[Samba] winbind failure with libkrb5-3 1.8 in Debian *RENAMED*

Dale Schroeder dale at BriannasSaladDressing.com
Wed Jan 27 10:45:44 MST 2010

I have renamed this thread as the panics stopped when libkrb5-3, et.al. 
were upgraded to 1.8.
However, bigger problems are now occurring.  See below.

On 01/27/2010 10:13 AM, Volker Lendecke wrote:
> On Wed, Jan 27, 2010 at 04:05:46AM -0800, Steve Langasek wrote:
>> On Tue, Jan 26, 2010 at 02:22:36PM -0800, Steve Langasek wrote:
>>> On Tue, Jan 26, 2010 at 05:03:51PM -0500, Sam Hartman wrote:
>>>>>>>>> "Steve" == Steve Langasek<vorlon at debian.org>  writes:
>>>>      Steve>  On Tue, Jan 26, 2010 at 01:29:08PM -0500, Sam Hartman wrote:
>>>>      >>  OK.  Can someone on the Samba side confirm that the Linux kernel
>>>>      >>  only supports DES for some Samba related Kerberos operation?
>>>>      >>  Specific details on what is going on would be useful.
>>>>      Steve>  The kernel is only involved when one is using CIFS mounts,
>>>>      Steve>  which aren't relevant to winbind and domain joining; so this
>>>>      Steve>  shouldn't be a kernel issue.
>>>> OK.  Then I currently have no idea why allow_weak_crypto would be
>>>> desirable for Samba.
>>> In the case of AD realms that were continuously upgraded from NT4 domains,
>>> you may have accounts only using RC4 as an enctype for
>>> backwards-compatibility with pre-AD systems.  I don't know if this is the
>>> reason these users are seeing problems, but it's the only case I can think
>>> of why allow_weak_crypto should be needed.
>> Sorry, having looked at the source now, I see that the weak crypto handling
>> is specific to DES, not RC4; and if Samba were *only* using RC4, this error
>> would not happen.
>> However, Samba requests both RC4 and DES, a historical remnant of the time
>> when DES was the only enctype in common between all Kerberos
>> implementations.
> Referring to the SUBJECT: Where is this leading to a panic
> in Samba 3.4, I got lost in the meantime.
> Volker

Now, winbind simply doesn't work in 3.4.3 nor in 3.4.5, the latter which 
I tested this morning.

The 3.4.5 testing was done with libkrb5-3 1.8+dsfg~alpha1-5, upgraded 
from alpha1-4.
This also includes setting
in krb5.conf; however, the encryption error message returns when testing 
the join or doing kinit.

[date time, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks 
support for encryption type.
[repeat above two lines]
Join to domain is not valid: Undetermined error

I guess I should retest stable to see what that yields.


More information about the samba mailing list