Hello,
We experience some problems with Kerberos / Samba authentication after updating
our two FreeIPA servers. The issue appeared after updating the following
packages:
ipa-server-trust-ad-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
ipa-server-dns-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
python3-ipaserver-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-4.9.13-10.modue_el8.10.0+3857+9c8da539.x86_64
python3-ipaclient-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
python3-ipalib-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-selinux-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
We've running an Samba server which uses FreeIPA for authentication, set up
with "ipa-client-samba". After the updates, the authentication failed.
Samba Log Error:
../../auth/gensec/spnego.c:1245(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
krb5kdc.log Error:
krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18),
aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23),
DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED:
authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Der
Server-Principal ist nur für »user2user« gültig
Has anyone experienced a similar issue or an idea why the issue appeared?
Thanks,
Florian
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue