KDC has no support for encryption type?
Steve Langasek
vorlon at netexpress.net
Tue Jul 15 14:29:47 GMT 2003
On Tue, Jul 15, 2003 at 10:23:39AM -0400, Ken Cross wrote:
> I'm getting these messages from "net ads join -U x%x":
> [2003/07/15 09:40:33, 3] libads/ldap.c:ads_server_info(1864)
> got ldap server name win1 at WIN1DOM.LOCAL, using bind path:
> dc=WIN1DOM,dc=LOCAL
> [2003/07/15 09:40:33, 4] libads/ldap.c:ads_server_info(1870)
> time offset is 0 seconds
> [2003/07/15 09:40:33, 4] libads/sasl.c:ads_sasl_bind(415)
> Found SASL mechanism GSS-SPNEGO
> [2003/07/15 09:40:33, 3] libads/sasl.c:ads_sasl_spnego_bind(183)
> got OID=1 2 840 48018 1 2 2
> [2003/07/15 09:40:33, 3] libads/sasl.c:ads_sasl_spnego_bind(183)
> got OID=1 3 6 1 4 1 311 2 2 10
> [2003/07/15 09:40:33, 3] libads/sasl.c:ads_sasl_spnego_bind(190)
> got principal=win1$@WIN1DOM.LOCAL
> [2003/07/15 09:40:33, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
> krb5_cc_get_principal failed (No credentials cache found)
> [2003/07/15 09:40:33, 0] libads/kerberos.c:ads_kinit_password(133)
> kerberos_kinit_password administrator at WIN1DOM.LOCAL failed: KDC has no
> support for encryption type
> I'm using MIT Kerberos 1.2.6 on NetBSD. The server is Win2K SP4.
> It worked fine in Samba 3.0 Alphas. Winbindd is having no problems.

Either Kerberos on this machine is configured only to allow 3des
encryption types, which Win2K does not support; or this principal on the
Windows realm only has an RC4 key associated with it, and you need to
either change the admin password to generate a DES key or upgrade to MIT
1.3 on the Unix side.

Or something's really broken, and Samba is requesting a nonexistent
enctype. :)
--
Steve Langasek
postmodern programmer
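
The cases named in the reply above, modelled as an added example (not part of the original post and not Samba or MIT Kerberos code). The per-version enctype sets are constructed from the reply's own statements, the function names are hypothetical, and the default offer order is a simplification.

```python
import re

# Constructed model data, following the statements in the reply above.
MIT_1_2 = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}   # assumption: no RC4 before 1.3
MIT_1_3 = MIT_1_2 | {"arcfour-hmac"}
WIN2K_KDC = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}  # per the reply: no 3DES

# krb5.conf accepts several spellings for the same enctype.
ALIASES = {"rc4-hmac": "arcfour-hmac", "des3-hmac-sha1": "des3-cbc-sha1"}


def parse_enctypes(conf, key="default_tkt_enctypes"):
    """Return the enctype list set for `key` in krb5.conf text, or None if unset."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", conf, re.MULTILINE)
    if not m:
        return None
    names = re.split(r"[\s,]+", m.group(1).strip())
    return [ALIASES.get(n.lower(), n.lower()) for n in names if n]


def diagnose(lib, conf, principal_keys, kdc=WIN2K_KDC):
    """Model the AS-REQ enctype choice: the client offers what its library and
    krb5.conf both allow; the KDC needs a stored key of one offered type."""
    permitted = parse_enctypes(conf)
    wanted = permitted if permitted is not None else sorted(lib)
    offered = [e for e in wanted if e in lib]
    usable = [e for e in offered if e in kdc and e in principal_keys]
    if usable:
        return "ok: " + usable[0]
    if not any(e in kdc for e in offered):
        return "ETYPE_NOSUPP: client offers nothing the KDC supports"
    return "ETYPE_NOSUPP: principal has no key for any offered enctype"


# Constructed krb5.conf fragments.
ONLY_3DES = "[libdefaults]\n    default_tkt_enctypes = des3-hmac-sha1\n"
DEFAULTS = "[libdefaults]\n    default_realm = WIN1DOM.LOCAL\n"

if __name__ == "__main__":
    print(diagnose(MIT_1_2, ONLY_3DES, WIN2K_KDC))         # 3des-only client
    print(diagnose(MIT_1_2, DEFAULTS, {"arcfour-hmac"}))   # RC4-only principal
    print(diagnose(MIT_1_3, DEFAULTS, {"arcfour-hmac"}))   # after upgrading the client
    print(diagnose(MIT_1_2, DEFAULTS, WIN2K_KDC))          # after the password change
```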