[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

Rob Townley rob.townley at gmail.com
Fri Feb 12 23:34:42 MST 2010


On Fri, Feb 12, 2010 at 8:25 PM, Wilkinson, Alex <alex.wilkinson at dsto.defence.gov.au> wrote:

> Anyone ?
>
>   -Alex
>
>    0n Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
>
>    >Hi all,
>    >
>    >According to this bug report:
>    >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
>    >
>    >This particular error is actually a bug in the samba code.
>    >
>    >Does anyone know if there are patches that fix this ?
>    >
>    >Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this
> for me :(
>    >
>    >Has anyone got a working solution for this ?
>    >
>    >   -Alex
>


DES was broken in 1998 by the EFF.  Shouldn't be used but it often is in the
list of allowed encryption types.  Won't go into the conspiracy theory now.


The short answer would probably be to delete any reference to DES and
probably DES3 encryption types in all krb5.conf* files on your machine.  I
use RedHat derivatives, but I bet this is the same problem.  Do a find for
all krb5.conf* as it may not be in the same location on Debian.

cat /var/cache/samba/smb_krb5/krb5.conf.*
and I bet you will find DES encryption accepted.

You would think it would be from /etc/krb5.conf, but no, it isn't, as evidenced by
Arnaud Lesauvage (arnaud.listes at codata.eu), among others:
  http://lists.samba.org/archive/samba/2009-March/146858.html

Change the file /var/lib/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME
  Add either rc4-hmac or arcfour-hmac
  Replace any reference to DES-CBC-CRC encryption with
aes128-cts-hmac-sha1-96.
  Or at the very least, put the AES types further up the list.

     default_tgs_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
     default_tkt_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
     preferred_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

After restarting, check that
/var/cache/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME does not have any DES
remnants.

Very good annotated reference on encryption and hashing:

http://www.gnu.org/software/shishi/manual/html_node/Cryptographic-Overview.html

Decent references on what encryption type 17 is in the domain controller
event log:
  https://blogs.msdn.com/alextch/archive/2006/07/18/etypes.aspx
  http://www.ietf.org/rfc/rfc3961.txt
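
Added example (not part of the original post): the check described in the message above, scripted as a shell function that lists every enctype beginning with "des" in the enctype settings of krb5.conf* files. The function names, the sample file contents and the EXAMPLE.COM realm are constructed for illustration; permitted_enctypes is an MIT krb5 setting that the post does not mention.

```shell
#!/bin/sh
# Added example, not from the original post.
# Print "file:setting:enctype" for each enctype starting with "des"
# (des-cbc-crc, des-cbc-md5, des3-cbc-sha1, ...) in krb5.conf-style files.
find_des_enctypes() {
    awk '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        {
            line = tolower($0)
            eq = index(line, "=")
            if (eq == 0) next               # not a "key = value" line
            key = substr(line, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (key !~ /^(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes|permitted_enctypes)$/)
                next
            n = split(substr(line, eq + 1), tok, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^des/) print FILENAME ":" key ":" tok[i]
        }
    ' "$@"
}

# Run the check on every krb5.conf* file below the given directories,
# e.g. scan_krb5_confs /etc /var/lib/samba /var/cache/samba
scan_krb5_confs() {
    find "$@" -type f -name 'krb5.conf*' 2>/dev/null |
    while IFS= read -r f; do
        find_des_enctypes "$f"
    done
}

# Constructed sample resembling a generated krb5.conf.YOURNETBIOSNAME file.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/krb5.conf.YOURNETBIOSNAME" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # default_tgs_enctypes = DES-CBC-CRC   (commented out, ignored)
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
EOF

scan_krb5_confs "$demo_dir"   # lists the four DES entries above
```

Running the scan again after restarting Samba shows whether the regenerated file still carries DES entries; empty output means none were found.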

