Ahti Seier
2022-Feb-14 17:38 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
This will probably stir up the hornets' nest but it is much easier to manage linux hosts using freeIPA than AD and samba.

FreeIPA by default allows remote management of linux hosts service access rules, sudo rules, certificates, ssh keys etc. through a nice web UI, using an API or a command line interface. This all without changing any schema on AD and messing with GPOs. freeIPA is basically AD for linux (ldap + kerberos + CA + DNS) with linux specific ldap schemas. In this case freeIPA is not an intermediary between Samba and AD. freeIPA is a trusted member of the AD forest. It can control access for AD users on linux hosts joined to it (and manage their sudo rules and ssh keys etc.). Samba in this case is just a file sharing service...

Setting samba into standalone mode (security = user) and just using a keytab (from freeIPA kerberos) used to work, until November updates. This was nice and simple... and no winbind was needed. NSS through sss on the linux hosts was perfectly capable of looking up both freeIPA and AD users and groups. With November updates this was changed.

All AD users have a special data blob attached to their kerberos ticket, called a PAC (Privileged Access Certificate). It contains the SIDs of the user and the user's groups. When samba is a domain member then this information is used to look up the user and groups from the AD domain controller (winbind does this). freeIPA by default will add this PAC to the service ticket the user requests. So authentication (since November) will fail by default.

As I said this can be worked around. By either "joining" samba to freeIPA domain (and running winbind) or disabling the default behaviour of copying the PAC to the service ticket.

Since November updates, if security is set to "user" (standalone mode) and service principal has a PAC attached authentication will fail.

Contact Rowland Penny via samba (<samba at lists.samba.org>) wrote on Mon, 14 February 2022 at 18:52:

> On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
> > Hello,
> >
> > Well, that error will occur if security = user and user tries to
> > authenticate with a kerberos service ticket where a PAC is present. This
> > happens for example when freeIPA is in a trust relationship with AD.
> > FreeIPA by default will copy users PAC into service ticket. If this is the
> > case for you there are a few possibilities: 1. in freeIPA find the
> > cifs/yourhostname service and disable adding the PAC, 2: join samba to
> > freeipa: in (RHEL 8 there is "ipa-client-samba" package which makes this
> > easier):
>
> I have never seen the point of freeipa as an intermediary between Samba
> and AD, you might just as well use Samba with AD, without freeipa at
> all. Am I missing something here? What does freeipa give you in such a
> setup?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
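The failure mode Ahti describes is a property of the Samba configuration combined with what the KDC puts in the service ticket: standalone mode (`security = user`) with a Kerberos keytab and no winbind cannot consume a PAC-bearing ticket, while a winbind-backed domain member can. The audit script below is an added example and is not code from the thread, Samba or FreeIPA. It reads the `[global]` section of an smb.conf, classifies the server, and flags the standalone-plus-keytab combination; treating the presence of any `idmap config` parameter as the sign of a winbind-backed member is this example's own heuristic, and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an smb.conf for the combination
# reported as failing after the November updates, i.e. standalone mode
# ("security = user") serving Kerberos users purely from a keytab, with no
# winbind/idmap configuration. The heuristics are this example's own
# assumptions, not anything Samba or FreeIPA ships.

# Print the value of one [global] parameter (lower-cased), or nothing if unset.
#   $1 = smb.conf path, $2 = parameter name (matched case-insensitively)
smb_param() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && !/^[ \t]*[;#]/ && /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val)
                print tolower(val); exit
            }
        }' "$1"
}

# True when any "idmap config ..." parameter is set: used here as a proxy
# (assumption) for a winbind-backed domain member, the setup the thread
# recommends instead of standalone mode.
smb_has_idmap() {
    grep -Eiq '^[[:space:]]*idmap[[:space:]]+config' "$1"
}

# Classify the server. Output is one of:
#   standalone-keytab : security = user, a keytab in use, no idmap config
#                       (the configuration the thread reports as broken
#                       once the service ticket carries a PAC)
#   member            : idmap config present (winbind-style domain member)
#   standalone        : security = user with no Kerberos keytab configured
#   other             : any other security mode
samba_auth_mode() {
    sec=$(smb_param "$1" security)
    method=$(smb_param "$1" "kerberos method")
    keytab=$(smb_param "$1" "dedicated keytab file")
    sec=${sec:-user}                       # Samba's documented default
    if smb_has_idmap "$1"; then
        echo member
    elif [ "$sec" != user ]; then
        echo other
    elif [ -n "$keytab" ] || [ "$method" = "dedicated keytab" ] \
         || [ "$method" = "system keytab" ]; then
        echo standalone-keytab
    else
        echo standalone
    fi
}

# Human-readable report, naming the two remediations from the thread.
samba_audit() {
    mode=$(samba_auth_mode "$1")
    echo "$1: $mode"
    if [ "$mode" = standalone-keytab ]; then
        echo "  PAC-bearing service tickets are rejected in this mode."
        echo "  Options: disable the PAC on the cifs/ service in FreeIPA, or"
        echo "  join the host with ipa-client-samba so winbind resolves the SIDs."
    fi
}

# Constructed sample configurations (made up for this example; the
# hostnames and paths are hypothetical).
WORK=$(mktemp -d)
cat > "$WORK/standalone.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    security = user
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
[share]
    path = /srv/share
EOF
cat > "$WORK/member.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    security = user
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
    idmap config * : backend = sss
EOF

samba_audit "$WORK/standalone.conf"
samba_audit "$WORK/member.conf"
```

Run against a real file with `samba_auth_mode /etc/samba/smb.conf`. The script only sees the Samba side; whether the KDC actually attaches a PAC is decided per service principal in FreeIPA (the thread's first remediation is to turn that off for the `cifs/` service), so a `standalone-keytab` result means "at risk", not "confirmed broken".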
Rowland Penny
2022-Feb-14 17:52 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On Mon, 2022-02-14 at 19:38 +0200, Ahti Seier wrote:
> This will probably stir up the hornets' nest but it is much easier to
> manage linux hosts using freeIPA than AD and samba.
>
> FreeIPA by default allows remote management of linux hosts service
> access rules,

That can probably be done with Samba

> sudo rules,

That definitely can be done with Samba, I use it :-)

> certificates,

Not sure about certificates, but David Mulder is probably working on it

> ssh keys etc.

Why use ssh keys? What is wrong with kerberos?

> through a nice web UI, using an API or a command line interface.
> This all without changing any schema on AD

You have to extend the schema for sudo (if you store the sudo rules in AD), whether you use sssd or Samba.

> and messing with GPOs.

What is wrong with GPOs?

> freeIPA is basically AD for linux

No it isn't, it is a glorified ldap and is nothing like AD.

> (ldap + kerberos + CA + DNS) with linux specific ldap schemas. In
> this case freeIPA is not an intermediary between Samba and AD.
> freeIPA is a trusted member of the AD forest.

If you have AD <-> freeipa <-> Samba, then freeipa is an intermediate between AD and Samba.

> It can control access for AD users on linux hosts joined to it (and
> manage their sudo rules and ssh keys etc.).

Which Samba can already do or will shortly be able to do.

> Samba in this case is just a file sharing service...

Which freeipa cannot do.

> Setting samba into standalone mode (security = user) and just using a
> keytab (from freeIPA kerberos) used to work, until November updates.
> This was nice and simple... and no winbind was needed. NSS through
> sss on the linux hosts was perfectly capable of looking up both
> freeIPA and AD users and groups. With November updates this was
> changed.

Yes but there is no point to a standalone server in AD, it sort of defeats the object.

> All AD users have a special data blob attached to their kerberos
> ticket, called a PAC (Privileged Access Certificate). It contains the
> SIDs of the user and the user's groups. When samba is a domain member
> then this information is used to look up the user and groups from the
> AD domain controller (winbind does this). freeIPA by default will add
> this PAC to the service ticket the user requests. So authentication
> (since November) will fail by default.
>
> As I said this can be worked around. By either "joining" samba to
> freeIPA domain (and running winbind) or disabling the default
> behaviour of copying the PAC to the service ticket.
>
> Since November updates, if security is set to "user" (standalone
> mode) and service principal has a PAC attached authentication will
> fail.

I could go on, but I won't, it will get us nowhere.

Rowland
Jelle de Jong
2022-Feb-14 19:45 UTC
[Samba] SPNEGO login failed: The type of a token object is inappropriate for its attempted use. (centos 8 upgrade regression)
On 2/14/22 18:38, Ahti Seier via samba wrote:
> This will probably stir up the hornets' nest but it is much easier to manage
> linux hosts using freeIPA than AD and samba.
>
> FreeIPA by default allows remote management of linux hosts service access
> rules, sudo rules, certificates, ssh keys etc. through a nice web UI, using
> an API or a command line interface. This all without changing any schema on
> AD and messing with GPOs. freeIPA is basically AD for linux (ldap +
> kerberos + CA + DNS) with linux specific ldap schemas. In this case freeIPA
> is not an intermediary between Samba and AD. freeIPA is a trusted member of
> the AD forest. It can control access for AD users on linux hosts joined to
> it (and manage their sudo rules and ssh keys etc.). Samba in this case is
> just a file sharing service...
>
> Setting samba into standalone mode (security = user) and just using a
> keytab (from freeIPA kerberos) used to work, until November updates. This
> was nice and simple... and no winbind was needed. NSS through sss on the
> linux hosts was perfectly capable of looking up both freeIPA and AD users
> and groups. With November updates this was changed.
>
> All AD users have a special data blob attached to their kerberos ticket,
> called a PAC (Privileged Access Certificate). It contains the SIDs of the
> user and the user's groups. When samba is a domain member then this
> information is used to look up the user and groups from the AD domain
> controller (winbind does this). freeIPA by default will add this PAC to the
> service ticket the user requests. So authentication (since November) will
> fail by default.
>
> As I said this can be worked around. By either "joining" samba to freeIPA
> domain (and running winbind) or disabling the default behaviour of copying
> the PAC to the service ticket.
>
> Since November updates, if security is set to "user" (standalone mode) and
> service principal has a PAC attached authentication will fail.
>
> Contact Rowland Penny via samba (<samba at lists.samba.org>) wrote on
> Mon, 14 February 2022 at 18:52:
>
>> On Mon, 2022-02-14 at 18:42 +0200, Ahti Seier via samba wrote:
>>> Hello,
>>>
>>> Well, that error will occur if security = user and user tries to
>>> authenticate with a kerberos service ticket where a PAC is present. This
>>> happens for example when freeIPA is in a trust relationship with AD.
>>> FreeIPA by default will copy users PAC into service ticket. If this is the
>>> case for you there are a few possibilities: 1. in freeIPA find the
>>> cifs/yourhostname service and disable adding the PAC, 2: join samba to
>>> freeipa: in (RHEL 8 there is "ipa-client-samba" package which makes this
>>> easier):
>>
>> I have never seen the point of freeipa as an intermediary between Samba
>> and AD, you might just as well use Samba with AD, without freeipa at
>> all. Am I missing something here? What does freeipa give you in such a
>> setup?

Thank you Ahti and Rowland for your in-depth explanation and confirming that something changed in November that breaks my setup!

I use FreeIPA as primary authenticator for many Linux systems and samba as filesystem only with kerberos keys for the users to connect to samba shares. This used to work fine. There is no Windows or Samba AD server present.

I am still not sure what steps are needed to get my setup working with newer versions of samba, but my samba has a trust setup with FreeIPA, but it seems this is not enough any more.

ipa-server-trust-ad (package)

ipa-getkeytab -s freeipa01.example.lan -p cifs/samba01.example.lan -k /etc/samba/samba.keytab

I can take a look at: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm and see if I can find a solution. I will probably have to create a test setup and start over.

Jelle