[Samba] Samba 3.4 Panic in Debian

Dale Schroeder dale at BriannasSaladDressing.com
Tue Jan 26 07:56:00 MST 2010

On 01/26/2010 12:44 AM, Christian PERRIER wrote:
> Quoting Jeremy Allison (jra at samba.org):
>> On Mon, Jan 25, 2010 at 11:14:31AM -0600, Dale Schroeder wrote:
>>> This time, it seems to be an ADS specific winbind error.
>>> I have attempted with the current kernel - 2.6.32-trunk-686 and the
>>> previous kernel - 2.6.30-2-686.
>>> What kind of encryption change has occurred, and which program is it
>>> referring to as lacking the encryption type - samba or krb5?
>> This is a krb5 error. Try upgrading the krb5 libraries ?
> Dale, can you send the output of "dpkg -s libkrb5-3"
> Sam Hartman is working hard on krb5 these days. I can't check right
> now but it's highly probable that Debian testing doesn't have the same
> version as unstable (1.7 in testing, 1.8 in unstable).
> So, Jeremy's advice is probably worth it if you have the 1.7 version of
> krb5 and if that solves your problems, then we might need to update
> dependencies in samba packages.
Actually, I think it was the upgrade to 1.8 that caused the problem.
Steve Langasek informed me that DES is disabled by default in 1.8 and
gave me a link to documentation that indicated I need this in krb5.conf
under [libdefaults]:

dpkg -s libkrb5-3

Package: libkrb5-3
Status: install ok installed
Priority: standard
Section: libs
Installed-Size: 888
Maintainer: Sam Hartman<hartmans at debian.org>
Architecture: i386
Source: krb5
Version: 1.8+dfsg~alpha1-4
Replaces: libkrb53 (<<  1.6.dfsg.4~beta1-7)
Depends: libc6 (>= 2.9), libcomerr2 (>= 1.34), libk5crypto3 (>= 1.8+dfsg~alpha1), libkeyutils1, libkrb5support0 (= 1.8+dfsg~alpha1-4)
Suggests: krb5-doc, krb5-user
Conflicts: libapache-mod-auth-kerb (<= 4.996-5.0-rc6-2), libapache2-mod-auth-kerb (<= 4.996-5.0-rc6-2), ssh-krb5 (<<  3.8.1p1-10)
Description: MIT Kerberos runtime libraries
  Kerberos is a system for authenticating users and services on a network.
  Kerberos is a trusted third-party service.  That means that there is a
  third party (the Kerberos server) that is trusted by all the entities on
  the network (users and services, usually called "principals").
  This is the MIT reference implementation of Kerberos V5.
  This package contains the runtime library for the main Kerberos v5 API
  used by applications and Kerberos clients.

Enabling DES has only been mostly successful.  One system running stable 
(3.2.5) could now rejoin the domain, shares are accessible, but getent 
and wbinfo give no output.

The other system running testing (3.4.3) still gives the encryption
error on a testjoin, shows correct info with getent and wbinfo (now
minus the panics), and allows access to shares based on user
permissions, but fails with group permissions.  An attempt to rejoin
the domain still fails.  However, winbind has never worked for me in
testing, so this doesn't really mean much.

I see that libkrb5-3 is being updated again today to 1.8+dfsg~alpha1-5 
and will try it as soon as apt-get update quits throwing "Hash sum 
mismatch" errors.
Additionally, I will attempt Samba unstable (3.4.5).

There are still errors, but things are improving.  Advice is very welcome.
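
An added example, not part of the original message: a small Python check that reads a krb5.conf and reports where single-DES has been switched back on, the kind of change the message describes making after the 1.8 upgrade. It assumes MIT krb5's `allow_weak_crypto` and enctype-list options under `[libdefaults]`; the message does not show which setting was used, and the sample file below is constructed.

```python
import re

# Single-DES enctype names accepted by MIT krb5 ("des" is the family alias).
WEAK_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

def parse_libdefaults(text):
    """Return key/value pairs from [libdefaults]; the first occurrence of a key is kept."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values.setdefault(key.strip().lower(), value.strip())
    return values

def audit_des(text):
    """Return a list of findings about single-DES use in a krb5.conf text."""
    conf = parse_libdefaults(text)
    findings = []
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        listed = re.split(r"[,\s]+", conf.get(key, "").lower())
        weak = sorted(WEAK_DES.intersection(listed))
        if weak:
            findings.append(f"{key} lists single-DES enctypes: {', '.join(weak)}")
    return findings

# Constructed sample configuration, not taken from the post.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    for finding in audit_des(SAMPLE):
        print("WARN:", finding)
```

Running it against each host's krb5.conf gives a list of machines still depending on DES, which is useful for tracking when the workaround can be removed.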

