I just patched our domain controllers with MS06-035 because it said it was just fixing a couple of memory leak problems with SMB in srvsvc. Now, this afternoon, one of my colleagues tried to join a FC5 machine to our active directory using the recipe that we have been using for years (which worked yesterday, according to him), and it fails on "net ads join". No changes have been made to the domain controllers other than the Black Tuesday patches. Here's a log dump from "net -d4 ads join". We get the error: [2006/07/12 15:55:14, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571) verify_service_password: get_service_ticket failed: KDC has no support for encryption type The krb5.conf was copied from the machine that worked yesterday. The computer account actually made it into the active directory despite the errors, apparently. In trying to debug the problems I deleted the computer account from AD, had him shut down smb and winbind, had him clear out /var/log/samba and the secrets file in /etc/samba and restart our recipe to add the stuff to the domain. He reported after that procedure that the computer was able to join the domain, but now authentication fails when trying to log in. Any ideas of what's going on? Need more info? Did MS sneak some more changes into the server service that they aren't talking about in that patch? Thanks, Alan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan Munter wrote:> I just patched our domain controllers with MS06-035 > because it said it was just fixing a couple of memory > leak problems with SMB in srvsvc. > > Now, this afternoon, one of my colleagues tried to > join a FC5 machine to our active directory using > the recipe that we have been using for years > (which worked yesterday, according to him), and > it fails on "net ads join". > > No changes have been made to the domain controllers > other than the Black Tuesday patches. > > Here's a log dump from "net -d4 ads join". We get the error:What version of Samba is this 3.0.22 ?> [2006/07/12 15:55:14, 3] > libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571) > verify_service_password: get_service_ticket failed: KDC has no support > for encryption typeIgnore that. It's not the issue.> Any ideas of what's going on? Need more info? Did MS > sneak some more changes into the server service that > they aren't talking about in that patch?Need more details. What do level 10 debug logs from smbd tell you about the failed authentication? cheers, jerry ====================================================================Samba ------- http://www.samba.org Centeris ----------- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFEtohnIR7qMdg1EfYRAlO/AJ9ayrX6gv5i/gZTj3e3kwaEuGt/YgCg5VHH z8tgyDXn3E9gARdvBrBCiFE=GL0Z -----END PGP SIGNATURE-----