On 01/26/2010 12:44 AM, Christian PERRIER wrote:
Quoting Jeremy Allison ([email protected]):
On Mon, Jan 25, 2010 at 11:14:31AM -0600, Dale Schroeder wrote:
This time, it seems to be an ADS specific winbind error.
I have attempted with the current kernel - 2.6.32-trunk-686 and the
previous kernel - 2.6.30-2-686.
What kind of encryption change has occurred, and which program is it
referring to as lacking the encryption type - samba or krb5?
This is a krb5 error. Try upgrading the krb5 libraries ?
Dale, can you send the output of "dpkg -s libkrb5-3"
Sam Hartman is working hardly on krb5 these days. I can't check right
now but it's highly probable that Debian testing hasn't the same
version than unstable (1.7 in testing, 1.8 in unstable).
So, Jeremy's advice is probably worth it if you have 1.7 version of
krb5 and if that solves your problems, then we might need to update
dependencies in samba packages.
Actually, I think it was the upgrade to 1.8 that caused the problem.
Steve Langasek informed me that DES is disabled by default in 1.8 and
gave me a link to
documentation that indicated I need this in krb5.conf under [libdefaults]:
allow_weak_crypto=true
__________________________________________________________________
dpks -s libkrb5-3
Package: libkrb5-3
Status: install ok installed
Priority: standard
Section: libs
Installed-Size: 888
Maintainer: Sam Hartman<[email protected]>
Architecture: i386
Source: krb5
Version: 1.8+dfsg~alpha1-4
Replaces: libkrb53 (<< 1.6.dfsg.4~beta1-7)
Depends: libc6 (>= 2.9), libcomerr2 (>= 1.34), libk5crypto3 (>=
1.8+dfsg~alpha1), libkeyutils1, libkrb5support0 (= 1.8+dfsg~alpha1-4)
Suggests: krb5-doc, krb5-user
Conflicts: libapache-mod-auth-kerb (<= 4.996-5.0-rc6-2), libapache2-mod-auth-kerb (<=
4.996-5.0-rc6-2), ssh-krb5 (<< 3.8.1p1-10)
Description: MIT Kerberos runtime libraries
Kerberos is a system for authenticating users and services on a network.
Kerberos is a trusted third-party service. That means that there is a
third party (the Kerberos server) that is trusted by all the entities on
the network (users and services, usually called "principals").
.
This is the MIT reference implementation of Kerberos V5.
.
This package contains the runtime library for the main Kerberos v5 API
used by applications and Kerberos clients.
Homepage:http://web.mit.edu/kerberos/
_____________________________________________________________________
Enabling DES has only been mostly successful. One system running stable
(3.2.5) could now rejoin the domain, shares are accessible, but getent
and wbinfo give no output.
The other system running testing (3.4.3) still gives the encryption
error on a testjoin, shows correct info with getent and wbinfo (now
minus the panics), and allows access to shares
based on user permissions, but fails with group permissions. An attempt
to rejoin the domain still fails. However, winbind has never worked for
me in testing, so this doesn't really
mean much.
I see that libkrb5-3 is being updated again today to 1.8+dfsg~alpha1-5
and will try it as soon as apt-get update quits throwing "Hash sum
mismatch" errors.
Additionally, I will attempt Samba unstable (3.4.5).
There are still errors, but things are improving. Advice is very welcome.
Thanks,
Dale
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
