Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#17522 - [samba] Program lacks support for encryption type error

Attached to Project: Arch Linux
Opened by Peter Csepely (Thief_hu) - Tuesday, 15 December 2009, 19:02 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 06 March 2011, 10:12 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description:

I use Samba as a domain member in W2K3 AD with some shares, authentication with winbind. After system upgrade:
- samba (3.4.3-3 -> 3.4.3-4)
- heimdal (1.2.1-7 -> 1.3.1-2)
- tdb (3.4.3-3 -> 3.4.3-4)
- libldap (2.4.19-1 -> 2.4.20-1)
- smbclient (3.4.3-3 -> 3.4.3-4)

wbinfo -[u|w] produces "Error looking up domain users" or nothing.

In log the following lines appear:

winbindd[25642]: [2009/12/15 16:42:18, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
winbindd[25642]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type

winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [domain] failed: Program lacks support for encryption type

but a "net rpc join -S [PDC] -U [user]" joins successfully.

smb.conf:

security = DOMAIN
[...]
password server = [PDC]
local master = no
domain master = no
winbind separator = \\
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
valid users = [valid user]
auth methods = guest, sam, winbind
template shell = /bin/bash
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Sunday, 06 March 2011, 10:12 GMT
Reason for closing:  Fixed
Comment by Andrea Scarpino (BaSh) - Tuesday, 15 December 2009, 22:04 GMT
maybe is something related to libldap, please try to downgrade to 2.4.19-1
Comment by Peter Csepely (Thief_hu) - Wednesday, 16 December 2009, 08:59 GMT
After downgrading libldap wbinfo returns nothing.

Errors in log still remains.

More log entries:

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12964]: [2009/12/16 09:57:44, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)

==> /var/log/samba/winbindd.log <==
[2009/12/16 09:57:44, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12964]: initialize_winbindd_cache: clearing cache and re-creating with version number 1

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12966]: [2009/12/16 09:57:44, 0] libads/sasl.c:819(ads_sasl_spnego_bind)

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12966]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type

==> /var/log/samba/winbindd.log <==
[2009/12/16 09:57:44, 1] winbindd/winbindd_util.c:303(trustdom_recv)
Could not receive trustdoms

Any suggestion?
Comment by Kari Päivärinta (thlayli) - Thursday, 17 December 2009, 13:01 GMT
Having the same problems after upgrading yesterday..
Comment by Peter Csepely (Thief_hu) - Monday, 21 December 2009, 08:14 GMT
More log entries from log.wb-[DOMAIN NAME]

[2009/12/21 09:03:29, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:29, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:29, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2009/12/21 09:03:29, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [DOMAIN NAME] failed: Program lacks support for encryption type
[2009/12/21 09:03:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:34, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2009/12/21 09:03:34, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [DOMAIN NAME] failed: Program lacks support for encryption type
[2009/12/21 09:08:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:08:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:08:34, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2009/12/21 09:08:34, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [DOMAIN NAME] failed: Program lacks support for encryption type

I hope it helps.
Comment by partner55083777 (partner55083777) - Wednesday, 23 December 2009, 21:28 GMT
I'm getting a similar error. Commands like `net ads info` work, but `net ads join -U admin` will give me an error like this:

[2009/12/23 11:18:46, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type

Here is the relevant section of my smb.conf (output from testparm):

[global]
workgroup = (DELETED)
realm = (DELETED)
security = ADS
password server = (DELETED)
log level = 3
domain master = No
idmap uid = 5000-10000000
idmap gid = 5000-10000000
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Comment by partner55083777 (partner55083777) - Wednesday, 23 December 2009, 22:45 GMT
Oh, one more thing. I tried downgrading, and everything works for me using these package versions:

smbclient-3.4.3-2-x86_64
samba-3.4.3-2-x86_64
heimdal-1.2.1-7-x86_64

It might also work with samba-3.4.3-3, I didn't check.
Comment by Andrea Scarpino (BaSh) - Thursday, 24 December 2009, 01:03 GMT
assigned to wonder because it built samba for last, and to Allan too
Comment by partner55083777 (partner55083777) - Thursday, 24 December 2009, 13:14 GMT
Do you guys need anything else from me for debugging purposes? I'm running this all under a virtual machine, so it's not hard to mess with different configurations.
Comment by Phil Uithoven (puithove) - Wednesday, 13 January 2010, 17:36 GMT
I can confirm seeing same errors in my logs. Currently unable to authenticate using domain user accounts. This installation was working previously - no changes to config files.
Comment by Alexander Abramov (yzzy) - Friday, 15 January 2010, 05:39 GMT
I confirm this error on i686 packages. After upgrading samba and smbclient to 3.4.4-1 error still remains. I think there's a problem in heimdal package.
Comment by Thorsten Hoffleit (thoffleit) - Friday, 15 January 2010, 09:15 GMT
Before upgrading packages in early December '09, for me too samba as a W2k3 AD member had worked fine for well over 8 months.

Today, for testing purposes, I ran kinit in two different scenarios: #1) with samba installed, #2) after removing the samba package and rebooting.

In both cases, the result was the same:

# kinit administrator@MY.DOMAIN.TLD
administrator@MY.DOMAIN.TLD's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type

I think this would confirm Alexander's assumption of not samba but heimdal 1.3.1-2 possibly having a problem.

A word of caution, just in case anyone wants to reproduce the above #2: Before rebooting, please make sure to comment out all references to pam_winbind.so in your /etc/pam.d/login, /etc/pam.d/su and /etc/pam.d/sudo files. Else, after rebooting you might no longer be able to log in or become root. Guess who that happened to? ;-)

EDIT: Sorry, it might have just been a wrongly configured /etc/krb5.conf on my machine... Now (still without samba) kinit can get tickets without any error messages. I don't have time this weekend but I am going to reinstall samba in a few days to further troubleshoot.
Comment by Rob Schrack (rschrack) - Saturday, 16 January 2010, 16:37 GMT

I was hopeful with the kernel & samba updates, but no luck here either. kinit works, joining domain still fails.

# uname -a
Linux localhost 2.6.32-ARCH #1 SMP PREEMPT Thu Jan 7 22:28:29 CET 2010 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3600+ AuthenticAMD GNU/Linux
# kinit rob@SCHRACK.NET
rob@SCHRACK.NET's Password:
# net ads join -U rob
Enter rob's password:
[2010/01/16 11:17:43, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type
# pacman -Q samba
samba 3.4.4-1
# pacman -Q heimdal
heimdal 1.3.1-2
Comment by Robert Schuster (trebor) - Tuesday, 19 January 2010, 08:27 GMT
I also get this problem at my Sidux-Linux-PC, if the command kinit administrator@DOMAIN_NAME.COM is send to the domain-controler from the linux bash.
I get this at my bash-console:
kinit: relocation error: /usr/lib/libdes425.so.3: symbol des_IP_table, version k5crypto_3_MIT not defined in file libk5crypto.so.3 with link time reference
The other Command net ads join produce the same error, which was descriped above.
Comment by Macfly (macfly) - Tuesday, 19 January 2010, 09:45 GMT
My two cents, same problem for me it only works with heimdal 1.2.1 and samba 3.3.8.

I try to update samba to 3.4.4 with heimdal 1.2.1 but samba doesn't work, it looks for a missing lib (I think PKGBUILD need to be update to dependencies=('heimdal=>1.3-1') ). I try to rebuild samba 3.4.4 from PKGBUILD to link (I want to look if it's samba problem or heimdal) on heimdal 1.2.1 but compilation failed on

Compiling lib/netapi/samr.c
lib/netapi/samr.c: In function ‘libnetapi_samr_open_domain’:
lib/netapi/samr.c:47: error: expected expression before ‘struct’
lib/netapi/samr.c:47: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_open_builtin_domain’:
lib/netapi/samr.c:169: error: expected expression before ‘struct’
lib/netapi/samr.c:169: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_close_domain_handle’:
lib/netapi/samr.c:243: error: expected expression before ‘struct’
lib/netapi/samr.c:243: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_close_builtin_handle’:
lib/netapi/samr.c:267: error: expected expression before ‘struct’
lib/netapi/samr.c:267: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_close_connect_handle’:
lib/netapi/samr.c:291: error: expected expression before ‘struct’
lib/netapi/samr.c:291: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_free’:
lib/netapi/samr.c:314: error: expected expression before ‘struct’
lib/netapi/samr.c:314: warning: assignment makes pointer from integer without a cast
The following command failed:
gcc -march=x86-64 -mtune=generic -O2 -pipe -I. -I/var/abs/extra/samba/src/samba-3.4.4/source3 -I/var/abs/extra/samba/src/samba-3.4.4/source3/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -I./../lib/popt -DLDAP_DEPRECATED -I/var/abs/extra/samba/src/samba-3.4.4/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c lib/netapi/samr.c -o lib/netapi/samr.o
make: *** [lib/netapi/samr.o] Error 1
Comment by Macfly (macfly) - Tuesday, 19 January 2010, 10:24 GMT
I make a new try with heimdal 1.3-1, kinit is now working for me :

# kinit administrateur@AD.LBN.FR
administrateur@AD.LBN.FR's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrateur@AD.LBN.FR

Issued Expires Principal
Jan 19 11:17:26 Jan 19 21:17:20 krbtgt/AD.LBN.FR@AD.LBN.FR

I try samba 3.4.4-1 with heimdal 1.3 samba complayne when start :
/usr/sbin/smbd: error while loading shared libraries: libhx509.so.4: cannot open shared object file: No such file or directory.

I try to fake samba with a symlink from /usr/lib/libhx509.so to /usr/lib/libhx509.so.4. After that samba start but when I try :

#wbinfo -u
Error looking up domain users
Comment by Benedikt (bbbarch) - Saturday, 23 January 2010, 09:44 GMT
I can confirm this error as well. After doing a complete system upgrade I am unable to connect to the AD. The errors I get are identical to those described above and I haven`t found a workaround yet.
Comment by Allan McRae (Allan) - Sunday, 24 January 2010, 02:20 GMT
So... has anyone filed bug reports upstream? At least for samba.
Comment by Allan McRae (Allan) - Monday, 25 January 2010, 08:01 GMT
I do not use samba. Reassign to me if it turns out that heimdal need fixed.
Comment by Holoduke (Holoduke) - Tuesday, 26 January 2010, 20:37 GMT
I had the same problem. Adding allow_weak_crypto = true to libdefaults section in krb5.conf solved it.
See http://www.h5l.org/blog/index.php/2008/10/des-will-die-in-heimdal/ and http://www.h5l.org/blog/index.php/2009/11/heimdal-1-3-0-and-1-3-1/
Comment by Phil Uithoven (puithove) - Tuesday, 26 January 2010, 21:53 GMT
I can confirm that adding allow_weak_crypto = true returns me to a working state. Great find Holoduke. However I'm wondering if instead of allowing the deprecated DES encryption there is a way to switch to a supported encryption type.
Comment by Holoduke (Holoduke) - Tuesday, 26 January 2010, 23:45 GMT
I don't know enough about this topic, but as far as I know a proper solution would be to use Kerberos with AES. However Samba doesn't seem to support it yet. http://news.samba.org/ mentions beginning to implement AES support on 25 September 2009. Also, AES requires Windows Server 2008. Then Samba could authenticate itself as a domain member using a secure encryption type. But I have no idea if that also applies to clients authenticating to the Samba server. My guess is that DES will be required as long as there are pre-Vista clients around and the AD functional level is below Server 2008.
Comment by Natanael Copa (ncopa) - Wednesday, 17 March 2010, 15:26 GMT
i bet 'net ads testjoin' fails even if net join works.

Same as mit krb has:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

what happens is, samba creates a temp
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME which includes the DES encryption types. since those are invalid heimdal says: sorry no workey, instead of using the RC4 one also listed in the same temp krb conf.

There is also someone here reporting same issue: http://lists.samba.org/archive/samba/2009-December/152444.html

I htink there are 2 different ways to actually solve this:
1. remove DES from the temp samba file
2. patch heimdal should filter weak enctypes instead of reject on weak enctype (thats what mit and debian did)

I can provide a patch for first option but I'm not sure about second.
Comment by Natanael Copa (ncopa) - Wednesday, 17 March 2010, 15:39 GMT
i tried first option (patching samba) but didnt got it working.

I have sent a message upstream to heimdal-discuss:
http://thread.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5280
Comment by Greg (dolby) - Friday, 04 March 2011, 03:47 GMT
Well, the patch worked for you but didnt bother reporting here. Is it already merged? It should be..
Comment by Natanael Copa (ncopa) - Friday, 04 March 2011, 12:11 GMT
We have not had any problems with this in Alpine Linux for long time. I assume its merged upstream.

Loading...