[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

Robert LeBlanc robert at leblancnet.us
Tue Feb 16 15:25:05 MST 2010

On Tue, Feb 16, 2010 at 2:48 PM, Rob Townley <rob.townley at gmail.com> wrote:

> On Tue, Feb 16, 2010 at 12:30 PM, Robert LeBlanc <robert at leblancnet.us>wrote:
>> I tired this on Debian Squeeze (edited
>> /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME) and when I restart winbind,
>> the file is clobbered back to the original. I think this is in conjunction
>> with a bug from Kerberos where if DES is specified as a supported type, even
>> if something else better is specified, Kerberos refuses to play.
>> Here is what 3.4.5 is showing:
>>         default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>         default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>         preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>> It would be nice to have some sort of fix/workaround for this, it seems to
>> have blindsided us.
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
> i assume you meant to post to the list, not just me.  But since some IT
> people would be uncomfortable letting the general public know they use DES,
> i didn't forward your name to the list.
> i had the same problem and thought i had it licked by disabling the winbind
> service, but i have so many machines i am not sure which machine i may have
> got the config to stick.  If your domain functional level is WIn2000, not
> Win2003, then i am not sure it will take anything better than DES.  i would
> hope so, but i don't know for certain.  Using the windows kerberos tools
> like kerbtray.exe would tell you what your ADS accepts.  Watch that MSDN
> video.
> i have a suspicion that ADS will list DES as acceptable but tells Windows
> Workstations to never request DES through Group Policy Objects.  So the
> problem never surfaces on windows.  In the ADS Active Directory Users and
> Computers, clicking on the details of a user and maybe a machine, at the
> very bottom of a long scroll down list, there is a place to allow DES.
> Unless that is checked,. i don't see any reason for ADS to ever offer DES,
> but i suspect it does.
> My ADS is messed up now and needs to be redone.  Until then and when i can
> do some extensive testing, i am not going to blame MS.
Reply to list/user gets me again! Anyway, we are at 2008 functional level,
so I don't think our domain is even accepting DES. It looks like Debian has
a fix in libkrb5 that has another two days in sid, then will be migrated to
Squeeze. I think that will fix the problem (crossing fingers) as RC4-HMAC is
listed as an acceptable encryption type and the bug in kerberos was dropping
the entire ecnryption request if DES was one of the encryption types. I
think the fix now only drops the DES encryption types out of the available
list. So in my krb5.conf.NETBIOSNAME example above, if the DCs don't like
RC4-HMAC, then I'm out of luck as it won't try DES even though it is listed.

Thanks for the reply.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

More information about the samba mailing list