KDC has no support for encryption type?

Ken Cross kcross at nssolutions.com
Tue Jul 15 15:14:41 GMT 2003


Steve:

Thanks for the response.

The mystery, though, is (1) it worked in Samba 3.0 Alpha, (2) same results
to multiple Win2K servers, and (3) winbindd works OK using the same library.

From clikrb5.c it looks like it's using ENCTYPE_DES_CBC_MD5, but I'd have to
get a trace to verify that.

FWIW, here are the relevant settings from config.h:


grep -e KRB -e MD5 include/config.h
#define HAVE_ADDRTYPE_IN_KRB5_ADDRESS 1
/* #undef HAVE_ADDR_TYPE_IN_KRB5_ADDRESS */
/* Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available */
/* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
/* Whether KRB5 is available */
#define HAVE_KRB5 1
/* #undef HAVE_KRB5_AUTH_CON_SETKEY */
#define HAVE_KRB5_AUTH_CON_SETUSERUSERKEY 1
#define HAVE_KRB5_FREE_KTYPES 1
/* #undef HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES */
#define HAVE_KRB5_GET_PERMITTED_ENCTYPES 1
/* #undef HAVE_KRB5_GET_PW_SALT */
#define HAVE_KRB5_H 1
/* #undef HAVE_KRB5_KEYBLOCK_KEYVALUE */
#define HAVE_KRB5_LOCATE_KDC 1
#define HAVE_KRB5_PRINCIPAL2SALT 1
/* #undef HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES */
#define HAVE_KRB5_SET_DEFAULT_TGS_KTYPES 1
#define HAVE_KRB5_SET_REAL_TIME 1
#define HAVE_KRB5_STRING_TO_KEY 1
/* #undef HAVE_KRB5_STRING_TO_KEY_SALT */
#define HAVE_KRB5_TKT_ENC_PART2 1
#define HAVE_KRB5_USE_ENCTYPE 1


So, I gather nobody else is seeing this?

Thanks,
Ken
________________________________

Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com 

> -----Original Message-----
> From: Steve Langasek [mailto:vorlon at netexpress.net] 
> Sent: Tuesday, July 15, 2003 10:30 AM
> To: Ken Cross
> Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> Subject: Re: KDC has no support for encryption type?
> 
> 
> On Tue, Jul 15, 2003 at 10:23:39AM -0400, Ken Cross wrote:
> > I'm getting these messages from "net ads join -U x%x":
> 
> >  [2003/07/15 09:40:33, 3] libads/ldap.c:ads_server_info(1864)
> >    got ldap server name win1 at WIN1DOM.LOCAL, using bind path: dc=WIN1DOM,dc=LOCAL
> >  [2003/07/15 09:40:33, 4] libads/ldap.c:ads_server_info(1870)
> >    time offset is 0 seconds
> >  [2003/07/15 09:40:33, 4] libads/sasl.c:ads_sasl_bind(415)
> >    Found SASL mechanism GSS-SPNEGO
> >  [2003/07/15 09:40:33, 3] libads/sasl.c:ads_sasl_spnego_bind(183)
> >    got OID=1 2 840 48018 1 2 2
> >  [2003/07/15 09:40:33, 3] libads/sasl.c:ads_sasl_spnego_bind(183)
> >    got OID=1 3 6 1 4 1 311 2 2 10
> >  [2003/07/15 09:40:33, 3] libads/sasl.c:ads_sasl_spnego_bind(190)
> >    got principal=win1$@WIN1DOM.LOCAL
> >  [2003/07/15 09:40:33, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
> >    krb5_cc_get_principal failed (No credentials cache found)
> >  [2003/07/15 09:40:33, 0] libads/kerberos.c:ads_kinit_password(133)
> >    kerberos_kinit_password administrator at WIN1DOM.LOCAL failed: KDC has no support for encryption type
> 
> > I'm using MIT Kerberos 1.2.6 on NetBSD.  The server is Win2K SP4.
> 
> > It worked fine in Samba 3.0 Alphas.  Winbindd is having no problems.
> 
> Either Kerberos on this machine is configured only to allow 
> 3des encryption types, which Win2K does not support; or this 
> principal on the Windows realm only has an RC4 key associated 
> with it, and you need to either change the admin password to 
> generate a DES key or upgrade to MIT 1.3 on the Unix side.
> 
> Or something's really broken, and Samba is requesting a 
> nonexistent enctype. :)
> 
> -- 
> Steve Langasek
> postmodern programmer
> 
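
An added illustration, not code from Samba or from either poster: a simplified C model of the enctype selection behind the explanations offered in the quoted reply, tied to the HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 setting shown in config.h. The function names, the constructed key sets and the first-match selection rule are assumptions; the enctype numbers and error code 14 are the standard Kerberos values.

```c
#include <stdio.h>

/* Kerberos enctype numbers and the KDC error code seen in the log. */
enum { DES_CBC_CRC = 1, DES_CBC_MD5 = 3, DES3_CBC_SHA1 = 16, RC4_HMAC = 23 };
#define KDC_ERR_ETYPE_NOSUPP 14   /* "KDC has no support for encryption type" */

/* Simplified KDC choice (assumption): the first enctype in the client's
 * preference list for which the principal has a stored key. Returns that
 * enctype, or -KDC_ERR_ETYPE_NOSUPP when the two sets do not intersect. */
int kdc_select_etype(const int *req, int nreq, const int *keys, int nkeys)
{
    for (int i = 0; i < nreq; i++)
        for (int j = 0; j < nkeys; j++)
            if (req[i] == keys[j])
                return req[i];
    return -KDC_ERR_ETYPE_NOSUPP;
}

/* Hypothetical client request list: RC4 is offered only when the Kerberos
 * library provides it (HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 defined at build time). */
int client_etypes(int have_rc4, int *out)
{
    int n = 0;
    if (have_rc4)
        out[n++] = RC4_HMAC;
    out[n++] = DES_CBC_MD5;
    out[n++] = DES_CBC_CRC;
    return n;
}

/* One modelled AS exchange: client capability against the principal's keys. */
int try_kinit(int have_rc4, const int *keys, int nkeys)
{
    int req[4];
    int n = client_etypes(have_rc4, req);
    return kdc_select_etype(req, n, keys, nkeys);
}

int main(void)
{
    /* Constructed key sets for the principal, not taken from a real KDC. */
    const int rc4_only[] = { RC4_HMAC };
    const int after_pw_change[] = { RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC };

    printf("client without RC4, RC4-only principal: %d\n", try_kinit(0, rc4_only, 1));
    printf("same client after password change:      %d\n", try_kinit(0, after_pw_change, 3));
    printf("RC4-capable client, RC4-only principal: %d\n", try_kinit(1, rc4_only, 1));
    return 0;
}
```

A negative result is the negated KDC error code; a positive result is the enctype the modelled KDC would use for the reply.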



