[Samba] [FIXED on Debian] Re: ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
robert at leblancnet.us
Fri Feb 19 08:20:15 MST 2010
On Wed, Feb 17, 2010 at 6:39 AM, Wilkinson, Alex <
alex.wilkinson at dsto.defence.gov.au> wrote:
> 0n Wed, Feb 17, 2010 at 07:49:25AM -0600, Dale Schroeder wrote:
> >> Reply to list/user gets me again! Anyway, we are at 2008 functional
> >> so I don't think our domain is even accepting DES. It looks like
> Debian has
> >> a fix in libkrb5 that has another two days in sid, then will be
> migrated to
> >> Squeeze.
> >That's the best news I've had in days. I noticed that the original
> >reporter of the bug had success with
> >1.8 alpha1-6, and the version soon to be in squeeze is already beyond
> >that at alpha 1-7.
> Here is the patch:
> krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium
> * Import upstream fixes including:
> - A non-conformance with RFC 4120 that causes enc_padata to be
> included when the client may not support it
> - Weak crypto acts as a filter and does not reject if DES is
> included in krb5.conf, fixes Samba net ads join, Closes: #566977
> * Medium urgency because of the samba bug fix. If the samba
> request the release team to bump to high I'd support that.
> * Update libkdb5 symbols for new upstream internal interface
I have just tested the new package from Debian and it indeed does solve the
problem and you don't need the weak_crypto option in krb5.conf. Thanks to
all who got us through this bump in the road.
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
More information about the samba