Hello Florian,

Yes, this is a known issue. We made a mistake while backporting the upstream FreeIPA fix for CVE-2024-3183[1] to CentOS 8 Stream. It was fixed in a later merge request[2].

Upgrading to ipa-4.9.13-11 should fix this issue. If it is not available in your distribution, please ask the IPA package maintainer to release this last version.

--
Julien

[1] https://pagure.io/freeipa/c/dfd4492efd47d45bcac4ee1d32d21cae91142df8?branch=master
[2] https://gitlab.com/redhat/centos-stream/rpms/ipa/-/merge_requests/83

On Mon, Jul 1, 2024 at 2:45 PM Florian Spicher via FreeIPA-users <[email protected]> wrote:
>
> Hello,
> We experience some problems with Kerberos / Samba authentication after
> updating our two FreeIPA servers. The issue appeared after updating the
> following packages:
>
> ipa-server-trust-ad-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
> ipa-server-dns-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
> python3-ipaserver-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> ipa-client-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
> python3-ipaclient-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> python3-ipalib-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> ipa-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> ipa-selinux-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> ipa-server-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
> ipa-client-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
>
> We're running a Samba server which uses FreeIPA for authentication, set up
> with "ipa-client-samba". After the updates, the authentication failed.
>
> Samba Log Error:
> ../../auth/gensec/spnego.c:1245(gensec_spnego_server_negTokenInit_step)
> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
> content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
> krb5kdc.log Error:
> krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18),
> aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23),
> DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED:
> authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Der
> Server-Principal ist nur für »user2user« gültig
> [German; in English: "The server principal is only valid for »user2user«"]
>
> Has anyone experienced a similar issue or an idea why the issue appeared?
>
> Thanks,
> Florian
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
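Added example, not part of the thread and not FreeIPA project code: a small POSIX shell script that does the two checks a CentOS Stream 8 IPA administrator would want after reading Julien's reply. It parses the package string that `rpm -q ipa-server` prints (the same name-version-release.dist.arch form as in Florian's package list) and reports whether the installed build is at or above the one named as fixed, ipa-4.9.13-11, and it counts krb5kdc.log lines that carry the symptom in Florian's excerpt (a TGS_REQ rejected with "SERVER NOT ALLOWED" and a user2user reason). The fixed version/release, the sample package strings and the sample log lines are constructed from the thread; the thread only confirms 4.9.13-10 as broken and 4.9.13-11 as fixed, so anything older is reported merely as "older", not as confirmed affected.

```sh
#!/bin/sh
# Added example; not code from this thread or from the FreeIPA project.
# Check 1: is an installed ipa package at or above the build named as fixed
#          in the reply above (ipa-4.9.13-11)?  Input: an `rpm -q` NVR string.
# Check 2: do krb5kdc.log lines show the symptom Florian posted, a TGS_REQ
#          rejected with "SERVER NOT ALLOWED" and a user2user reason?
# The package strings and log lines at the bottom are constructed sample
# input modelled on the ones quoted in the thread.

FIXED_VERSION=4.9.13   # version-release confirmed as fixed in the thread
FIXED_RELEASE=11

# cmp_dotted A B: print -1, 0 or 1 after comparing two dotted numeric strings
# component by component, so 4.9.13 < 4.9.14 and 4.9.13 < 4.10.0.
cmp_dotted() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# ipa_nvr_version NVR: print "VERSION RELEASE" from an rpm -q style string
# such as ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
# (the release is cut at the first dot, which drops the module/dist tag).
ipa_nvr_version() {
    printf '%s\n' "$1" |
        sed -n 's/^.*-\([0-9][0-9.]*\)-\([0-9][0-9]*\)\..*$/\1 \2/p'
}

# ipa_build_is_fixed NVR: print "fixed" when VERSION-RELEASE is at or above
# 4.9.13-11 (exit 0), "older" when below it (exit 1), "unknown" when the
# string does not parse (exit 2).
ipa_build_is_fixed() {
    set -- $(ipa_nvr_version "$1")
    if [ $# -ne 2 ]; then
        echo unknown
        return 2
    fi
    case $(cmp_dotted "$1" "$FIXED_VERSION") in
        -1) echo older; return 1 ;;
        1)  echo fixed; return 0 ;;
    esac
    if [ "$2" -ge "$FIXED_RELEASE" ]; then
        echo fixed
        return 0
    fi
    echo older
    return 1
}

# kdc_symptom_count: read krb5kdc.log lines on stdin and print how many show
# the failure from the thread.  The reason text is localized (Florian's KDC
# logs it in German), so match the "user2user" token, not a full sentence.
kdc_symptom_count() {
    grep -c 'TGS_REQ.*SERVER NOT ALLOWED.*user2user' || true
}

# Constructed sample log: one issued ticket and one rejection like Florian's
# (his line was wrapped by the mail client; the KDC writes it on one line).
SAMPLE_KDC_LOG=$(cat <<'EOF'
krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) ISSUE: authtime 1719835331, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user@ad for cifs/host@IPA
krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED: authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Der Server-Principal ist nur für »user2user« gültig
EOF
)

# Stand-alone run over the constructed samples.  On a real server feed
# `rpm -q ipa-server` and /var/log/krb5kdc.log into the functions instead.
for nvr in ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64 \
           ipa-server-4.9.13-11.module_el8.10.0+3857+9c8da539.x86_64; do
    printf '%-64s %s\n' "$nvr" "$(ipa_build_is_fixed "$nvr")"
done
printf 'user2user rejections in sample krb5kdc.log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_KDC_LOG" | kdc_symptom_count)"
```

A non-zero count from the log check together with "older" from the package check is the combination described in the thread; after the upgrade the package check should print "fixed" and new TGS_REQ lines for cifs/host@IPA should log ISSUE rather than SERVER NOT ALLOWED.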
