-----Original message----- From: Jeremy Allison [email protected] Date: Sat, 13 Feb 2010 22:09:31 -0600 To: [email protected] Subject: Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lackssupportfor encryption type [SEC=UNCLASSIFIED]
> On Sat, Feb 13, 2010 at 01:35:12PM -0600, [email protected] > wrote: > > Alex, > > > > I've been a victim of this since Day 1. After a lot of reading and > > emailing, it comes down to this. libkrb5-3 version 1.8x by default > > disallows DES encryption. /etc/krb5.conf can be changed to allow weak > > encryption, but as it relates to Samba, is only effective in letting the > > system join the domain. For it's internal functioning, winbind uses an > > autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has > > no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of > > libkrb5-3 in Debian, has taken over the responsibility of fixing that > > package, rather than the Samba maintainers doing a change there. In the > > interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope > > this fix is soon coming. > > In Samba 3.5.0 there is a parameter "create krb5 conf" that controls > if this private krb5.conf file is created or not. Would it be helpful > for this to be back ported to earlier versions ? > > Jeremy. Thank you for asking, Jeremy. That sounds like a great idea. I'm assuming that samba/winbind would look at /etc/krb5.conf if the private one is not created. On the other hand, if libkrb5-3 is soon to be fixed, then all that work might not be necessary. Perhaps someone at Debian could inform us of the current status. I know that at one time, Christian Perrier was following this. Dale -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
