search for: allow_weak_crypto

Displaying 20 results from an estimated 26 matches for "allow_weak_crypto".

2010 Feb 13
3
ads_sasl_spnego_krb5_bind failed: Program lacks supportfor encryption type [SEC=UNCLASSIFIED]
...S encryption. /etc/krb5.conf can be changed to allow weak encryption, but as it relates to Samba, is only effective in letting the system join the domain. For it's internal functioning, winbind uses an autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of libkrb5-3 in Debian, has taken over the responsibility of fixing that package, rather than the Samba maintainers doing a change there. In the interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope this fix is soon coming. Dale -----Origin...
2014 Apr 25
2
problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
...:backend = ad idmap config MYDOMAIN:schema_mode = rfc2307 idmap config MYDOMAIN:range = 500-40000 winbind nss info = rfc2307 [test] path = /srv/samba/test read only = no | krb5.conf: |[libdefaults] default_realm = MYDOMAIN.COM ticket_lifetime = 24000 allow_weak_crypto = yes [realms] MYDOMAIN.COM = { kdc = my.domain.com admin_server = my.domain.com default_domain = MYDOMAIN.COM } [domain_realm] .mydomain.com = MYDOMAIN.COM mydomain.com = MYDOMAIN.COM [login] krb4_convert = true...
2010 Feb 11
2
ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Hi all, According to this bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977 This particular error is actually a bug in the samba code. Does anyone know if there are patches that fix this ? Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :( Has anyone got a working solution for this ? -Alex IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this...
2017 Nov 09
3
Slow Kerberos Authentication
Hai, You may need to add the the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-...
2012 Oct 17
1
Win2k auth on named share fails on mixed Windows network.
...my guess is that it is not being permitted for some reason. I postulate that it's considered a weak type, so I propose to permit weak encryption types. Questions: 1. If for example I were to make a change in /etc/krb5.conf to permit less secure encryption types by setting [libdefaults] allow_weak_crypto = 1 do I have to restart Samba for the change to take effect? The reason for the question is that restarting Samba in this situation causes a good deal of grief for the users, so I'd rather not have to do it. 2. Is there a way to ask Samba what encryption types will be allowed and what types...
2019 Oct 08
4
Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
...for several days, to make it work I used ktutils and adding the spn again to have 109. my /etc/krb5.conf: [Libdefaults] default_realm = DOM.CORP default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1 allow_weak_crypto = true dns_lookup_kdc = true dns_lookup_realm = false forwardable = true proxiable = true kdc_timesync = 1 debug = false any help ? :)
2010 Feb 14
0
ads_sasl_spnego_krb5_bind failed: Program lackssupportfor encryption type [SEC=UNCLASSIFIED]
...S encryption. /etc/krb5.conf can be changed to allow weak encryption, but as it relates to Samba, is only effective in letting the system join the domain. For it's internal functioning, winbind uses an autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of libkrb5-3 in Debian, has taken over the responsibility of fixing that package, rather than the Samba maintainers doing a change there. In the interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope this fix is soon coming. > > In Samba...
2017 Nov 10
2
Slow Kerberos Authentication
...ros Authentication Thanks, however that didn't work even after a reboot, still the same error. On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: Hai, You may need to add the the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha...
2016 Jun 27
3
Looking for GSSAPI config [was: Looking for NTLM config example]
...ar/log/kadmind.log [libdefaults] dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false default_realm = GCECAD-SERVICE.LOCAL default_keytab_file = /etc/krb5.keytab default_ccache_name = KEYRING:persistent:%{uid} allow_weak_crypto = true default_tkt_enctypes = arcfour-hmac-md5 default_tgs_enctypes = arcfour-hmac-md5 permitted_enctypes = arcfour-hmac-md5 [appdefaults] pam = { debug = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true krb4_convert = false } [realms] GCECAD-SERVICE.L...
2017 Nov 10
0
Slow Kerberos Authentication
...: Re: [Samba] Slow Kerberos Authentication Thanks, however that didn't work even after a reboot, still the same error. On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: Hai, You may need to add the the following in krb5.conf [libdefaults]  allow_weak_crypto = true ; for Windows 2003 ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES     default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-...
2013 Jun 05
3
Samba4 and NVSv4
...;no change" means that it still does not work and gives the same exact errors: - verified that /etc/idmapd.conf on all systems has the same domains and realms. This works anyway with sec=sys. - reduced the keytab to the DES enctypes for nfs/... on all systems; no change. - used "allow_weak_crypto=true" in /etc/krb5.conf; no change. - set default_tgs_enctypes and default_tkt_enctypes to "des-cbc-md5 des-cbc-md4 des-cbc-crc" in /etc/krb5.conf; no change. - tried adding the service principals on the DC with "samba-tool spn add" instead of "net ads keytab a...
2013 Jun 05
3
Samba4 and NVSv4
...;no change" means that it still does not work and gives the same exact errors: - verified that /etc/idmapd.conf on all systems has the same domains and realms. This works anyway with sec=sys. - reduced the keytab to the DES enctypes for nfs/... on all systems; no change. - used "allow_weak_crypto=true" in /etc/krb5.conf; no change. - set default_tgs_enctypes and default_tkt_enctypes to "des-cbc-md5 des-cbc-md4 des-cbc-crc" in /etc/krb5.conf; no change. - tried adding the service principals on the DC with "samba-tool spn add" instead of "net ads keytab a...
2017 Jan 12
2
Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
...MGEN.0ZONE is the domain_member_file_server It comes not that far, that the user name would be logged with an error... No error on the AD-DC concerning the name of the client machine or test user. Supposing some weak encryption of the old WindowsXP I tried on the domain_member_file_server to put allow_weak_crypto = true ...in it's krb5.conf, but with no success. ON THE AD-DC # net ads enctypes list hg004$ no msDS-SupportedEncryptionTypes attribute found Did someone got around such a behavior? Thanks rawi -- View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Window...
2018 Feb 05
1
Using Samba AD for NFSV4 Kerberos servers and clients
...rb5.conf #################### [logging]  default = SYSLOG:INFO:DAEMON  kdc = SYSLOG:INFO:DAEMON  admin_server = SYSLOG:INFO:DAEMON [libdefaults]  default_realm = EXAMPLE.COM  dns_lookup_realm = false  dns_lookup_kdc = false  ticket_lifetime = 10h  renew_lifetime = 7d  forwardable = true  allow_weak_crypto = true [realms]  EXAMPLE.COM = {    default_domain = example.com    master_kdc= domserver1.example.com    kdc=domserver1.example.com    kdc=domserver2.example.com    admin_server=domserver1.example.com  } [domain_realm]  example.com = EXAMPLE.COM  subnet1.example.com = EXAMPLE.COM  .sub...
2016 Jul 13
1
CentOS 6.8 + Samba4 + Kerberos: No credentials cache found
...r = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYDOMAIN.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true # Note: Heimdal 1.3.1 deprecated DES encryption which is required for A`D authentication before Windows Server 2008. allow_weak_crypto = true [realms] MYDOMAIN.COM = { kdc = MYDOMAIN1.MYDOMAIN.com:88 kdc = MYDOMAIN2.MYDOMAIN.com:88 admin_server = MYDOMAIN1.MYDOMAIN.com:749 } [domain_realm] MYDOMAIN.com = MYDOMAIN.COM .MYDOMAIN.com = MYDOMAIN.COM nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap...
2024 Jul 09
1
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
...# includedir /etc/krb5.conf.d/ [logging] ?default = SYSLOG:INFO:DAEMON ?kdc = SYSLOG:INFO:DAEMON ?admin_server = SYSLOG:INFO:DAEMON [libdefaults] default_realm =EXAMPLE.ORG ?dns_lookup_realm = false ?dns_lookup_kdc = false ?ticket_lifetime = 10h ?renew_lifetime = 7d ?forwardable = true ?allow_weak_crypto = true ?default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ?default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 udp_preference_limit = 0 [realms] ?EXAMPLE.OEG = { ?? default_domain = EXAMPLE.ORG ?? master_kdc= DC1.EXAMPLE.ORG ?? kdc=...
2017 Nov 11
0
Slow Kerberos Authentication
...r. > > On 9 Nov 2017 16:05, "L.P.H. van Belle via samba" < > samba at lists.samba.org> wrote: > Hai, > > You may need to add the the following in krb5.conf > > [libdefaults] > allow_weak_crypto = true > > ; for Windows 2003 > ; default_tgs_enctypes = rc4-hmac des-cbc-crc > des-cbc-md5 > ; default_tkt_enctypes = rc4-hmac des-cbc-crc > des-cbc-md5 > ; permitted_enctypes = rc4-hmac des-cbc-crc des-c...
2024 Jul 09
2
session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN
On Tue, 9 Jul 2024 11:31:04 -0400 Luc Lalonde via samba <samba at lists.samba.org> wrote: > Hello, > > This problem has come back for me and I can't seem to get around it. > > When I try to access a share, I get this error: > > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN > > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): >
2019 Nov 07
2
net ads join explication ?
...195.220.xx.10 ----------- ?????? Checking file: /etc/krb5.conf [libdefaults] ??? default_realm = SAMBADOM.CALAIS.FR ??? kdc_timesync =1 ??? ccache_type = 4 ??? forwardable = true ??? proxiable = true ??? dns_lookup_realm = false ??? dns_lookup_kdc = true #fcc-mit-ticketflags = true #allow_weak_crypto = true #default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 #default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-ct...
2019 Nov 07
0
net ads join explication ?
...t; [libdefaults] > ??? default_realm = SAMBADOM.CALAIS.FR > ??? kdc_timesync =1 > ??? ccache_type = 4 > ??? forwardable = true > ??? proxiable = true > ??? dns_lookup_realm = false > ??? dns_lookup_kdc = true > > > > #fcc-mit-ticketflags = true > > #allow_weak_crypto = true > #default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 > #default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 > > default_tgs_enctypes = aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 > rc4-hmac des-cbc-crc des-cbc-md5 > default_tkt_enctypes...