[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

Robert LeBlanc robert at leblancnet.us
Wed Feb 24 10:26:14 MST 2010

On Tue, Feb 23, 2010 at 8:32 PM, Rob Townley <rob.townley at gmail.com> wrote:

> On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison <jra at samba.org> wrote:
> > On Sat, Feb 13, 2010 at 01:35:12PM -0600, dale at briannassaladdressing.com wrote:
> >> Alex,
> >>
> >> I've been a victim of this since Day 1.  After a lot of reading and
> >> emailing, it comes down to this.  libkrb5-3 version 1.8x by default
> >> disallows DES encryption.  /etc/krb5.conf can be changed to allow weak
> >> encryption, but as it relates to Samba, is only effective in letting the
> >> system join the domain.  For its internal functioning, winbind uses an
> >> autogenerated krb5.conf that resides in /var/run/samba.  This krb5.conf has
> >> no knowledge of allow_weak_crypto=true.  Sam Hartman, the maintainer of
> >> libkrb5-3 in Debian, has taken over the responsibility of fixing that
> >> package, rather than the Samba maintainers doing a change there.  In the
> >> interim, winbind is broken with libkrb5-3 version 1.8x.  We can only hope
> >> this fix is soon coming.
> >
> > In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> > if this private krb5.conf file is created or not. Would it be helpful
> > for this to be back ported to earlier versions ?
> >
> > Jeremy.
> I do not want any weak encryption on my systems.
> If "create krb5 conf = no" in smb.conf means that I can
> specify RC4 and AES in /etc/krb5.conf and then winbind will honor and
> not create a ghost krb5.conf.NEBIOSDOMAINNAME, I would greatly
> appreciate it being backported.
> Of course, I run CentOS 5 and that uses 3.0.33.  How far back is realistic?

With the latest update on Debian, you don't have to enable weak encryption
types. Kerberos now silently ignores the DES options and only uses the RC4
to communicate with the domain controllers. I do not have
'enable_weak_crypto' in my krb5.conf files and it works fine now.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
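
The mismatch discussed in this thread (a krb5.conf that lists single-DES enctypes without setting allow_weak_crypto) can be checked for with a small audit script. This is an added example, not code from the thread or from Samba; the function name `audit_krb5_conf` is hypothetical and the sample configuration is constructed.

```python
import re
import sys

# Single-DES enctype names (and the "des" family alias) that MIT Kerberos
# only accepts when allow_weak_crypto is enabled.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: a private krb5.conf that lists DES but never enables it.
SAMPLE_PRIVATE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
    EXAMPLE.COM = {
        kdc = 192.0.2.10
    }
"""

def audit_krb5_conf(text):
    """Return (allow_weak_crypto, {key: [single-DES names]}) from [libdefaults]."""
    section, allow_weak, weak_listed = None, False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto":
            allow_weak = value.lower() in TRUE_VALUES
        elif key in ENCTYPE_KEYS:
            names = [n.lower() for n in re.split(r"[,\s]+", value) if n]
            weak = [n for n in names if n in WEAK_ENCTYPES]
            if weak:
                weak_listed[key] = weak
    return allow_weak, weak_listed

if __name__ == "__main__":
    # Pass the system krb5.conf and the winbind-generated one as arguments.
    for path in sys.argv[1:]:
        with open(path) as fh:
            allow_weak, weak_listed = audit_krb5_conf(fh.read())
        print(f"{path}: allow_weak_crypto={allow_weak} single-DES listed={weak_listed}")
```

A file that reports single-DES names with allow_weak_crypto=False is one where those names have no effect; removing them and keeping RC4 or AES makes the configuration state what is actually negotiated.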
