KDC has no support for encryption type?

Steve Langasek vorlon at netexpress.net
Tue Jul 15 16:15:59 GMT 2003


On Tue, Jul 15, 2003 at 12:05:11PM -0400, Ken Cross wrote:
> > -----Original Message-----
> > From: Steve Langasek [mailto:vorlon at netexpress.net] 
> > Sent: Tuesday, July 15, 2003 11:57 AM
> > To: Ken Cross
> > Cc: 'Multiple recipients of list SAMBA-TECHNICAL'
> > Subject: Re: KDC has no support for encryption type?

> > This would be the only enctype that MIT 1.2 shares in common 
> > with Win2K, yes -- and only on principals whose passwords 
> > have been changed at least once in ADS.

> If you mean the machine account password, the "net ads join" is creating the
> machine account, so the password has never been changed.  Is that what you
> meant?

I believe that when creating the machine account, 'net ads join' uses
the appropriate incantation to make a DES key available for the
principal.

But you're not getting that far; the error indicates that kinit is not
able to grab credentials for the administrator, which are needed before
the machine account can be created, due to an enctype mismatch.  Do you
have Samba machines that have been joined to the particular domains
you're currently trying to join to?  If so, have any changes been made
to the domain's configuration since then?  If you run the command
'kinit administrator@WIN1DOM.LOCAL' by hand from this machine, does it
also give you an error message?

-- 
Steve Langasek
postmodern programmer