[Samba] ads_connect: Program lacks support for encryption type

Barry Smoke bsmoke at lapo.state.ar.us
Fri Jan 13 17:12:37 GMT 2006

I had this same problem, 
banged my head against desk for 3 hours...

samba 3.0.21a + rhel4, and I had the same krb5.conf setup.

what was strange was that we could get to it by ip address(so Kerberos + winbind was working, and wbinfo -u, and wbinfo -g worked), yet when we tried by name, it wouldn't work, kept prompting for password(and saying the encryption type error in the logs)...

I thought that our windows 2003 server upgrade got the better of us, even though I had 4 other servers configured the same way that were still working...(thinking it was something new when running net ads join command that wasn't working)...

well, it must have been wins, or something, because about 3 hours later, it started working properly.  I have no explanation why(and would love one BTW.)

Barry Smoke
Network Administrator
AR Division of Legislative Audit

-----Original Message-----
From: samba-bounces+bsmoke=lapo.state.ar.us at lists.samba.org [mailto:samba-bounces+bsmoke=lapo.state.ar.us at lists.samba.org] On Behalf Of Mason, Roberto
Sent: Friday, January 13, 2006 10:48 AM
To: samba at lists.samba.org
Subject: [Samba] ads_connect: Program lacks support for encryption type

I'm trying to setup here at my school board an ADS domain member to Windows 2000 Server(s). I've setup Samba, configured nsswitch and /etc/krb5.conf. I'll be including them on this post. When I run << net join ADS -U<administrative_user>, I'm prompted for the password and I get this error message:


[2006/01/12 15:21:35, 0] utils/net_ads.c:ads_startup(191)

  ads_connect: Program lacks support for encryption type


I scoured Google, but I've not been able to find the solution. 


Is there a service I'm not running?


# Samba config file created using SWAT

# from (

# Date: 2006/01/11 16:27:02



# Samba config file created using SWAT
# from (
# Date: 2006/01/11 16:27:02
   workgroup = MYDOMAIN
   realm = MYDOMAIN.QC.CA
        bind interfaces only = Yes
   security = ADS
        username map = /etc/samba/smbusers
        log level = 1
        printcap name = cups
        wins server = xxx.xxx.xxx.xxx 
        ldap ssl = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind use default domain = no
        valid users = %S
        read only = No
        browseable = No
#masonr is a local user
        path = /drive
        valid users = masonr
        write list = masonr
        force user = nobody
        force group = nobody
        read only = No




passwd:     files winbind

shadow:     files

group:      files winbind


#hosts:     db files ldap nis dns

hosts:      files winbind dns


# Example - obey only what ldap tells us...

#services:  ldap [NOTFOUND=return] files

#networks:  ldap [NOTFOUND=return] files

#protocols: ldap [NOTFOUND=return] files

#rpc:       ldap [NOTFOUND=return] files

#ethers:    ldap [NOTFOUND=return] files


bootparams: files

ethers:     files

netmasks:   files

networks:   files dns

protocols:  files

rpc:        files

services:   files

netgroup:   files

publickey:  files

automount:  files

aliases:    files



default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default_realm = MYDOMAIN.QC.CA
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
   default_domain = mydomain.qc.ca
   kdc = server1.mydomain.qc.ca:88
   kdc = server2.mydomain.qc.ca:88
   admin_server = server1.mydomain.qc.ca:749
.mydomain.qc.ca = MYDOMAIN.QC.CA
mydomain.qc.ca = MYDOMAIN.QC.CA





Roberto Mason

IT Department

Sir Wilfrid Laurier School Board

235 Montée Lesage
Rosemère, Québec,
J7A 4Y6


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list