Rowland Penny
2022-Feb-14 16:51 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
> Hello,
>
> Well, that error will occur if security = user and user tries to
> authenticate with a kerberos service ticket where a PAC is present. This
> happens for example when freeIPA is in a trust relationship with AD.
> FreeIPA by default will copy the user's PAC into the service ticket. If this
> is the case for you there are a few possibilities: 1. in freeIPA find the
> cifs/yourhostname service and disable adding the PAC, 2: join samba to
> freeipa (in RHEL 8 there is an "ipa-client-samba" package which makes this
> easier):

I have never seen the point of freeipa as an intermediary between Samba
and AD, you might just as well use Samba with AD, without freeipa at all.
Am I missing something here? What does freeipa give you in such a setup?

Rowland
Ahti Seier
2022-Feb-14 17:38 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
This will probably stir up the hornets' nest, but it is much easier to manage Linux hosts using freeIPA than AD and samba. FreeIPA by default allows remote management of Linux hosts' service access rules, sudo rules, certificates, ssh keys etc. through a nice web UI, using an API or a command line interface. All this without changing any schema on AD and messing with GPOs. freeIPA is basically AD for Linux (ldap + kerberos + CA + DNS) with Linux-specific ldap schemas.

In this case freeIPA is not an intermediary between Samba and AD. freeIPA is a trusted member of the AD forest. It can control access for AD users on Linux hosts joined to it (and manage their sudo rules and ssh keys etc.). Samba in this case is just a file sharing service...

Setting samba into standalone mode (security = user) and just using a keytab (from freeIPA kerberos) used to work, until the November updates. This was nice and simple... and no winbind was needed. NSS through sss on the Linux hosts was perfectly capable of looking up both freeIPA and AD users and groups.

With the November updates this was changed. All AD users have a special data blob attached to their kerberos ticket, called a PAC (Privileged Access Certificate). It contains the SIDs of the user and the user's groups. When samba is a domain member, this information is used to look up the user and groups from the AD domain controller (winbind does this). freeIPA by default will add this PAC to the service ticket the user requests. So authentication (since November) will fail by default.

As I said, this can be worked around, by either "joining" samba to the freeIPA domain (and running winbind) or disabling the default behaviour of copying the PAC to the service ticket. Since the November updates, if security is set to "user" (standalone mode) and the service principal has a PAC attached, authentication will fail.

Rowland Penny via samba (<samba at lists.samba.org>) wrote on Mon, 14 February 2022 at 18:52:
> On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
> > Hello,
> >
> > Well, that error will occur if security = user and user tries to
> > authenticate with a kerberos service ticket where a PAC is present. This
> > happens for example when freeIPA is in a trust relationship with AD.
> > FreeIPA by default will copy the user's PAC into the service ticket. If this
> > is the case for you there are a few possibilities: 1. in freeIPA find the
> > cifs/yourhostname service and disable adding the PAC, 2: join samba to
> > freeipa (in RHEL 8 there is an "ipa-client-samba" package which makes this
> > easier):
>
> I have never seen the point of freeipa as an intermediary between Samba
> and AD, you might just as well use Samba with AD, without freeipa at all.
> Am I missing something here? What does freeipa give you in such a setup?
>
> Rowland
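The configuration shape Ahti describes (standalone Samba, `security = user`, Kerberos via a freeIPA keytab, no winbind) is the one that stops working once the cifs/ service ticket carries a PAC. The script below is an added example, not code from the thread or from the Samba or FreeIPA projects: it reproduces that smb.conf shape with assumed realm, hostname and keytab path, adds a small checker that flags the combination, and lists the two workarounds from the thread as freeIPA CLI commands (the cifs/ principal name is an assumption). The `ipa` commands are shown as comments because they need an IPA client with admin credentials; nothing in the block talks to a KDC.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Realm, hostname and paths are placeholders.
set -u

# Standalone Samba authenticating Kerberos users with a freeIPA keytab:
# the "used to work" configuration from the thread (values assumed).
STANDALONE_CONF='[global]
    security = user
    realm = IPA.EXAMPLE.TEST
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
[data]
    path = /srv/data
    read only = no
'

# smbconf_get CONF_TEXT KEY: print the lower-cased value of KEY from [global].
# Only the first "=" splits key from value; surrounding whitespace is stripped.
smbconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*\[/ { section = tolower($0); gsub(/\[|\]|[[:space:]]/, "", section) }
        section == "global" && index(tolower($0), key) {
            eq = index($0, "="); if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = tolower(substr($0, eq + 1)); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# pac_sensitive_config CONF_TEXT: return 0 (and warn) when the config is
# standalone (security = user, which is also the default when unset) AND
# authenticates with a keytab-based kerberos method. That is the shape that
# fails with the SPNEGO token-type error once the KDC puts a PAC into the
# service ticket, because without winbind nothing can resolve the PAC's SIDs.
pac_sensitive_config() {
    local security method
    security=$(smbconf_get "$1" "security"); security=${security:-user}
    method=$(smbconf_get "$1" "kerberos method")
    case "$method" in
        "dedicated keytab"|"system keytab"|"secrets and keytab") ;;
        *) return 1 ;;
    esac
    [ "$security" = "user" ] || return 1
    echo "warning: security = user with kerberos method = $method:" \
         "Kerberos logins will fail if the service ticket carries a PAC" >&2
    return 0
}

# Workaround 1 from the thread: stop freeIPA adding the PAC to tickets for
# this service (run on an IPA client as an admin; principal name assumed):
#   ipa service-mod cifs/smb.ipa.example.test --pac-type=NONE
#   ipa service-show cifs/smb.ipa.example.test --all | grep -i 'pac type'
# Workaround 2: make Samba a domain member of freeIPA with ipa-client-samba
# and let winbind resolve the SIDs carried in the PAC.

if pac_sensitive_config "$STANDALONE_CONF"; then
    echo "standalone keytab setup detected; apply one of the workarounds above"
fi
```

Run it against a real file with `pac_sensitive_config "$(cat /etc/samba/smb.conf)"`; a clean exit (status 1, no warning) means the config is either not standalone or not using a keytab, so this particular failure mode does not apply.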