E R
2023-Feb-03 23:36 UTC
[Samba] FYI: One Possible Resolution to "KDC has no support for encryption type"
As part of continuous improvement I wanted to update my Samba AD member server (ads) to flip the setting for "kerberos encryption types" from the default of "all" to "strong" to move one step closer to getting rid of RC4 as I know that is coming. But when I ran a "net ads join -U administrator" I received an error "kerberos_kinit_password Administrator at DOMAIN.COM failed: KDC has no support for encryption type". Curiously the domain join actually appeared to work as I had an AD object for the Samba server in the Windows AD. If I used my own account for the domain join, I did not receive the error message. And changing the setting back to "all" did not cause the error message to appear.

After quite a bit of reading and reviewing settings, what I found was that the password for this account has not been changed since the AD forest was changed from a functional level of 2003 to 2012 R2. As I understand the AES tech was added in Server 2008/Windows 7. I changed the password twice (once to a new password and again back to the same password since there are undoubtedly things using the password).

Voilà! No more error message when I join the domain with the domain administrator account and I feel confident that I can now set the option to use "strong" on the production server in the near future.
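A check that follows from the message above, added here as an example and not part of the original post: it reads an LDIF export of `sAMAccountName` and `pwdLastSet` and lists accounts whose password predates the date the domain gained AES support, so they can be reset before "strong" is enforced. The sample LDIF, the `example.com` names, the `jdoe` and `svc-backup` accounts and the cutoff date are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: ldapsearch-style LDIF for three accounts (not real data).
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
pwdLastSet: 128752416000000000

dn: CN=jdoe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
pwdLastSet: 133198560000000000

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
pwdLastSet: 0
"""

# Assumption: the date this domain first had AES-capable DCs; substitute your own.
CUTOFF = datetime(2015, 6, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    # pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_ldif(text):
    # Minimal parser: blank-line separated entries, plain "attr: value" lines only
    # (base64 "attr:: value" lines and folded lines are ignored).
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key] = value
        if "sAMAccountName" in attrs:
            entries.append(attrs)
    return entries

def stale_accounts(ldif_text, cutoff):
    # Returns (account, password_set_time) for passwords older than the cutoff.
    # pwdLastSet 0 carries no timestamp, so it is reported with None for manual review.
    flagged = []
    for entry in parse_ldif(ldif_text):
        ft = int(entry.get("pwdLastSet", "0"))
        when = filetime_to_dt(ft) if ft else None
        if when is None or when < cutoff:
            flagged.append((entry["sAMAccountName"], when))
    return flagged

if __name__ == "__main__":
    for name, when in stale_accounts(SAMPLE_LDIF, CUTOFF):
        print(name, when.date() if when else "no pwdLastSet timestamp")
```
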