[Samba] winbind failure with libkrb5-3 1.8 in Debian *RENAMED*
Dale Schroeder
dale at BriannasSaladDressing.com
Wed Jan 27 10:45:44 MST 2010
I have renamed this thread as the panics stopped when libkrb5-3, et al.
were upgraded to 1.8.
However, bigger problems are now occurring. See below.
On 01/27/2010 10:13 AM, Volker Lendecke wrote:
> On Wed, Jan 27, 2010 at 04:05:46AM -0800, Steve Langasek wrote:
>
>> On Tue, Jan 26, 2010 at 02:22:36PM -0800, Steve Langasek wrote:
>>
>>> On Tue, Jan 26, 2010 at 05:03:51PM -0500, Sam Hartman wrote:
>>>
>>>>>>>>> "Steve" == Steve Langasek<vorlon at debian.org> writes:
>>>>>>>>>
>>
>>>> Steve> On Tue, Jan 26, 2010 at 01:29:08PM -0500, Sam Hartman wrote:
>>>> >> OK. Can someone on the Samba side confirm that the Linux kernel
>>>> >> only supports DES for some Samba related Kerberos operation?
>>>> >> Specific details on what is going on would be useful.
>>>>
>>
>>>> Steve> The kernel is only involved when one is using CIFS mounts,
>>>> Steve> which aren't relevant to winbind and domain joining; so this
>>>> Steve> shouldn't be a kernel issue.
>>>>
>>
>>>> OK. Then I currently have no idea why allow_weak_crypto would be
>>>> desirable for Samba.
>>>>
>>
>>> In the case of AD realms that were continuously upgraded from NT4 domains,
>>> you may have accounts only using RC4 as an enctype for
>>> backwards-compatibility with pre-AD systems. I don't know if this is the
>>> reason these users are seeing problems, but it's the only case I can think
>>> of why allow_weak_crypto should be needed.
>>>
>> Sorry, having looked at the source now, I see that the weak crypto handling
>> is specific to DES, not RC4; and if Samba were *only* using RC4, this error
>> would not happen.
>>
>> However, Samba requests both RC4 and DES, a historical remnant of the time
>> when DES was the only enctype in common between all Kerberos
>> implementations.
>>
> Referring to the SUBJECT: Where is this leading to a panic
> in Samba 3.4, I got lost in the meantime.
>
> Volker
>
Now, winbind simply doesn't work in 3.4.3 or in 3.4.5, the latter of
which I tested this morning.
The 3.4.5 testing was done with libkrb5-3 1.8+dsfg~alpha1-5, upgraded
from alpha1-4.
This also includes setting
allow_weak_crypto=true
in krb5.conf; however, the encryption error message returns when testing
the join or doing kinit.
[date time, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks
support for encryption type.
[repeat above two lines]
Join to domain is not valid: Undetermined error
I guess I should retest stable to see what that yields.
Dale
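
Added example, not part of the original message or of Samba or MIT krb5: a small audit of a krb5.conf [libdefaults] section that reports whether allow_weak_crypto is enabled and which enctype lists name single-DES types, the combination discussed in the thread. The DES name list, the accepted boolean spellings, and the sample file are assumptions made for this example.

```python
import re

# Single-DES enctype names treated as weak (assumed list for this example).
WEAK_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
            "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}  # assumed boolean spellings

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def audit(text):
    """Report the allow_weak_crypto state and the DES names in each enctype list."""
    conf = parse_libdefaults(text)
    allow = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    des = {}
    for key in ENCTYPE_KEYS:
        names = re.split(r"[,\s]+", conf.get(key, ""))
        hits = [n for n in names if n.lower() in WEAK_DES]
        if hits:
            des[key] = hits
    # Flag the mismatch: DES is listed but weak crypto is not enabled.
    return {"allow_weak_crypto": allow, "des_enctypes": des,
            "des_requested_but_disabled": bool(des) and not allow}

# Constructed sample krb5.conf, not taken from the thread.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5, des-cbc-md5
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""
```

Calling audit() on the text of a host's krb5.conf returns a dict; a non-empty des_enctypes entry shows where single DES is still being requested.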