Re: [Samba] net ads join to w2k3 hangs, every encryption type fails

[arcetrax]

Hi!
I'm having the same issue: Linux Box with RedHat 3 joining a windows 2003
AD. When doing net ads join the system reports

[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16
failed: KDC has no support for encryption type
[2007/03/12 17:27:36, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for
encryption type
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465)
  verify_service_password: decrypted message with enctype 1 salt
HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 10] libads/kerberos.c:verify_service_password(465)
  verify_service_password: decrypted message with enctype 3 salt
HOST/[EMAIL PROTECTED]
[2007/03/12 17:27:36, 5] libads/kerberos.c:get_service_ticket(367)

but then it ends with 

Joined 'SAENET01' to realm 'ABC.COM'
[2007/03/12 17:27:36, 2] utils/net.c:main(897)
  return code = 0

and in the windows 2003 the server appears as registered. 

However, when launching samba, I get the following errors

[2007/03/12 17:32:49, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)

and when trying to authenticate with a user


check_ntlm_password:  Authentication for user [e0045146] - [e0045146]
FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/03/12 17:34:08, 3] smbd/error.c:error_packet(129)

Any help will be much appreciated!!

Arcetrax
-- 
View this message in context: 
http://www.nabble.com/net-ads-join-to-w2k3-hangs%2C-every-encryption-type-fails-tf3343350.html#a9436885
Sent from the Samba - General mailing list archive at Nabble.com.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] net ads join to w2k3 hangs, every encryption type fails

[vincas-samba]

I am able to get a kerberos ticket with kinit.  When I try to net ads join, it 
seems to loop.  In running net ads join in -d 10, 
I found that it tries enctypes 18,17,16,and 2 and then repeats, over and over.  
It does not seem to work on any of these.  I'm 
trying to get it to join a win2k3 domain.  Below is the bottom part of the log 
from net ads join, as well as some of my 
krb5.conf.  Any help would be appreciated, I'm at a loss here.

 
[logging]
default = FILE1:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = BLANKENSHIP.LOCAL
default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts 
arcfour-hmac-md5
#   default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 
aes256-cts arcfour-hmac-md5
#   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 
aes256-cts arcfour-hmac-md5
clockskew = 300
  



[2007/03/04 12:21:47, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 18 
failed: KDC has no support for 
encryption type
[2007/03/04 12:21:47, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:22:17, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 17 
failed: KDC has no support for 
encryption type
[2007/03/04 12:22:17, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:22:47, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 
failed: KDC has no support for 
encryption type
[2007/03/04 12:22:47, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:24:17, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 2 
failed: KDC has no support for 
encryption type
[2007/03/04 12:24:17, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:24:49, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 18 
failed: KDC has no support for 
encryption type
[2007/03/04 12:24:49, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:25:20, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 17 
failed: KDC has no support for 
encryption type
[2007/03/04 12:25:20, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:25:50, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 16 
failed: KDC has no support for 
encryption type
[2007/03/04 12:25:50, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
[2007/03/04 12:27:22, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for [EMAIL PROTECTED] enctype 2 
failed: KDC has no support for 
encryption type
[2007/03/04 12:27:22, 3] 
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for 
encryption type
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba