I have renamed this thread as the panics stopped when libkrb5-3, et al. were upgraded to 1.8.
However, bigger problems are now occurring.  See below.

On 01/27/2010 10:13 AM, Volker Lendecke wrote:
> On Wed, Jan 27, 2010 at 04:05:46AM -0800, Steve Langasek wrote:
>> On Tue, Jan 26, 2010 at 02:22:36PM -0800, Steve Langasek wrote:
>>> On Tue, Jan 26, 2010 at 05:03:51PM -0500, Sam Hartman wrote:
>>>> "Steve" == Steve Langasek <vor...@debian.org> writes:
>>>>     Steve> On Tue, Jan 26, 2010 at 01:29:08PM -0500, Sam Hartman wrote:
>>>>     >> OK.  Can someone on the Samba side confirm that the Linux kernel
>>>>     >> only supports DES for some Samba related Kerberos operation?
>>>>     >> Specific details on what is going on would be useful.
>>>>     Steve> The kernel is only involved when one is using CIFS mounts,
>>>>     Steve> which aren't relevant to winbind and domain joining; so this
>>>>     Steve> shouldn't be a kernel issue.
>>>> OK.  Then I currently have no idea why allow_weak_crypto would be
>>>> desirable for Samba.
>>> In the case of AD realms that were continuously upgraded from NT4 domains,
>>> you may have accounts only using RC4 as an enctype for
>>> backwards-compatibility with pre-AD systems.  I don't know if this is the
>>> reason these users are seeing problems, but it's the only case I can think
>>> of why allow_weak_crypto should be needed.
>> Sorry, having looked at the source now, I see that the weak crypto handling
>> is specific to DES, not RC4; and if Samba were *only* using RC4, this error
>> would not happen.
>>
>> However, Samba requests both RC4 and DES, a historical remnant of the time
>> when DES was the only enctype in common between all Kerberos
>> implementations.
> Referring to the SUBJECT: Where is this leading to a panic
> in Samba 3.4, I got lost in the meantime.
>
> Volker

Now, winbind simply doesn't work in 3.4.3 or in 3.4.5, the latter of which I tested this morning.

The 3.4.5 testing was done with libkrb5-3 1.8+dsfg~alpha1-5, upgraded from alpha1-4.
This also includes setting
    allow_weak_crypto=true
in krb5.conf; however, the encryption error message returns when testing the join or doing kinit.

[date time, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type.
[repeat above two lines]
Join to domain is not valid: Undetermined error

I guess I should retest stable to see what that yields.

Dale
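
An added example, not part of the original thread or of Samba or MIT krb5: a small check of the krb5.conf side of the discussion above, reporting whether `allow_weak_crypto` sits in `[libdefaults]` and which single-DES enctypes the configured lists name. The function names, the `SAMPLE` text and the `EXAMPLE.COM` realm are constructed for illustration; the script does not look at enctypes an application such as Samba requests through the API.

```python
import re

# Single-DES enctype names ("des" is the family alias) that MIT krb5 1.8+
# filters out of the configured lists unless allow_weak_crypto is true.
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_sections(text):
    """Return {section: {key: value}}; nested realm blocks are flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, value)  # first value of a relation wins
    return sections

def audit(text):
    sections = parse_sections(text)
    lib = sections.get("libdefaults", {})
    allow = lib.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    findings = [f"allow_weak_crypto is set in [{name}], not [libdefaults]"
                for name, body in sections.items()
                if name != "libdefaults" and "allow_weak_crypto" in body]
    for key in ENCTYPE_KEYS:
        # "+name" adds an enctype; "-name" removes one and is not counted.
        names = [e.lstrip("+").lower() for e in re.split(r"[,\s]+", lib.get(key, ""))]
        weak = sorted(set(names) & WEAK)
        if weak:
            state = "usable" if allow else "filtered out"
            findings.append(f"{key}: {', '.join(weak)} {state}")
    return findings

# Constructed sample: the flag sits in the wrong section, so DES stays filtered.
SAMPLE = """\
[libdefaults]
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
    EXAMPLE.COM = {
        allow_weak_crypto = true
    }
"""
print("\n".join(audit(SAMPLE)))
```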



