[Samba] [FIXED on Debian] Re: ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Robert LeBlanc
robert at leblancnet.us
Fri Feb 19 08:20:15 MST 2010
On Wed, Feb 17, 2010 at 6:39 AM, Wilkinson, Alex <
alex.wilkinson at dsto.defence.gov.au> wrote:
>
> 0n Wed, Feb 17, 2010 at 07:49:25AM -0600, Dale Schroeder wrote:
>
> >
> >> Reply to list/user gets me again! Anyway, we are at 2008 functional
> level,
> >> so I don't think our domain is even accepting DES. It looks like
> Debian has
> >> a fix in libkrb5 that has another two days in sid, then will be
> migrated to
> >> Squeeze.
> >That's the best news I've had in days. I noticed that the original
> >reporter of the bug had success with
> >1.8 alpha1-6, and the version soon to be in squeeze is already beyond
> >that at alpha 1-7.
>
> Here is the patch:
>
>
> http://packages.debian.org/changelogs/pool/main/k/krb5/krb5_1.8+dfsg~alpha1-7/changelog<http://packages.debian.org/changelogs/pool/main/k/krb5/krb5_1.8+dfsg%7Ealpha1-7/changelog>
>
> krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium
>
> * Import upstream fixes including:
> - A non-conformance with RFC 4120 that causes enc_padata to be
> included when the client may not support it
> - Weak crypto acts as a filter and does not reject if DES is
> included in krb5.conf, fixes Samba net ads join, Closes: #566977
> * Medium urgency because of the samba bug fix. If the samba
> maintainers
> request the release team to bump to high I'd support that.
> * Update libkdb5 symbols for new upstream internal interface
>
>
I have just tested the new package from Debian and it indeed does solve the
problem and you don't need the weak_crypto option in krb5.conf. Thanks to
all who got us through this bump in the road.
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
More information about the samba
mailing list