[Pkg-samba-maint] Bug#566977: samba-common-bin: 'net ads join' fails against Windows 2003 domain with 'Program lacks support for encryption type'

Holger Isenberg isenberg at e-spirit.com
Tue Jan 26 09:09:18 UTC 2010


Package: samba-common-bin
Version: 2:3.4.3-2
Severity: normal


After dist-upgrade from lenny to squeeze, joining an Active Directory
Windows 2003 domain fails. Even downgrading Samba to 3.2.5 from lenny
without changing the Kerberos libs did not help, nor did upgrading Samba
to 3.4.5 from unstable and using the Kerberos libs from unstable.

Kerberos itself with kinit works.

# kinit administrator
Password for administrator@E-SPIRIT.DE:

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@E-SPIRIT.DE

Valid starting     Expires            Service principal
01/26/10 09:43:15  01/26/10 19:43:19  krbtgt/E-SPIRIT.DE@E-SPIRIT.DE
renew until 01/27/10 09:43:15, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

# net -d9 ads join -U administrator
[...]
[2010/01/26 09:33:22,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2010/01/26 09:33:22,  1] libnet/libnet_join.c:1903(libnet_Join)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'E-SPIRIT'
              dns_domain_name          : 'e-spirit.de'
              forest_name              : 'e-spirit.de'
              dn                       : NULL
              domain_sid               : *
                  domain_sid               : S-1-5-21-567673327-774986681-227697207
              modified_config          : 0x00 (0)
              error_string             : 'failed to connect to AD: Program lacks support for encryption type'
              domain_is_ad             : 0x01 (1)
              result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: Program lacks support for encryption type
[2010/01/26 09:33:22,  2] utils/net.c:779(main)
  return code = -1


/etc/krb5.conf:
[libdefaults]
default_realm = E-SPIRIT.DE
clockskew = 600
forwardable = true
proxiable = true

[domain_realm]
.e-spirit.de = E-SPIRIT.DE
e-spirit.de = E-SPIRIT.DE


/etc/samba/smb.conf
[global]
   server string = Linux-Server 
   security = ads
   workgroup = E-SPIRIT
   realm = E-SPIRIT.DE
   kerberos method = system keytab
   #use kerberos keytab = true
   #template primary group = users
   template homedir = /home/%U
   template shell = /bin/bash
   idmap uid = 1100-9000
   idmap gid = 1100-9000
   winbind uid = 1100-9000
   winbind gid = 1100-9000
   winbind separator = +
   winbind cache time = 10
   winbind use default domain = yes
   winbind nested groups = yes
   winbind enum users = no
   winbind enum groups = no
   
   username map = /etc/samba/smbusers
   guest account = nobody
   invalid users = root

   encrypt passwords = true
   load printers = no
   map to guest = Bad User

   log file = /var/log/samba/smb_%M.log
   max log size = 10000
   syslog = 0

   local master = no
   os level = 33
   domain master = no
   preferred master = no
   domain logons = no
   wins support = no
   wins proxy = no
   dns proxy = yes
   name resolve order = host bcast

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   veto files = /Thumbs.db/.thumbnails/.DS_Store/.xvpics/
   delete veto files = yes


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages samba-common-bin depends on:
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libcap2                1:2.17-2          support for getting/setting POSIX.
ii  libcomerr2             1.41.9-1          common error description library
ii  libgssapi-krb5-2       1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii  libk5crypto3           1.8+dfsg~alpha1-4 MIT Kerberos runtime libraries - C
ii  libkrb5-3              1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii  libldap-2.4-2          2.4.17-2.1        OpenLDAP libraries
ii  libncurses5            5.7+20090803-2    shared libraries for terminal hand
ii  libpopt0               1.15-1            lib for parsing cmdline parameters
ii  libreadline6           6.1-1             GNU readline and history libraries
ii  libtalloc2             2.0.1-1           hierarchical pool based memory all
ii  libuuid1               2.16.2-0          Universally Unique ID library
ii  libwbclient0           2:3.4.5~dfsg-1    Samba winbind client library
ii  samba-common           2:3.4.3-2         common files used by both the Samb
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

samba-common-bin recommends no packages.

samba-common-bin suggests no packages.

-- no debconf information




