[Samba] MS06-035 problems?

Alan Munter alan.munter at nist.gov
Wed Jul 12 20:44:56 GMT 2006


I just patched our domain controllers with MS06-035 because it said it
was just fixing a couple of memory leak problems with SMB in srvsvc.  

Now, this afternoon, one of my colleagues tried to join a FC5 machine to
our active directory using the recipe that we have been using for years
(which worked yesterday, according to him), and it fails on "net ads
join".

No changes have been made to the domain controllers other than the Black
Tuesday patches.

Here's a log dump from "net -d4 ads join".  We get the error:

[2006/07/12 15:55:14, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571) 
  verify_service_password: get_service_ticket failed: KDC has no support
for encryption type

The krb5.conf was copied from the machine that worked yesterday.

The computer account actually made it into the active directory despite
the errors, apparently.  

In trying to debug the problems I deleted the computer account from AD,
had him shut down smb and winbind, had him clear out /var/log/samba and
the secrets file in /etc/samba and restart our recipe to add the stuff
to the domain.  He reported after that procedure that the computer was
able to join the domain, but now authentication fails when trying to log
in.

Any ideas of what's going on?  Need more info?  Did MS sneak some more
changes into the server service that they aren't talking about in that
patch?

Thanks,

Alan



More information about the samba mailing list