From: dale on
Alex,

I've been a victim of this since Day 1. After a lot of reading and emailing, it comes down to this. libkrb5-3 version 1.8x by default disallows DES encryption. /etc/krb5.conf can be changed to allow weak encryption, but as it relates to Samba, is only effective in letting the system join the domain. For its internal functioning, winbind uses an autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of libkrb5-3 in Debian, has taken over the responsibility of fixing that package, rather than the Samba maintainers doing a change there. In the interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope this fix is soon coming.

Dale


-----Original message-----
From: "Wilkinson, Alex" alex.wilkinson(a)dsto.defence.gov.au
Date: Fri, 12 Feb 2010 21:54:26 -0600
To: samba(a)lists.samba.org
Subject: Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

> Anyone ?
>
> -Alex
>
> On Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
>
> >Hi all,
> >
> >According to this bug report:
> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
> >
> >This particular error is actually a bug in the samba code.
> >
> >Does anyone know if there are patches that fix this ?
> >
> >Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :(
> >
> >Has anyone got a working solution for this ?
> >
> > -Alex
>
> IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
From: Rob Townley on
On Sat, Feb 13, 2010 at 1:35 PM, <dale(a)briannassaladdressing.com> wrote:

> Alex,
>
> I've been a victim of this since Day 1. After a lot of reading and
> emailing, it comes down to this. libkrb5-3 version 1.8x by default
> disallows DES encryption. /etc/krb5.conf can be changed to allow weak
> encryption, but as it relates to Samba, is only effective in letting the
> system join the domain. For its internal functioning, winbind uses an
> autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has
> no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of
> libkrb5-3 in Debian, has taken over the responsibility of fixing that
> package, rather than the Samba maintainers doing a change there. In the
> interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope
> this fix is soon coming.
>
> Dale
>
>
Instead of lowering the encryption level to something broken 12 years ago,
why not just remove DES from everywhere and replace with stronger encryption
types?

Microsoft is phasing out winbind for 2008, so i wonder what that means for
SaMBa winbind. i would hope to use an all kerberos/ldap solution for
authentication in order to continue Linux ADS interoperability.

Does anyone have a winbind_krb5_locator.so file? All i have on my system is
a docbook/manpage but no binary file. If it was there, it seems like it
would use /etc/krb5.conf instead of another.
http://samba.org/samba/docs/man/manpages-3/winbind_krb5_locator.7.html

Under Fedora, the referenced file winbind_krb5_locator.so is nonexistent.


Another poster emailed that they tried changing the krb5.conf manually on
Debian Squeeze
(edited /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME) and when I
restart winbind, the file is clobbered back to the original. I think this is
in conjunction with a bug from Kerberos where if DES is specified as a
supported type, even if something else better is specified, Kerberos refuses
to play.

Here is what 3.4.5 is showing:
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

It would be nice to have some sort of fix/workaround for this, it seems to
have blindsided us.

I just noticed Jeremy's post, yes it would be helpful to have a config
option to have all kerberos related options in /etc/krb5.conf and i wonder
if that is what the winbind_krb5_locator.so file is meant to do?




From: Rob Townley on
On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison <jra(a)samba.org> wrote:
> On Sat, Feb 13, 2010 at 01:35:12PM -0600, dale(a)briannassaladdressing.com wrote:
>> Alex,
>>
>> I've been a victim of this since Day 1. After a lot of reading and emailing, it comes down to this. libkrb5-3 version 1.8x by default disallows DES encryption. /etc/krb5.conf can be changed to allow weak encryption, but as it relates to Samba, is only effective in letting the system join the domain. For its internal functioning, winbind uses an autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of libkrb5-3 in Debian, has taken over the responsibility of fixing that package, rather than the Samba maintainers doing a change there. In the interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope this fix is soon coming.
>
> In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> if this private krb5.conf file is created or not. Would it be helpful
> for this to be back ported to earlier versions ?
>
> Jeremy.

i do not want any weak encryption on my systems.

If "create krb5 conf = no" in smb.conf means, that i can
specify RC4 and AES in /etc/krb5.conf and then winbind will honor and
not create a ghost krb5.conf.NETBIOSDOMAINNAME, i would greatly
appreciate it being backported.
Of course, i run CentOS 5 and that uses 3.0.33. How far back is realistic?

>
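As an added example (not code from the Samba project, MIT Kerberos, or anyone in this thread), the script below does the two checks this discussion keeps circling: it parses the [libdefaults] enctype lists of a krb5.conf and reports which of them name a single-DES type (the three lines Rob quoted from the 3.4.5 generated file are the motivating case), and it reads smb.conf for the Samba 3.5.0 parameter "create krb5 conf" that Jeremy mentions. The sample krb5.conf and smb.conf texts are constructed for the example; the realm EXAMPLE.COM, the workgroup, and the AES/RC4 enctype names in the hardened file are assumptions, while the three DES/RC4 lines in the generated sample mirror what Rob posted.

```python
"""Audit krb5.conf enctype lists for single-DES types and check smb.conf
for Samba's "create krb5 conf" switch.

Added example for this thread; not code from Samba or MIT Kerberos. All
sample configuration below is constructed for the example.
"""
import re

# Single-DES enctype names as MIT krb5 spells them. des3-* (triple DES) is
# deliberately not in this set; the match is exact, not a prefix match.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des"}

# The [libdefaults] keys that carry enctype lists.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "preferred_enctypes", "permitted_enctypes")

# Constructed: what winbind's generated /var/run/samba/smb_krb5/krb5.conf.<NETBIOSNAME>
# looked like in the thread (the three enctype lines are as Rob quoted them).
GENERATED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""

# Constructed: an /etc/krb5.conf that lists only AES and RC4, no DES at all.
HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
"""

# Constructed: smb.conf using the Samba 3.5.0 parameter Jeremy mentions.
HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    create krb5 conf = no
"""


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf text."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # section header
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip()
    return values


def des_enctypes(value):
    """Names in a space-separated enctype list that are single-DES (case-insensitive)."""
    return [name for name in value.split() if name.lower() in DES_ENCTYPES]


def audit_krb5_conf(text):
    """Report which enctype lists name DES and whether allow_weak_crypto is set."""
    libdefaults = parse_libdefaults(text)
    des_listed = {}
    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            weak = des_enctypes(libdefaults[key])
            if weak:
                des_listed[key] = weak
    allow_weak = libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1")
    return {"des_listed": des_listed, "allow_weak_crypto": allow_weak}


def create_krb5_conf_enabled(smb_conf_text):
    """True unless [global] sets 'create krb5 conf = no' (the parameter's default is yes).

    Samba treats parameter names case- and whitespace-insensitively, so the
    key is normalised before comparison.
    """
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if " ".join(key.split()).lower() == "create krb5 conf":
            return value.strip().lower() in ("yes", "true", "1")
    return True


if __name__ == "__main__":
    for label, conf in (("generated", GENERATED_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(label, audit_krb5_conf(conf))
    print("winbind writes its own krb5.conf:", create_krb5_conf_enabled(HARDENED_SMB_CONF))
```

To use it on a real box, feed `audit_krb5_conf` the contents of /etc/krb5.conf and of the generated file under /var/run/samba/smb_krb5/, and `create_krb5_conf_enabled` the contents of smb.conf. A result with DES in every list and allow_weak_crypto false describes the generated file from the thread; an empty `des_listed` on /etc/krb5.conf together with `create_krb5_conf_enabled` returning False is the configuration Rob was asking for.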
From: Robert LeBlanc on
On Tue, Feb 23, 2010 at 8:32 PM, Rob Townley <rob.townley(a)gmail.com> wrote:

> On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison <jra(a)samba.org> wrote:
> > On Sat, Feb 13, 2010 at 01:35:12PM -0600, dale(a)briannassaladdressing.com wrote:
> >> Alex,
> >>
> >> I've been a victim of this since Day 1. After a lot of reading and
> emailing, it comes down to this. libkrb5-3 version 1.8x by default
> disallows DES encryption. /etc/krb5.conf can be changed to allow weak
> encryption, but as it relates to Samba, is only effective in letting the
> system join the domain. For its internal functioning, winbind uses an
> autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has
> no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of
> libkrb5-3 in Debian, has taken over the responsibility of fixing that
> package, rather than the Samba maintainers doing a change there. In the
> interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope
> this fix is soon coming.
> >
> > In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> > if this private krb5.conf file is created or not. Would it be helpful
> > for this to be back ported to earlier versions ?
> >
> > Jeremy.
>
> i do not want any weak encryption on my systems.
>
> If "create krb5 conf = no" in smb.conf means, that i can
> specify RC4 and AES in /etc/krb5.conf and then winbind will honor and
> not create a ghost krb5.conf.NETBIOSDOMAINNAME, i would greatly
> appreciate it being backported.
> Of course, i run CentOS 5 and that uses 3.0.33. How far back is realistic?
>
With the latest update on Debian, you don't have to enable weak encryption
types. Kerberos now silently ignores the DES options and only uses the RC4
to communicate with the domain controllers. I do not have
'enable_weak_crypto' in my krb5.conf files and it works fine now.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University