Winbind failed to connect to AD: Program lacks support for encryption type

Bug #512459 reported by renbag
This bug affects 6 people
Affects: krb5 (Debian) | Status: Fix Released | Importance: Unknown
Affects: krb5 (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

Binary package hint: samba

I'm using Lucid alpha-2 and when I try to join the machine to an AD domain with winbind I get the following error:

# net ads join -U Administrator
Enter Administrator's password:
[2010/01/25 16:25:48, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type

This always worked with karmic and jaunty, using exactly the same samba and kerberos configurations.

Package versions are:

krb5-config 2.2
krb5-user 1.8+dfsg~alpha1-4
libgssapi-krb5-2 1.8+dfsg~alpha1-4
libkrb5-3 1.8+dfsg~alpha1-4
libkrb5support0 1.8+dfsg~alpha1-4
libpam-krb5 4.2-1
libsmbclient 2:3.4.3-2ubuntu2
libwbclient0 2:3.4.3-2ubuntu2
samba 2:3.4.3-2ubuntu2
samba-common 2:3.4.3-2ubuntu2
samba-common-bin 2:3.4.3-2ubuntu2
smbclient 2:3.4.3-2ubuntu2
smbfs 2:3.4.3-2ubuntu2
winbind 2:3.4.3-2ubuntu2

Timo Aaltonen (tjaalton) wrote :

I'm getting the same after the weekend. Probably due to the updated krb5 packages? (now 1.8-alpha1, before 1.7)

Changed in samba (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Chuck Short (zulcss) wrote :

Not a bug in samba; this is a deliberate behavior change in the new upstream
release of MIT Kerberos. See /usr/share/doc/libkrb5-3/NEWS.Debian.gz for
information on re-enabling use of Kerberos with realms that don't support
higher-grade encryption.

Changed in samba (Ubuntu):
status: Confirmed → Triaged
Changed in samba (Debian):
status: Unknown → Fix Released
renbag (renbag) wrote :

I added:
allow_weak_crypto = true
to the [libdefaults] section in krb5.conf, as described in /usr/share/doc/libkrb5-3/NEWS.Debian.gz:

# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- LAB
Joined 'VML-AMB' to realm 'mydomain.it'
[2010/01/26 17:06:10, 0] libads/kerberos.c:332(ads_kinit_password)
  kerberos_kinit_password VML-AMB$@MYDOMAIN.IT failed: Preauthentication failed

The machine was apparently joined to the domain, but I cannot log in with my domain credentials; I always get an authentication failure.
"getent passwd" lists local users only.

The file log.wb-LAB contains these lines:

[2010/01/26 17:02:38, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
  cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2010/01/26 17:02:38, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Program lacks support for encryption type
[2010/01/26 17:02:39, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
  cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2010/01/26 17:02:39, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
  cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2010/01/26 17:02:39, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2010/01/26 17:02:39, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain LAB failed: Program lacks support for encryption type

Changed in samba (Debian):
status: Fix Released → Confirmed
Timo Aaltonen (tjaalton) wrote :

Moving to krb5 like on Debian.

affects: samba (Ubuntu) → krb5 (Ubuntu)
affects: samba (Debian) → krb5 (Debian)
Taylor Yu (tlyu)
Changed in krb5 (Debian):
importance: Unknown → Undecided
status: Confirmed → New
status: New → Fix Committed
stiV (stefan-wehinger) wrote :

According to https://wiki.ubuntu.com/LTSDebianImportFreeze "packages will only be imported from Debian testing in this way on a case by case basis or by explicit request from a developer."

Will this be done?

Timo Aaltonen (tjaalton) wrote :

I've tested the new version and it works, it should be synced from unstable.

Timo Aaltonen (tjaalton) wrote :

Filed bug #523107 to sync the package.

Timo Aaltonen (tjaalton) wrote :

And it's synced now.

Changed in krb5 (Ubuntu):
status: Triaged → Fix Released
renbag (renbag) wrote :

I confirm that the new krb5 packages are working in my network, and without the need to use the allow_weak_crypto = true option.

Timo Aaltonen (tjaalton)
Changed in krb5 (Debian):
importance: Undecided → Unknown
status: Fix Committed → Unknown
Changed in krb5 (Debian):
status: Unknown → Fix Released
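
Added example (not part of the bug thread, and not Samba or krb5 project code): a small krb5.conf audit that flags the allow_weak_crypto workaround discussed above, plus any weak enctypes named in the [libdefaults] enctype lists, for hosts where the workaround was applied before the fixed packages arrived. The weak-enctype set follows the names MIT krb5 documents as weak; the sample configuration is constructed.

```python
import re

# Enctype names MIT krb5 documents as weak (single-DES family, des3-cbc-raw,
# export-grade RC4); they are refused unless allow_weak_crypto is enabled.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1", "des3-cbc-raw",
                 "arcfour-hmac-exp"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}  # krb5.conf boolean spellings

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return a list of findings about weak-crypto settings in krb5.conf text."""
    settings = parse_libdefaults(text)
    findings = []
    if settings.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        names = re.split(r"[\s,]+", settings.get(key, "").lower())
        weak = sorted(set(names) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} lists weak enctypes: {', '.join(weak)}")
    return findings

# Constructed sample: the workaround from this thread left in place.
SAMPLE = """[libdefaults]
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc
[domain_realm]
    .mydomain.it = MYDOMAIN.IT
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real host, pass the contents of its krb5.conf to `audit()`; an empty list means neither the workaround nor a weak enctype name is present in [libdefaults].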