[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

dale at briannassaladdressing.com dale at briannassaladdressing.com
Sat Feb 13 23:31:21 MST 2010

-----Original message-----
From: Jeremy Allison jra at samba.org
Date: Sat, 13 Feb 2010 22:09:31 -0600
To: dale at briannassaladdressing.com
Subject: Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

> On Sat, Feb 13, 2010 at 01:35:12PM -0600, dale at briannassaladdressing.com wrote:
> > Alex,
> > 
> > I've been a victim of this since Day 1.  After a lot of reading and emailing, it comes down to this.  libkrb5-3 version 1.8x by default disallows DES encryption.  /etc/krb5.conf can be changed to allow weak encryption, but as it relates to Samba, is only effective in letting the system join the domain.  For its internal functioning, winbind uses an autogenerated krb5.conf that resides in /var/run/samba.  This krb5.conf has no knowledge of allow_weak_crypto=true.  Sam Hartman, the maintainer of libkrb5-3 in Debian, has taken over the responsibility of fixing that package, rather than the Samba maintainers doing a change there.  In the interim, winbind is broken with libkrb5-3 version 1.8x.  We can only hope this fix is soon coming.
>
> In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> if this private krb5.conf file is created or not. Would it be helpful
> for this to be back ported to earlier versions ?
> Jeremy.

Thank you for asking, Jeremy.  That sounds like a great idea.  I'm assuming that samba/winbind would look at /etc/krb5.conf if the private one is not created.  On the other hand, if libkrb5-3 is soon to be fixed, then all that work might not be necessary.  Perhaps someone at Debian could inform us of the current status.  I know that at one time, Christian Perrier was following this.
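
An added example, not part of the original thread or of Samba: a small Python audit that reads the `[libdefaults]` section of two krb5.conf texts and reports where their weak-crypto policy diverges, which is the mismatch described above between /etc/krb5.conf and the file winbind generates. Both sample configurations are constructed, and the contents of the private file are an assumption.

```python
import re

TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}  # boolean spellings MIT krb5 accepts
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed samples: a system file with DES re-enabled, and a private file of
# the kind the thread describes (its exact contents are an assumption).
SYSTEM_CONF = """\
[libdefaults]
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 aes256-cts
"""
PRIVATE_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n  kdc = 192.0.2.10\n }\n"

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section (keys lower-cased)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def weak_crypto_report(text):
    """Say whether the file permits weak crypto and which enctype lists name DES."""
    cfg = parse_libdefaults(text)
    des = {}
    for key in ENCTYPE_KEYS:
        hits = [e for e in re.split(r"[,\s]+", cfg.get(key, "")) if e == "des" or e.startswith("des-")]
        if hits:
            des[key] = hits
    return {"allow_weak_crypto": cfg.get("allow_weak_crypto", "false").lower() in TRUE_VALUES,
            "des_enctypes": des}

def compare(system_text, private_text):
    """List weak-crypto policy problems across the system and private files."""
    reports = {"system": weak_crypto_report(system_text), "private": weak_crypto_report(private_text)}
    flags = {name: r["allow_weak_crypto"] for name, r in reports.items()}
    findings = [f"allow_weak_crypto differs: {flags}"] if flags["system"] != flags["private"] else []
    for name, r in reports.items():
        if r["des_enctypes"] and not r["allow_weak_crypto"]:
            findings.append(f"{name}: DES listed in {sorted(r['des_enctypes'])} but allow_weak_crypto is off")
    return findings
```

To check a real host, pass the contents of /etc/krb5.conf and of the generated file under /var/run/samba to `compare()`.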

