Bug#566977: samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type'

As I reported in launchpad for ubuntu (https://bugs.launchpad.net/ubuntu/+source/samba/+bug/512459), adding allow_weak_crypto = true to krb5.conf does not solve the problem for me:

# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- LAB
Joined 'VML-AMB' to realm 'mydomain.it'
[2010/01/26 17:06:10, 0] libads/kerberos.c:332(ads_kinit_password)
  kerberos_kinit_password vml-a...@mydomain.it failed: Preauthentication failed

The machine was apparently joined to the domain, but I cannot login with my domain credentials, getting always an authentication failure. getent passwd lists local users only.

The file log.wb-LAB contains these lines:

[2010/01/26 17:02:38, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
  cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2010/01/26 17:02:38, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Program lacks support for encryption type
[2010/01/26 17:02:39, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
  cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2010/01/26 17:02:39, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
  cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2010/01/26 17:02:39, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2010/01/26 17:02:39, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain LAB failed: Program lacks support for encryption type
Bug#566977: samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type'

reopen 566977
thanks

On Wed, Jan 27, 2010 at 09:30:15AM +0100, Renzo Bagnati wrote:
> As I reported in launchpad for ubuntu
> (https://bugs.launchpad.net/ubuntu/+source/samba/+bug/512459), adding
> allow_weak_crypto = true to krb5.conf does not solve the problem for me:

> # net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- LAB
> Joined 'VML-AMB' to realm 'mydomain.it'
> [2010/01/26 17:06:10, 0] libads/kerberos.c:332(ads_kinit_password)
>   kerberos_kinit_password vml-a...@mydomain.it failed: Preauthentication failed

Yes, it appears I jumped the gun with the bug closure, sorry. Reopening, for further analysis.

> [2010/01/26 17:02:38, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
>   cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)

This corresponds to:

	krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
		ENCTYPE_ARCFOUR_HMAC,
#endif
		ENCTYPE_DES_CBC_MD5,
		ENCTYPE_DES_CBC_CRC,
		ENCTYPE_NULL};
[...]
	if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {

So one or more of these types is not enabled by the new 'allow_weak_crypto' option?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Bug#566977: samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type'

tags 566977 confirmed upstream
thanks

On Wed, Jan 27, 2010 at 03:33:59AM -0800, Steve Langasek wrote:
> So one or more of these types is not enabled by the new 'allow_weak_crypto'
> option?

Nope, they're all supported, but Samba has a function in source3/libads/kerberos.c named create_local_private_krb5_conf_for_domain... which does exactly that, and of course it doesn't know to set the new 'allow_weak_crypto' option.

So this is a samba bug that needs fixed.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Bug#566977: samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type'

Package: samba-common-bin
Version: 2:3.4.3-2
Severity: normal

After dist-upgrade from lenny to squeeze, joining an Active Directory Windows 2003 domain fails. Even downgrading Samba to 3.2.5 from lenny without changing kerberos libs did not help, nor did upgrading Samba to 3.4.5 from unstable and using kerberos libs from unstable.

Kerberos itself with kinit works.

# kinit administrator
Password for administra...@e-spirit.de:
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@e-spirit.de

Valid starting     Expires            Service principal
01/26/10 09:43:15  01/26/10 19:43:19  krbtgt/e-spirit...@e-spirit.de
	renew until 01/27/10 09:43:15, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

# net -d9 ads join -U administrator
[...]
2010/01/26 09:33:22, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2010/01/26 09:33:22, 1] libnet/libnet_join.c:1903(libnet_Join)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'E-SPIRIT'
              dns_domain_name          : 'e-spirit.de'
              forest_name              : 'e-spirit.de'
              dn                       : NULL
              domain_sid               : *
                  domain_sid               : S-1-5-21-567673327-774986681-227697207
              modified_config          : 0x00 (0)
              error_string             : 'failed to connect to AD: Program lacks support for encryption type'
              domain_is_ad             : 0x01 (1)
              result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Program lacks support for encryption type
[2010/01/26 09:33:22, 2] utils/net.c:779(main)
  return code = -1

/etc/krb5.conf:

[libdefaults]
        default_realm = E-SPIRIT.DE
        clockskew = 600
        forwardable = true
        proxiable = true

[domain_realm]
        .e-spirit.de = E-SPIRIT.DE
        e-spirit.de = E-SPIRIT.DE

/etc/samba/smb.conf

[global]
        server string = Linux-Server
        security = ads
        workgroup = E-SPIRIT
        realm = E-SPIRIT.DE
        kerberos method = system keytab
        #use kerberos keytab = true
        #template primary group = users
        template homedir = /home/%U
        template shell = /bin/bash
        idmap uid = 1100-9000
        idmap gid = 1100-9000
        winbind uid = 1100-9000
        winbind gid = 1100-9000
        winbind separator = +
        winbind cache time = 10
        winbind use default domain = yes
        winbind nested groups = yes
        winbind enum users = no
        winbind enum groups = no
        username map = /etc/samba/smbusers
        guest account = nobody
        invalid users = root
        encrypt passwords = true
        load printers = no
        map to guest = Bad User
        log file = /var/log/samba/smb_%M.log
        max log size = 1
        syslog = 0
        local master = no
        os level = 33
        domain master = no
        preferred master = no
        domain logons = no
        wins support = no
        wins proxy = no
        dns proxy = yes
        name resolve order = host bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        veto files = /Thumbs.db/.thumbnails/.DS_Store/.xvpics/
        delete veto files = yes

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages samba-common-bin depends on:
ii  libc6             2.10.2-2           GNU C Library: Shared libraries
ii  libcap2           1:2.17-2           support for getting/setting POSIX.
ii  libcomerr2        1.41.9-1           common error description library
ii  libgssapi-krb5-2  1.8+dfsg~alpha1-5  MIT Kerberos runtime libraries - k
ii  libk5crypto3      1.8+dfsg~alpha1-4  MIT Kerberos runtime libraries - C
ii  libkrb5-3         1.8+dfsg~alpha1-5  MIT Kerberos runtime libraries
ii  libldap-2.4-2     2.4.17-2.1         OpenLDAP libraries
ii  libncurses5       5.7+20090803-2     shared libraries for terminal hand
ii  libpopt0          1.15-1             lib for parsing cmdline parameters
ii  libreadline6      6.1-1              GNU readline and history libraries
ii  libtalloc2        2.0.1-1            hierarchical pool based memory all
ii  libuuid1          2.16.2-0           Universally Unique ID library
ii  libwbclient0      2:3.4.5~dfsg-1     Samba winbind client library
ii  samba-common      2:3.4.3-2          common files used by both the Samb
ii  zlib1g            1:1.2.3.4.dfsg-3   compression library - runtime

samba-common-bin recommends no packages.

samba-common-bin suggests no packages.

-- no debconf information
Bug#566977: samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type'

Thanks Steve! Runs successfully now with this /etc/krb5.conf:

[libdefaults]
        default_realm = E-SPIRIT.DE
        clockskew = 600
        forwardable = true
        proxiable = true
        allow_weak_crypto = true

[domain_realm]
        .e-spirit.de = E-SPIRIT.DE
        e-spirit.de = E-SPIRIT.DE
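
Added example (not part of the thread and not Samba or MIT krb5 code): a Python check that reads a krb5.conf, reports whether [libdefaults] sets allow_weak_crypto, and lists which entries of the enc_types[] array quoted earlier in the thread would be refused without it. It assumes MIT krb5 1.8+ behaviour, where single-DES enctypes are refused unless allow_weak_crypto is true; the function and constant names are illustrative, and the parsing is simplified (no include directives or brace subsections).

```python
# Values MIT krb5's profile code reads as boolean true (case-insensitive).
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# Single-DES enctypes; assumed refused by MIT krb5 1.8+ without allow_weak_crypto.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}
# The enc_types[] list quoted in the thread, by MIT enctype name.
SAMBA_TGS_ENCTYPES = ["arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]

# krb5.conf as first reported in the thread.
CONF_BEFORE = """\
[libdefaults]
 default_realm = E-SPIRIT.DE
 clockskew = 600
 forwardable = true
 proxiable = true
[domain_realm]
 .e-spirit.de = E-SPIRIT.DE
"""
# The reporter's working file adds one relation to [libdefaults].
CONF_AFTER = CONF_BEFORE.replace(
    "proxiable = true\n", "proxiable = true\n allow_weak_crypto = true\n")


def libdefaults(text):
    """Return [libdefaults] relations as a dict; the first value of a key wins."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values.setdefault(key, value)
    return values


def allows_weak_crypto(text):
    """True when [libdefaults] enables allow_weak_crypto (the default is false)."""
    value = libdefaults(text).get("allow_weak_crypto", "false")
    return value.lower() in TRUE_VALUES


def refused_enctypes(text, requested=SAMBA_TGS_ENCTYPES):
    """Enctypes from `requested` that this configuration would reject."""
    if allows_weak_crypto(text):
        return []
    return [e for e in requested if e in WEAK_ENCTYPES]


if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, allows_weak_crypto(conf), refused_enctypes(conf))
```

The check applies to whichever krb5.conf a process actually loads, including the private one Samba generates, which per the thread does not set the option. A true result also means single-DES is enabled for that configuration, which is worth recording in a host audit.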