypto/gse.c:859] > >> gensec_update_done: spnego[0x5590f7bad880]: > >> NT_STATUS_MORE_PROCESSING_REQUIRED > >> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] > >> error[0 (0x0)] state[struct gensec_spnego_update_state > >> (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116] > >> SPNEGO login failed: The type of a token object is inappropriate for > >> its attempted use. > >> session setup failed: NT_STATUS_BAD_TOKEN_TYPE > > > > I went through the thread of Alex subject: [Samba] Authentication issue > > after updating samba on CentOS 7 (from yum) > > > > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the > > problem came back. > > > > I then tried the adding the following options: > > local nt token from nss:DOMAIN = no > > and > > local nt token from nss:* = no > > but they did not work. > > > > This is my global config: > > > > [global] > > dedicated keytab file = FILE:/etc/samba/samba.keytab > > disable spoolss = Yes > > kerberos method = dedicated keytab > > load printers = No > > log file = /var/log/samba/%m.log > > printcap name = /dev/null > > realm = DOMAIN.LAN > > security = USER > > winbind refresh tickets = Yes > > winbind use default domain = Yes > > workgroup = DOMAIN > > local nt token from nss:domain = no > > idmap config * : backend = tdb > > map acl inherit = Yes > > printing = bsd > > vfs objects = acl_xattr > > > > @Alex did you contact Andreas Schneider the RH maintainer? > > > > It can also be n issue related in one of the bellow packages as they > > also got downgraded with samba > > > > # yum downgrade samba -y > > .... > > Downloading Packages: > > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > > (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > > (5/46): > ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm > > (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm > > (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm > > (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > > (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm > > (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm > > (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm > > (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm > > (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm > > (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm > > (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm > > (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm > > (23/46): samba-4.14.5-2.el8.x86_64.rpm > > (24/46): samba-client-4.14.5-2.el8.x86_64.rpm > > (25/46): samba-common-4.14.5-2.el8.noarch.rpm > > (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm > > (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm > > (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm > > (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm > > (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm > > (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm > > (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm > > (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm > > (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm > > (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm > > (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm > > (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm > > (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm > > (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm > > (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm > > (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm > > (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm > > (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm > > (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm > > (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm > > (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm > > I wanted to ask if anyone found a solution to kerberos auth breaking > with samba on centos / centos stream 8. > > I had to upgrade many systems to stream 8 and had to downgrade samba > sevral times to have a working setup. > > Downgraded: > ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 > ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch > ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch > > ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 > ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch > > ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64 > > libipa_hbac-2.5.2-2.el8_5.1.x86_64 > libsmbclient-4.14.5-2.el8.x86_64 > libsss_autofs-2.5.2-2.el8_5.1.x86_64 > > libsss_certmap-2.5.2-2.el8_5.1.x86_64 > libsss_idmap-2.5.2-2.el8_5.1.x86_64 > libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64 > > libsss_simpleifp-2.5.2-2.el8_5.1.x86_64 > libsss_sudo-2.5.2-2.el8_5.1.x86_64 > libwbclient-4.14.5-2.el8.x86_64 > > python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch > python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch > > python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch > > python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64 > python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64 > python3-samba-4.14.5-2.el8.x86_64 > > python3-sss-2.5.2-2.el8_5.1.x86_64 > python3-sssdconfig-2.5.2-2.el8_5.1.noarch > realmd-0.16.3-23.el8.x86_64 > > samba-4.14.5-2.el8.x86_64 > samba-client-4.14.5-2.el8.x86_64 > samba-client-libs-4.14.5-2.el8.x86_64 > > samba-common-4.14.5-2.el8.noarch > samba-common-libs-4.14.5-2.el8.x86_64 > samba-common-tools-4.14.5-2.el8.x86_64 > > samba-libs-4.14.5-2.el8.x86_64 > samba-winbind-4.14.5-2.el8.x86_64 > samba-winbind-modules-4.14.5-2.el8.x86_64 > > sssd-2.5.2-2.el8_5.1.x86_64 > sssd-ad-2.5.2-2.el8_5.1.x86_64 > sssd-client-2.5.2-2.el8_5.1.x86_64 > > sssd-common-2.5.2-2.el8_5.1.x86_64 > sssd-common-pac-2.5.2-2.el8_5.1.x86_64 > sssd-dbus-2.5.2-2.el8_5.1.x86_64 > > sssd-ipa-2.5.2-2.el8_5.1.x86_64 > sssd-krb5-2.5.2-2.el8_5.1.x86_64 > sssd-krb5-common-2.5.2-2.el8_5.1.x86_64 > > sssd-ldap-2.5.2-2.el8_5.1.x86_64 > sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64 > sssd-proxy-2.5.2-2.el8_5.1.x86_64 > > sssd-tools-2.5.2-2.el8_5.1.x86_64 > sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64 > > > Complete! > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >