Hello,
We experience some problems with Kerberos / Samba authentication after updating our two FreeIPA servers. The issue appeared after updating the following packages:
ipa-server-trust-ad-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
ipa-server-dns-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
python3-ipaserver-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-4.9.13-10.modue_el8.10.0+3857+9c8da539.x86_64
python3-ipaclient-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
python3-ipalib-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-selinux-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
We've running an Samba server which uses FreeIPA for authentication, set up with "ipa-client-samba". After the updates, the authentication failed.
Samba Log Error:
../../auth/gensec/spnego.c:1245(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
krb5kdc.log Error:
krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED: authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Der Server-Principal ist nur für »user2user« gültig
Has anyone experienced a similar issue or an idea why the issue appeared?
Thanks,
Florian