Hello, We are experiencing some problems with Kerberos / Samba authentication after updating our two FreeIPA servers. The issue appeared after updating the following packages:
ipa-server-trust-ad-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
ipa-server-dns-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
python3-ipaserver-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64
python3-ipaclient-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
python3-ipalib-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-selinux-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-server-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
ipa-client-common-4.9.13-10.module_el8.10.0+3857+9c8da539.noarch
We're running a Samba server which uses FreeIPA for authentication, set up with "ipa-client-samba". After the updates, authentication failed.
Samba Log Error: ../../auth/gensec/spnego.c:1245(gensec_spnego_server_negTokenInit_step) gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
krb5kdc.log Error: krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED: authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Server principal valid for user2user only
Has anyone experienced a similar issue or an idea why the issue appeared?
Thanks, Florian
Hello Florian,
Yes, this is a known issue. We made a mistake while backporting the upstream FreeIPA fix for CVE-2024-3183[1] to CentOS 8 Stream. It was fixed in a later merge request[2].
Upgrading to ipa-4.9.13-11 should fix this issue. If it is not available in your distribution, please ask the IPA package maintainer to release this last version.
-- Julien
[1] https://pagure.io/freeipa/c/dfd4492efd47d45bcac4ee1d32d21cae91142df8?branch=...
[2] https://gitlab.com/redhat/centos-stream/rpms/ipa/-/merge_requests/83
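For anyone checking their own servers against this report, the following Python script is an added example and not code from the FreeIPA project or from either poster. It parses krb5kdc.log request lines in MIT krb5's KDC log format, flags the TGS_REQ / SERVER NOT ALLOWED / "user2user" pattern from Florian's log, and compares an installed ipa package NVR against the 4.9.13-11 build Julien names as fixed. The sample log lines, hostnames, realms and addresses are constructed; only the first sample line follows the shape of the excerpt in the thread, with the KDC's message in its English form. The version check is a plain numeric comparison of version and release (an assumption, not rpmvercmp) and is only meaningful for packages from the same CentOS Stream 8 module stream.

```python
"""Check a FreeIPA KDC for the symptom reported in this thread.

Added example; not code from the FreeIPA project or from either poster.
Assumptions are marked in comments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The first line mirrors the shape of the krb5kdc.log
# excerpt in the thread (no client address, German-locale "(Information)"
# level) with the error text in its English form; the other lines are made
# up and use placeholder hosts, realms and addresses.
SAMPLE_LOG = """\
Jul 01 14:20:03 ipa1.ipa.test krb5kdc[1903](Information): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) SERVER NOT ALLOWED: authtime 0, etypes {rep=UNSUPPORTED:(0)} user@ad for cifs/host@IPA Server principal valid for user2user only
Jul 01 14:20:09 ipa1.ipa.test krb5kdc[1903](info): TGS_REQ (4 etypes {18 17 23 24}) 192.0.2.25: ISSUE: authtime 1719836401, etypes {rep=18 tkt=18 ses=18}, user@AD.TEST for HTTP/ipa1.ipa.test@IPA.TEST
Jul 01 14:20:15 ipa1.ipa.test krb5kdc[1903](info): AS_REQ (4 etypes {18 17 23 24}) 192.0.2.30: ISSUE: authtime 1719836415, etypes {rep=18 tkt=18 ses=18}, alice@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST
Jul 01 14:20:21 ipa1.ipa.test krb5kdc[1903](info): TGS_REQ (4 etypes {18 17 23 24}) 192.0.2.25: SERVER NOT ALLOWED: authtime 1719836401, etypes {rep=UNSUPPORTED:(0)} user@AD.TEST for cifs/fs1.ipa.test@IPA.TEST, Server principal valid for user2user only
"""

# Field order follows MIT krb5's KDC request log line:
#   <kind> (<n> etypes {...}) [<addr>:] <status>: authtime <t>, etypes {...}[,] <client> for <server>[, <message>]
KDC_LINE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>[^)]*)\):\s+"
    r"(?P<kind>AS_REQ|TGS_REQ)\s+\(\d+ etypes \{(?P<req_etypes>[^}]*)\}\)\s+"
    r"(?:(?P<addr>[0-9A-Fa-f.:\[\]]+):\s+)?"
    r"(?P<status>[A-Z][A-Z_ ]*?):\s+authtime (?P<authtime>\d+),\s+"
    r"etypes \{(?P<rep_etypes>[^}]*)\},?\s+"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
    r"(?:,?\s+(?P<message>.*))?$"
)


def parse_etypes(field: str) -> List[int]:
    """Extract etype numbers from 'aes256-cts-hmac-sha1-96(18), ...',
    '18 17 23 24' or 'rep=18 tkt=18 ses=18' style fields."""
    out = []
    for tok in field.replace(",", " ").split():
        m = re.search(r"(?:^|[=(])(-?\d+)\)?$", tok)
        if m:
            out.append(int(m.group(1)))
    return out


@dataclass
class KdcEvent:
    kind: str
    status: str
    client: str
    server: str
    req_etypes: List[int]
    rep_etypes: List[int]
    message: str
    addr: Optional[str]


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for an AS_REQ/TGS_REQ log line, else None."""
    m = KDC_LINE.search(line.rstrip())
    if not m:
        return None
    return KdcEvent(
        kind=m["kind"], status=m["status"], client=m["client"], server=m["server"],
        req_etypes=parse_etypes(m["req_etypes"]), rep_etypes=parse_etypes(m["rep_etypes"]),
        message=m["message"] or "", addr=m["addr"],
    )


def realm(principal: str) -> str:
    """Realm part of a principal name ('' if none)."""
    return principal.rsplit("@", 1)[-1] if "@" in principal else ""


def is_user2user_rejection(ev: KdcEvent) -> bool:
    """The thread's symptom: a TGS_REQ for an ordinary service principal refused
    with SERVER NOT ALLOWED and the KDC saying the server is user2user-only.
    The token 'user2user' survives locale translation of the message."""
    return (ev.kind == "TGS_REQ" and ev.status == "SERVER NOT ALLOWED"
            and "user2user" in ev.message.lower())


def scan_log(text: str) -> List[KdcEvent]:
    """All events in the log text that match the user2user rejection symptom."""
    return [ev for ev in map(parse_kdc_line, text.splitlines())
            if ev and is_user2user_rejection(ev)]


# Threshold from Julien's reply: the fixed CentOS Stream 8 build is ipa-4.9.13-11.
# Assumption: plain numeric comparison of version and release, a simplification
# of rpmvercmp that is only meaningful for packages from the same stream.
FIXED_VERSION, FIXED_RELEASE = (4, 9, 13), 11


def is_fixed_ipa_build(nvr: str) -> bool:
    """True if an ipa package NVR is at or above the 4.9.13-11 build."""
    m = re.search(r"-(\d+(?:\.\d+)*)-(\d+)", nvr)
    if not m:
        raise ValueError(f"cannot find version-release in {nvr!r}")
    version = tuple(int(p) for p in m.group(1).split("."))
    return (version, int(m.group(2))) >= (FIXED_VERSION, FIXED_RELEASE)


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        scope = "cross-realm" if realm(ev.client) != realm(ev.server) else "same-realm"
        print(f"{ev.client} -> {ev.server} ({scope}): {ev.status}: {ev.message}")
    for pkg in ("ipa-server-4.9.13-10.module_el8.10.0+3857+9c8da539.x86_64",
                "ipa-server-4.9.13-11.module_el8.10.0+3857+9c8da539.x86_64"):
        print(pkg, "fixed" if is_fixed_ipa_build(pkg) else "AFFECTED")
```

To run it on a real server, pass the contents of /var/log/krb5kdc.log to scan_log() and the output of `rpm -q ipa-server` to is_fixed_ipa_build(); the script itself only exercises the constructed sample. A cross-realm client (an AD trust user, as in Florian's log) combined with a user2user-only rejection for a cifs/ principal is the pattern to look for.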
On Mon, Jul 1, 2024 at 2:45 PM Florian Spicher via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: