After days of tests it seems it's a kerberos tickets forwarding problem,
smbclient replying with an spnego error claiming a lack of information from
kerberos.
The group resolving problem looks like an issue with ticket forwarding
(forwardable and forward true in appdefaults): the filer requires
If Allow_weak_crypto = true is making things work better with Windows,
something is broken somewhere else to cause this.
Without this parameter in krb5.conf the auth against the ADS to access
services like http goes wrong and asks fora login/pass instead of using
the kerberos tickets,
packages:
9.04 : krb5-user 1.6.dfsg.4~beta1-5ubuntu2.2 with likewise-open5
5.0.3991.1-0ubuntu2
10.04 : krb5-user 1.8.1+dfsg-2 with likewise 5.3.0-1
--
krb5 and ADS error using 10.04, not 9.04
https://bugs.launchpad.net/bugs/567188
You received this bug notification because you are a member of
The errors are the results of MIT resolution to exclude DES/DES3 from the
supported enctypes (security reasons).
The parameter allow_weak_crypto = true should be added in the default
[libdefaults] section of /etc/krb5.conf.
Adding this parameter solved the errors of the original bug report but