[Samba] FYI: One Possible Resolution to "KDC has no support for encryption type"

E R fasteddieinaustin at gmail.com
Fri Feb 3 23:36:56 UTC 2023

As part of continuous improvement I wanted to update my Samba AD member
server (ads) to flip the setting for "kerberos encryption types" from the
default of "all" to "strong" to move one step closer to getting rid of RC4
as I know that is coming.  But when I ran a "net ads join -U administrator"
I received an error "kerberos_kinit_password Administrator at DOMAIN.COM
failed: KDC has no support for encryption type".  Curiously the domain join
actually appeared to work as I had an AD object for the Samba server in the
Windows AD.  If I used my own account for the domain join, I did not
receive the error message.  And changing the setting back to "all" did not
cause the error message to appear.

After quite a bit of reading and reviewing settings, what I found was that
the password for this account has not been changed since the AD forest was
changed from a functional level of 2003 to 2012 R2.  As I understand
the AES tech was added in Server 2008/Windows 7.  I changed the password
twice (once to a new password and again back to the same password since
there are undoubtedly things using the password).  Voilà!  No more error
message when I join the domain with the domain administrator account and I
feel confident that I can now set the option to use "strong" on the
production server in the near future.
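
The check this post points to, as an added example that is not part of the original message: before setting "kerberos encryption types = strong", list the accounts whose pwdLastSet predates the functional-level raise, since their passwords have not been changed since and they may hit the same error. The LDIF sample, the cutoff date and the function names are constructed for illustration; pwdLastSet and sAMAccountName are the standard AD attributes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `ldapsearch` LDIF output; all names and
# values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
pwdLastSet: 128756736000000000

dn: CN=jdoe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
pwdLastSet: 133198560000000000

dn: CN=svc-legacy,CN=Users,DC=example,DC=com
sAMAccountName: svc-legacy
pwdLastSet: 0
"""

# Assumption: placeholder for the date the functional level was raised.
AES_AVAILABLE_SINCE = datetime(2015, 6, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def parse_ldif(text):
    """Yield one dict per LDIF entry (single-valued, unfolded lines only)."""
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        yield {key: val for key, sep, val in pairs if sep}

def accounts_needing_password_change(text, cutoff=AES_AVAILABLE_SINCE):
    """Return (name, last_set) for accounts whose password predates cutoff."""
    stale = []
    for entry in parse_ldif(text):
        if "sAMAccountName" not in entry:
            continue
        raw = int(entry.get("pwdLastSet", "0"))
        # 0 carries no timestamp (password must be changed at next logon),
        # so report it for manual review rather than guessing.
        last_set = filetime_to_datetime(raw) if raw else None
        if last_set is None or last_set < cutoff:
            stale.append((entry["sAMAccountName"], last_set))
    return stale

if __name__ == "__main__":
    for name, when in accounts_needing_password_change(SAMPLE_LDIF):
        print(f"{name}: password last set {when or 'unknown (pwdLastSet=0)'}")
```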
