Ahti Seier
2022-Feb-14 16:42 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
Hello,

Well, that error will occur if security = user and a user tries to authenticate with a Kerberos service ticket where a PAC is present. This happens for example when FreeIPA is in a trust relationship with AD. FreeIPA by default will copy the user's PAC into the service ticket. If this is the case for you there are a few possibilities:

1. In FreeIPA find the cifs/yourhostname service and disable adding the PAC.
2. Join Samba to FreeIPA (in RHEL 8 there is the "ipa-client-samba" package which makes this easier): https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

Contact Jelle de Jong via samba (<samba at lists.samba.org>) wrote on Mon, 14 February 2022 at 18:24:
> Hello everybody,
>
> On 12/23/21 22:15, Jelle de Jong via samba wrote:
> > On 12/23/21 1:02 PM, Jelle de Jong via samba wrote:
> >> Hello everybody,
> >>
> >> I had to downgrade samba on all my centos 8 systems this morning after
> >> an upgrade caused kerberos logins to stop working.
> >>
> >> yum downgrade samba -y
> >>
> >> it also downgraded sssd packages but only downgrading sssd did not work.
> >>
> >> How do I debug this further and has anyone encountered the same
> >> problem and found a solution?
> >>
> >> Testing with the below command showed me:
> >>
> >> LC_ALL=C smbclient -d 10 -k -L samba01.organization.lan
> >>
> >> Starting GENSEC mechanism spnego
> >> Starting GENSEC submechanism gse_krb5
> >> gensec_update_send: gse_krb5[0x5590f7bb38e0]: subreq: 0x5590f7baa280
> >> gensec_update_send: spnego[0x5590f7bad880]: subreq: 0x5590f7bb2410
> >> gensec_update_done: gse_krb5[0x5590f7bb38e0]: NT_STATUS_MORE_PROCESSING_REQUIRED
> >> tevent_req[0x5590f7baa280/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x5590f7baa430)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
> >> gensec_update_done: spnego[0x5590f7bad880]: NT_STATUS_MORE_PROCESSING_REQUIRED
> >> tevent_req[0x5590f7bb2410/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x5590f7bb25c0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
> >> SPNEGO login failed: The type of a token object is inappropriate for its attempted use.
> >> session setup failed: NT_STATUS_BAD_TOKEN_TYPE
> >
> > I went through the thread of Alex, subject: [Samba] Authentication issue
> > after updating samba on CentOS 7 (from yum)
> >
> > I updated the samba package to samba-4.14.5-7.el8_5.x86_64 and the
> > problem came back.
> >
> > I then tried adding the following options:
> > local nt token from nss:DOMAIN = no
> > and
> > local nt token from nss:* = no
> > but they did not work.
> >
> > This is my global config:
> >
> > [global]
> > dedicated keytab file = FILE:/etc/samba/samba.keytab
> > disable spoolss = Yes
> > kerberos method = dedicated keytab
> > load printers = No
> > log file = /var/log/samba/%m.log
> > printcap name = /dev/null
> > realm = DOMAIN.LAN
> > security = USER
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
> > workgroup = DOMAIN
> > local nt token from nss:domain = no
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > printing = bsd
> > vfs objects = acl_xattr
> >
> > @Alex did you contact Andreas Schneider the RH maintainer?
> >
> > It can also be an issue related to one of the below packages as they
> > also got downgraded with samba
> >
> > # yum downgrade samba -y
> > ....
> > Downloading Packages:
> > (1/46): ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> > (2/46): ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (3/46): ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (4/46): ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> > (5/46): ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64.rpm
> > (6/46): python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (7/46): python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (8/46): ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (9/46): python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch.rpm
> > (10/46): libsss_autofs-2.5.2-2.el8_5.1.x86_64.rpm
> > (11/46): libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
> > (12/46): libsmbclient-4.14.5-2.el8.x86_64.rpm
> > (13/46): libsss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (14/46): libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (15/46): libsss_simpleifp-2.5.2-2.el8_5.1.x86_64.rpm
> > (16/46): libsss_sudo-2.5.2-2.el8_5.1.x86_64.rpm
> > (17/46): libsss_certmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (18/46): libwbclient-4.14.5-2.el8.x86_64.rpm
> > (19/46): python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (20/46): python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64.rpm
> > (21/46): python3-sss-2.5.2-2.el8_5.1.x86_64.rpm
> > (22/46): python3-sssdconfig-2.5.2-2.el8_5.1.noarch.rpm
> > (23/46): samba-4.14.5-2.el8.x86_64.rpm
> > (24/46): samba-client-4.14.5-2.el8.x86_64.rpm
> > (25/46): samba-common-4.14.5-2.el8.noarch.rpm
> > (26/46): samba-common-libs-4.14.5-2.el8.x86_64.rpm
> > (27/46): python3-samba-4.14.5-2.el8.x86_64.rpm
> > (28/46): samba-libs-4.14.5-2.el8.x86_64.rpm
> > (29/46): samba-common-tools-4.14.5-2.el8.x86_64.rpm
> > (30/46): samba-winbind-modules-4.14.5-2.el8.x86_64.rpm
> > (31/46): samba-winbind-4.14.5-2.el8.x86_64.rpm
> > (32/46): sssd-2.5.2-2.el8_5.1.x86_64.rpm
> > (33/46): samba-client-libs-4.14.5-2.el8.x86_64.rpm
> > (34/46): sssd-ad-2.5.2-2.el8_5.1.x86_64.rpm
> > (35/46): sssd-client-2.5.2-2.el8_5.1.x86_64.rpm
> > (36/46): sssd-common-pac-2.5.2-2.el8_5.1.x86_64.rpm
> > (37/46): sssd-dbus-2.5.2-2.el8_5.1.x86_64.rpm
> > (38/46): sssd-ipa-2.5.2-2.el8_5.1.x86_64.rpm
> > (39/46): sssd-common-2.5.2-2.el8_5.1.x86_64.rpm
> > (40/46): sssd-krb5-2.5.2-2.el8_5.1.x86_64.rpm
> > (41/46): sssd-krb5-common-2.5.2-2.el8_5.1.x86_64.rpm
> > (42/46): sssd-ldap-2.5.2-2.el8_5.1.x86_64.rpm
> > (43/46): sssd-proxy-2.5.2-2.el8_5.1.x86_64.rpm
> > (44/46): sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64.rpm
> > (45/46): sssd-tools-2.5.2-2.el8_5.1.x86_64.rpm
> > (46/46): sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64.rpm
>
> I wanted to ask if anyone found a solution to kerberos auth breaking
> with samba on centos / centos stream 8.
>
> I had to upgrade many systems to stream 8 and had to downgrade samba
> several times to have a working setup.
>
> Downgraded:
> ipa-client-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
> ipa-client-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
> ipa-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
> ipa-server-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
> ipa-server-common-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
> ipa-server-trust-ad-4.9.6-6.module_el8.5.0+948+b8187ba6.x86_64
> libipa_hbac-2.5.2-2.el8_5.1.x86_64
> libsmbclient-4.14.5-2.el8.x86_64
> libsss_autofs-2.5.2-2.el8_5.1.x86_64
> libsss_certmap-2.5.2-2.el8_5.1.x86_64
> libsss_idmap-2.5.2-2.el8_5.1.x86_64
> libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64
> libsss_simpleifp-2.5.2-2.el8_5.1.x86_64
> libsss_sudo-2.5.2-2.el8_5.1.x86_64
> libwbclient-4.14.5-2.el8.x86_64
> python3-ipaclient-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
> python3-ipalib-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
> python3-ipaserver-4.9.6-6.module_el8.5.0+948+b8187ba6.noarch
> python3-libipa_hbac-2.5.2-2.el8_5.1.x86_64
> python3-libsss_nss_idmap-2.5.2-2.el8_5.1.x86_64
> python3-samba-4.14.5-2.el8.x86_64
> python3-sss-2.5.2-2.el8_5.1.x86_64
> python3-sssdconfig-2.5.2-2.el8_5.1.noarch
> realmd-0.16.3-23.el8.x86_64
> samba-4.14.5-2.el8.x86_64
> samba-client-4.14.5-2.el8.x86_64
> samba-client-libs-4.14.5-2.el8.x86_64
> samba-common-4.14.5-2.el8.noarch
> samba-common-libs-4.14.5-2.el8.x86_64
> samba-common-tools-4.14.5-2.el8.x86_64
> samba-libs-4.14.5-2.el8.x86_64
> samba-winbind-4.14.5-2.el8.x86_64
> samba-winbind-modules-4.14.5-2.el8.x86_64
> sssd-2.5.2-2.el8_5.1.x86_64
> sssd-ad-2.5.2-2.el8_5.1.x86_64
> sssd-client-2.5.2-2.el8_5.1.x86_64
> sssd-common-2.5.2-2.el8_5.1.x86_64
> sssd-common-pac-2.5.2-2.el8_5.1.x86_64
> sssd-dbus-2.5.2-2.el8_5.1.x86_64
> sssd-ipa-2.5.2-2.el8_5.1.x86_64
> sssd-krb5-2.5.2-2.el8_5.1.x86_64
> sssd-krb5-common-2.5.2-2.el8_5.1.x86_64
> sssd-ldap-2.5.2-2.el8_5.1.x86_64
> sssd-nfs-idmap-2.5.2-2.el8_5.1.x86_64
> sssd-proxy-2.5.2-2.el8_5.1.x86_64
> sssd-tools-2.5.2-2.el8_5.1.x86_64
> sssd-winbind-idmap-2.5.2-2.el8_5.1.x86_64
>
> Complete!
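A small diagnostic that ties the two halves of the thread together: it parses a Samba [global] section like the one posted and the tail of the `smbclient -d 10 -k` trace, and reports the combination Ahti describes (security = user plus Kerberos, with the session setup ending in NT_STATUS_BAD_TOKEN_TYPE). This is an added example, not code from the thread or from Samba; the sample config and log lines are constructed from the quoted messages.

```python
import re

# Constructed sample inputs, trimmed from the config and trace quoted above.
SMB_CONF = """[global]
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    realm = DOMAIN.LAN
    security = USER
    workgroup = DOMAIN
    local nt token from nss:domain = no
"""

SMBCLIENT_LOG = """Starting GENSEC submechanism gse_krb5
gensec_update_done: gse_krb5[0x5590f7bb38e0]: NT_STATUS_MORE_PROCESSING_REQUIRED
SPNEGO login failed: The type of a token object is inappropriate for its attempted use.
session setup failed: NT_STATUS_BAD_TOKEN_TYPE
"""


def parse_global(conf):
    """Return the [global] parameters as a dict keyed by normalised lowercase name."""
    params, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.split()).lower()] = val.strip()
    return params


def final_status(log):
    """Return the NT_STATUS code from the last 'session setup failed' line, or None."""
    codes = re.findall(r"session setup failed: (NT_STATUS_\w+)", log)
    return codes[-1] if codes else None


def diagnose(conf, log):
    """Match the thread's failure signature against the config that produces it."""
    g = parse_global(conf)
    status = final_status(log)
    uses_krb5 = "realm" in g or "kerberos method" in g
    if status == "NT_STATUS_BAD_TOKEN_TYPE" and g.get("security", "").lower() == "user" and uses_krb5:
        return ("security = user with Kerberos: service tickets carrying a PAC are rejected; "
                "either join Samba to FreeIPA or stop FreeIPA adding the PAC to the cifs/ service")
    return "no known match for status %s" % status
```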
Rowland Penny
2022-Feb-14 16:51 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
> Hello,
>
> Well, that error will occur if security = user and user tries to
> authenticate with a kerberos service ticket where a PAC is present.
> This happens for example when freeIPA is in a trust relationship with
> AD. FreeIPA by default will copy users PAC into service ticket. If
> this is the case for you there are a few possibilities: 1. in freeIPA
> find the cifs/yourhostname service and disable adding the PAC, 2: join
> samba to freeipa: in (RHEL 8 there is "ipa-client-samba" package which
> makes this easier):

I have never seen the point of freeipa as an intermediary between Samba and AD, you might just as well use Samba with AD, without freeipa at all.

Am I missing something here? What does freeipa give you in such a setup?

Rowland