Wilkinson, Alex
2010-Feb-11 12:00 UTC
[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Hi all,

According to this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

This particular error is actually a bug in the samba code.

Does anyone know if there are patches that fix this ?

Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :(

Has anyone got a working solution for this ?

 -Alex

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
Wilkinson, Alex
2010-Feb-13 02:25 UTC
[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Anyone ?

 -Alex

On Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:

>Hi all,
>
>According to this bug report:
>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
>
>This particular error is actually a bug in the samba code.
>
>Does anyone know if there are patches that fix this ?
>
>Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :(
>
>Has anyone got a working solution for this ?
>
> -Alex
Robert LeBlanc
2010-Feb-16 22:25 UTC
[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
On Tue, Feb 16, 2010 at 2:48 PM, Rob Townley <rob.townley at gmail.com> wrote:

> On Tue, Feb 16, 2010 at 12:30 PM, Robert LeBlanc <robert at leblancnet.us> wrote:
>
>> I tried this on Debian Squeeze (edited
>> /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME) and when I restart winbind,
>> the file is clobbered back to the original. I think this is in conjunction
>> with a bug from Kerberos where if DES is specified as a supported type, even
>> if something else better is specified, Kerberos refuses to play.
>>
>> Here is what 3.4.5 is showing:
>> default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>> default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>> preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>
>> It would be nice to have some sort of fix/workaround for this, it seems to
>> have blindsided us.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>
> i assume you meant to post to the list, not just me. But since some IT
> people would be uncomfortable letting the general public know they use DES,
> i didn't forward your name to the list.
>
> i had the same problem and thought i had it licked by disabling the winbind
> service, but i have so many machines i am not sure which machine i may have
> got the config to stick. If your domain functional level is Win2000, not
> Win2003, then i am not sure it will take anything better than DES. i would
> hope so, but i don't know for certain. Using the windows kerberos tools
> like kerbtray.exe would tell you what your ADS accepts. Watch that MSDN
> video.
>
> i have a suspicion that ADS will list DES as acceptable but tells Windows
> Workstations to never request DES through Group Policy Objects. So the
> problem never surfaces on windows. In the ADS Active Directory Users and
> Computers, clicking on the details of a user and maybe a machine, at the
> very bottom of a long scroll down list, there is a place to allow DES.
> Unless that is checked, i don't see any reason for ADS to ever offer DES,
> but i suspect it does.
>
> My ADS is messed up now and needs to be redone. Until then and when i can
> do some extensive testing, i am not going to blame MS.

Reply to list/user gets me again!

Anyway, we are at 2008 functional level, so I don't think our domain is even accepting DES. It looks like Debian has a fix in libkrb5 that has another two days in sid, then will be migrated to Squeeze. I think that will fix the problem (crossing fingers) as RC4-HMAC is listed as an acceptable encryption type and the bug in kerberos was dropping the entire encryption request if DES was one of the encryption types. I think the fix now only drops the DES encryption types out of the available list. So in my krb5.conf.NETBIOSNAME example above, if the DCs don't like RC4-HMAC, then I'm out of luck as it won't try DES even though it is listed.

Thanks for the reply.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
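
Added example, not part of the original posts and not Samba or libkrb5 code: a small audit of the enctype lines quoted above, showing what remains usable when single-DES is disallowed under the two behaviours the thread describes (whole list rejected versus only DES dropped). The sample file, the realm name and the rule that "weak" means names starting with "des-" are assumptions made for illustration.

```python
import re

# Constructed sample: the three enctype lines quoted in the thread, placed in
# a [libdefaults] section; the realm name is a placeholder.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")


def is_weak(enctype):
    # Assumption: "weak" means single DES (des-cbc-crc, des-cbc-md5, ...).
    # Triple DES names start with "des3-" and are not matched here.
    return enctype.lower().startswith("des-")


def parse_enctypes(text):
    """Return {setting: [enctype, ...]} for the enctype lines in krb5.conf text."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s*=\s*(.*)$", line.strip())
        if m and m.group(1) in ENCTYPE_KEYS:
            # Values may be separated by whitespace or commas.
            found[m.group(1)] = m.group(2).replace(",", " ").split()
    return found


def audit(text):
    """Per setting: weak entries and the usable list under each behaviour."""
    report = {}
    for key, enctypes in parse_enctypes(text).items():
        weak = [e for e in enctypes if is_weak(e)]
        report[key] = {
            "weak": weak,
            # Behaviour the thread attributes to the bug: one DES entry
            # invalidates the whole list.
            "usable_reject_all": [] if weak else enctypes,
            # Behaviour the thread attributes to the fix: only DES is dropped.
            "usable_filtered": [e for e in enctypes if not is_weak(e)],
        }
    return report


if __name__ == "__main__":
    for key, row in audit(SAMPLE).items():
        print(key, row)
```

An empty `usable_filtered` list for a setting would mean the client has nothing left to offer once DES is dropped, which is the "out of luck" case mentioned in the last message.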