[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
rob.townley at gmail.com
Fri Feb 12 23:34:42 MST 2010
On Fri, Feb 12, 2010 at 8:25 PM, Wilkinson, Alex <
alex.wilkinson at dsto.defence.gov.au> wrote:
> Anyone ?
> 0n Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
> >Hi all,
> >According to this bug report:
> >This particular error is actually a bug in the samba code.
> >Does anyone know if there are patches that fix this ?
> >Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this
> for me :(
> >Has anyone got a working solution for this ?
> > -Alex
> IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the CRIMES
> ACT 1914. If you have received this email in error, you are requested to
> contact the sender and delete the email.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
DES was broken in 1998 by the eff. Shouldn't be used but it often is in the
list of allowed encryption types. Won't go into the conspiracy theory now.
The short answer would probably be to delete any reference to DES and
probably DES3 encryption types in all krb5.conf* files on your machine. i
use RedHat derivatives, but i bet this is the same problem. Do a find for
all krb5.conf* as it may not be in the same location on debian.
and i bet you will find DES encryption accepted.
You think it would be from /etc/krb5.conf, but no it isn't as evidenced by:
* Arnaud Lesauvage* arnaud.listes at
Change the file /var/lib/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME
Add either rc4-hmac or arcfour-hmac
Replace any reference to DES-CBC-CRC encryption with
Or at the very least, put the AES types further up the list.
default_tgs_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
default_tkt_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
preferred_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
After restarting, check that
/var/cache/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME does not have any DES
Very good annotated reference on encryption and hashing:
Decent references on what is encryption type 17 in the domain controller
More information about the samba