[Samba] [FIXED on Debian] Re: ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

[Robert LeBlanc]

On Wed, Feb 17, 2010 at 6:39 AM, Wilkinson, Alex <
alex.wilkinson at dsto.defence.gov.au> wrote:

>
>    0n Wed, Feb 17, 2010 at 07:49:25AM -0600, Dale Schroeder wrote:
>
>    >
>    >> Reply to list/user gets me again! Anyway, we are at 2008 functional
> level,
>    >> so I don't think our domain is even accepting DES. It looks like
> Debian has
>    >> a fix in libkrb5 that has another two days in sid, then will be
> migrated to
>    >> Squeeze.
>    >That's the best news I've had in days.  I noticed that the original
>    >reporter of the bug had success with
>    >1.8 alpha1-6, and the version soon to be in squeeze is already beyond
>    >that at alpha 1-7.
>
> Here is the patch:
>
>
> http://packages.debian.org/changelogs/pool/main/k/krb5/krb5_1.8+dfsg~alpha1-7/changelog<http://packages.debian.org/changelogs/pool/main/k/krb5/krb5_1.8+dfsg%7Ealpha1-7/changelog>
>
>  krb5  (1.8+dfsg~alpha1-6) unstable; urgency=medium
>
>   * Import upstream fixes including:
>      - A non-conformance with RFC 4120 that causes  enc_padata to be
>     included when the client may not support it
>       - Weak crypto acts as a filter and does not reject if DES is
>     included in krb5.conf, fixes Samba net ads join, Closes: #566977
>     * Medium urgency because of the samba bug fix.  If the samba
> maintainers
>     request the release team to bump to high I'd support that.
>   * Update libkdb5 symbols for new upstream internal interface
>
>
I have just tested the new package from Debian and it indeed does solve the
problem and you don't need the weak_crypto option in krb5.conf. Thanks to
all who got us through this bump in the road.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University