Bug #330
Cancelled support for DES in Heimdal Kerberos breaks Samba Winbind
| Status: | Closed |
|---|---|
| Priority: | Normal |
| Assignee: | |
| Category: | Aports |
| Target version: | Alpine 1.10.1 |
| Start date: | 03/17/2010 |
| Due date: | |
| % Done: | 100% |
Description
When trying to run net ads join in Alpine 1.10, you get the following error:
[2010/03/17 08:27:38, 0] libads/sasl.c:819(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type
The versions are Heimdal Kerberos 1.3.1 and Samba 3.4.7.
After some investigation I found the following:
- Heimdal removed support for DES encryption in 1.3.0
- Samba makes its own krb5.conf at the following location:
/var/cache/samba/smb_krb5/krb5.conf.DOMAIN
- MIT Kerberos has experienced similar problems when removing DES encryption: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
  - This was fixed upstream by MIT Kerberos filtering weak encryption instead of rejecting it. Could this be done by Heimdal Kerberos as well?
- Samba turns on weak encryption by default in its krb5.conf.DOMAIN
- Heimdal Kerberos rejects this because it contains weak encryption types
Suggested solutions
- Heimdal Kerberos should filter it instead, as MIT Kerberos does in 1.8 alpha1
- Samba should remove deprecated weak encryption from its krb5.conf.DOMAIN
It is possible to turn on weak encryption in Heimdal Kerberos by adding allow_weak_crypto=yes to krb5.conf, but this is not transferred to Samba's krb5.conf.DOMAIN
Background info
/var/cache/samba/smb_krb5/krb5.conf.DOMAIN contains:
[libdefaults]
default_realm = DOMAIN.FQDN
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
DOMAIN.FQDN = {
kdc = 10.0.0.11
kdc = 10.0.0.12
kdc = 10.0.0.12
}
Which is different from my /etc/kerberos/krb5.conf.
This file is generated by libads in Samba 3, specifically by the function create_local_private_krb5_conf_for_domain in source3/libads/kerberos.c, which seems to take the kdc and REALM settings from somewhere and hardcodes the rest of the crypto information.
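The second suggested solution above, dropping the DES enctypes from the generated krb5.conf.DOMAIN instead of letting the library reject the whole file, as an added Python example (not Samba's or Heimdal's code; the set of DES spellings beyond the two in the quoted config, and the choice to refuse an all-weak list, are assumptions):

```python
import re

# Single-DES enctype names, compared case-insensitively. DES-CBC-CRC and
# DES-CBC-MD5 are in the quoted config; the other spellings are assumed.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}

# The [libdefaults] keys that hold enctype lists; nothing else is rewritten.
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes",
                "preferred_enctypes", "permitted_enctypes"}

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_KEYVAL = re.compile(r"^(\s*)(\w+)(\s*=\s*)(.*?)\s*$")

def filter_weak_enctypes(conf_text):
    """Return (filtered_text, removed) for a krb5.conf-style string.
    Only enctype keys inside [libdefaults] are touched; [realms] passes through.
    Raises ValueError if a list would end up empty (worse than a rejected file)."""
    out, removed, section = [], [], None
    for line in conf_text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            section = sec.group(1).lower()
        kv = _KEYVAL.match(line)
        if section == "libdefaults" and kv and kv.group(2).lower() in ENCTYPE_KEYS:
            indent, key, sep, value = kv.groups()
            toks = value.split()
            kept = [e for e in toks if e.lower() not in WEAK_ENCTYPES]
            if not kept:
                raise ValueError(f"{key}: every listed enctype is weak")
            removed.extend(f"{key}: {e}" for e in toks if e not in kept)
            line = f"{indent}{key}{sep}{' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample: the krb5.conf.DOMAIN quoted in the report above.
SAMPLE = """[libdefaults]
default_realm = DOMAIN.FQDN
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
DOMAIN.FQDN = {
kdc = 10.0.0.11
kdc = 10.0.0.12
}
"""

if __name__ == "__main__":
    text, removed = filter_weak_enctypes(SAMPLE)
    print(text, "removed:", removed)
```

Run against the real file only after a backup, since Samba regenerates it and may put the DES entries back.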
History
Updated by Natanael Copa almost 2 years ago
Enabling allow_weak_crypto in krb5.conf seems to allow you to actually join the domain. However, you still get the error message below when running net ads testjoin:
[2010/03/17 14:26:44, 0] libads/sasl.c:819(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2010/03/17 14:26:44, 0] libads/sasl.c:819(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Join to domain is not valid: Undetermined error
wbinfo -g will still list your groups.
Updated by Natanael Copa almost 2 years ago
Sent request upstream: http://article.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5280
Updated by Leonardo Arena almost 2 years ago
Updated by Natanael Copa almost 2 years ago
- Category set to Aports
- Status changed from New to Resolved
- Assignee set to Leonardo Arena
- Target version set to Alpine 1.10.1
- % Done changed from 0 to 100
That solved it.
Thanks a lot!
Updated by Natanael Copa almost 2 years ago
- Status changed from Resolved to Closed