[Samba] KRB5 Problems

Brian McGrew brian at visionpro.com
Thu Dec 23 05:51:01 MST 2010


Good morning all!

I know this is not a Samba problem...  It's a Windows 2008R2 AD problem!  It
would seem that in the last 72 hours, there has been some kind of
AD/KRB/Encryption update that changes things a bit.

I'm using Win2008R2, CentOS 5.5-x86_64 and Samba-3.5.6.  I join about ten
machines a week to the domain using a cookie cutter configuration setup, and
all of the sudden this morning I can't do a kinit --- I was getting:

kinit(v5): KDC has no support for encryption type while getting initial
credentials

(When last night I could join just fine).

Long story short, I had to change

    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

To

    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc

In my standard /etc/krb5.conf and now life is good...

So, hopefully this will help someone else who might be seeing this problem,
but begs a question as well...

Was my configuration broken to start with (having only a single choice for
encryption), or did something else outside of the realm of the Samba/Unix
World change (that we _know_ of)?

-b



More information about the samba mailing list