Your message dated Tue, 26 Jan 2010 01:36:38 -0800
with message-id <[email protected]>
and subject line Re: Bug#566977: samba-common-bin: 'net ads join' fails against
Windows 2003 domain with 'Program lacks support for encryption type'
has caused the Debian Bug report #566977,
regarding samba-common-bin: 'net ads join' fails against Windows 2003 domain
with 'Program lacks support for encryption type'
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
566977: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba-common-bin
Version: 2:3.4.3-2
Severity: normal
After dist-upgrade from lenny to squeeze, joining an Active Directory
Windows 2003 domain fails. Even downgrading Samba to 3.2.5 from lenny
without changing kerberos libs did not help,
neither upgrading Samba to 3.4.5 from unstable
and using kerberos libs from unstable.
Kerberos itself with kinit works.
# kinit administrator
Password for [email protected]:
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
01/26/10 09:43:15 01/26/10 19:43:19 krbtgt/[email protected]
renew until 01/27/10 09:43:15, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
# net -d9 ads join -U administrator
[...]
2010/01/26 09:33:22, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks
support for encryption type
[2010/01/26 09:33:22, 1] libnet/libnet_join.c:1903(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'E-SPIRIT'
dns_domain_name : 'e-spirit.de'
forest_name : 'e-spirit.de'
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-567673327-774986681-227697207
modified_config : 0x00 (0)
error_string : 'failed to connect to AD:
Program lacks support for encryption type'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Program lacks support
for encryption type
[2010/01/26 09:33:22, 2] utils/net.c:779(main)
return code = -1
/etc/krb5.conf:
[libdefaults]
default_realm = E-SPIRIT.DE
clockskew = 600
forwardable = true
proxiable = true
[domain_realm]
.e-spirit.de = E-SPIRIT.DE
e-spirit.de = E-SPIRIT.DE
/etc/samba/smb.conf
[global]
server string = Linux-Server
security = ads
workgroup = E-SPIRIT
realm = E-SPIRIT.DE
kerberos method = system keytab
#use kerberos keytab = true
#template primary group = users
template homedir = /home/%U
template shell = /bin/bash
idmap uid = 1100-9000
idmap gid = 1100-9000
winbind uid = 1100-9000
winbind gid = 1100-9000
winbind separator = +
winbind cache time = 10
winbind use default domain = yes
winbind nested groups = yes
winbind enum users = no
winbind enum groups = no
username map = /etc/samba/smbusers
guest account = nobody
invalid users = root
encrypt passwords = true
load printers = no
map to guest = Bad User
log file = /var/log/samba/smb_%M.log
max log size = 10000
syslog = 0
local master = no
os level = 33
domain master = no
preferred master = no
domain logons = no
wins support = no
wins proxy = no
dns proxy = yes
name resolve order = host bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
veto files = /Thumbs.db/.thumbnails/.DS_Store/.xvpics/
delete veto files = yes
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages samba-common-bin depends on:
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libcap2 1:2.17-2 support for getting/setting POSIX.
ii libcomerr2 1.41.9-1 common error description library
ii libgssapi-krb5-2 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8+dfsg~alpha1-4 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.17-2.1 OpenLDAP libraries
ii libncurses5 5.7+20090803-2 shared libraries for terminal hand
ii libpopt0 1.15-1 lib for parsing cmdline parameters
ii libreadline6 6.1-1 GNU readline and history libraries
ii libtalloc2 2.0.1-1 hierarchical pool based memory all
ii libuuid1 2.16.2-0 Universally Unique ID library
ii libwbclient0 2:3.4.5~dfsg-1 Samba winbind client library
ii samba-common 2:3.4.3-2 common files used by both the Samb
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
samba-common-bin recommends no packages.
samba-common-bin suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Tue, Jan 26, 2010 at 10:09:18AM +0100, Holger Isenberg wrote:
> Package: samba-common-bin
> Version: 2:3.4.3-2
> Severity: normal
> After dist-upgrade from lenny to squeeze, joining an Active Directory
> Windows 2003 domain fails. Even downgrading Samba to 3.2.5 from lenny
> without changing kerberos libs did not help,
> neither upgrading Samba to 3.4.5 from unstable
> and using kerberos libs from unstable.
Not a bug in samba; this is a deliberate behavior change in the new upstream
release of MIT Kerberos. See /usr/share/doc/libkrb5-3/NEWS.Debian.gz for
information on re-enabling use of Kerberos with realms that don't support
higher-grade encryption.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
[email protected] [email protected]
signature.asc
Description: Digital signature
--- End Message ---
