[Freeipa-users] Kerberos / Samba authentication issue after updating to 4.9.13-10

Mon, 01 Jul 2024 05:45:52 -0700 

Hello,
We experience some problems with Kerberos / Samba authentication after updating 
our two FreeIPA servers. The issue appeared after updating the following 
packages:

ipa-server-trust-ad-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
ipa-server-dns-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
python3-ipaserver-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-4.9.13-10.modue_el8.10.0+3857+9c8da539.x86_64
python3-ipaclient-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
python3-ipalib-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-selinux-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch

We've running an Samba server which uses FreeIPA for authentication, set up 
with "ipa-client-samba". After the updates, the authentication failed.

Samba Log Error:
../../auth/gensec/spnego.c:1245(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT 
content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

krb5kdc.log Error:
krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), 
aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), 
DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED: 
authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Der 
Server-Principal ist nur für »user2user« gültig

Has anyone experienced a similar issue or an idea why the issue appeared?

Thanks,
Florian
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to