FS#17522 - [samba] Program lacks support for encryption type error

Attached to Project: Arch Linux
Opened by Peter Csepely (Thief_hu) - Tuesday, 15 December 2009, 19:02 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 06 March 2011, 10:12 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description:

I use Samba as a domain member in W2K3 AD with some shares, authentication with winbind. After system upgrade:
- samba (3.4.3-3 -> 3.4.3-4)
- heimdal (1.2.1-7 -> 1.3.1-2)
- tdb (3.4.3-3 -> 3.4.3-4)
- libldap (2.4.19-1 -> 2.4.20-1)
- smbclient (3.4.3-3 -> 3.4.3-4)

wbinfo -[u|w] produces "Error looking up domain users" or nothing.

In the log the following lines appear:

winbindd[25642]: [2009/12/15 16:42:18, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
winbindd[25642]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type

winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [domain] failed: Program lacks support for encryption type

but a "net rpc join -S [PDC] -U [user]" joins successfully.

smb.conf:

security = DOMAIN
[...]
password server = [PDC]
local master = no
domain master = no
winbind separator = \\
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
valid users = [valid user]
auth methods = guest, sam, winbind
template shell = /bin/bash

Closed by  Tobias Powalowski (tpowa)
Sunday, 06 March 2011, 10:12 GMT
Reason for closing:  Fixed
Comment by Andrea Scarpino (BaSh) - Tuesday, 15 December 2009, 22:04 GMT
Maybe it is something related to libldap; please try to downgrade to 2.4.19-1.
Comment by Peter Csepely (Thief_hu) - Wednesday, 16 December 2009, 08:59 GMT
After downgrading libldap wbinfo returns nothing.

Errors in the log still remain.

More log entries:

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12964]: [2009/12/16 09:57:44, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)

==> /var/log/samba/winbindd.log <==
[2009/12/16 09:57:44, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache)

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12964]: initialize_winbindd_cache: clearing cache and re-creating with version number 1

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12966]: [2009/12/16 09:57:44, 0] libads/sasl.c:819(ads_sasl_spnego_bind)

==> /var/log/daemon.log <==
Dec 16 09:57:44 ph031 winbindd[12966]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type

==> /var/log/samba/winbindd.log <==
[2009/12/16 09:57:44, 1] winbindd/winbindd_util.c:303(trustdom_recv)
Could not receive trustdoms

Any suggestion?
Comment by Kari Päivärinta (thlayli) - Thursday, 17 December 2009, 13:01 GMT
Having the same problems after upgrading yesterday.
Comment by Peter Csepely (Thief_hu) - Monday, 21 December 2009, 08:14 GMT
More log entries from log.wb-[DOMAIN NAME]

[2009/12/21 09:03:29, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:29, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:29, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2009/12/21 09:03:29, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [DOMAIN NAME] failed: Program lacks support for encryption type
[2009/12/21 09:03:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:03:34, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2009/12/21 09:03:34, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [DOMAIN NAME] failed: Program lacks support for encryption type
[2009/12/21 09:08:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:08:34, 1] libsmb/clikrb5.c:848(cli_krb5_get_ticket)
cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2009/12/21 09:08:34, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
[2009/12/21 09:08:34, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
ads_connect for domain [DOMAIN NAME] failed: Program lacks support for encryption type

I hope it helps.
Comment by partner55083777 (partner55083777) - Wednesday, 23 December 2009, 21:28 GMT
I'm getting a similar error. Commands like `net ads info` work, but `net ads join -U admin` will give me an error like this:

[2009/12/23 11:18:46, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type

Here is the relevant section of my smb.conf (output from testparm):

[global]
workgroup = (DELETED)
realm = (DELETED)
security = ADS
password server = (DELETED)
log level = 3
domain master = No
idmap uid = 5000-10000000
idmap gid = 5000-10000000
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Comment by partner55083777 (partner55083777) - Wednesday, 23 December 2009, 22:45 GMT
Oh, one more thing. I tried downgrading, and everything works for me using these package versions:

smbclient-3.4.3-2-x86_64
samba-3.4.3-2-x86_64
heimdal-1.2.1-7-x86_64

It might also work with samba-3.4.3-3, I didn't check.
Comment by Andrea Scarpino (BaSh) - Thursday, 24 December 2009, 01:03 GMT
Assigned to wonder, who built samba last, and to Allan too.
Comment by partner55083777 (partner55083777) - Thursday, 24 December 2009, 13:14 GMT
Do you guys need anything else from me for debugging purposes? I'm running this all under a virtual machine, so it's not hard to mess with different configurations.
Comment by Phil Uithoven (puithove) - Wednesday, 13 January 2010, 17:36 GMT
I can confirm seeing same errors in my logs. Currently unable to authenticate using domain user accounts. This installation was working previously - no changes to config files.
Comment by Alexander Abramov (yzzy) - Friday, 15 January 2010, 05:39 GMT
I confirm this error on i686 packages. After upgrading samba and smbclient to 3.4.4-1 error still remains. I think there's a problem in heimdal package.
Comment by Thorsten Hoffleit (thoffleit) - Friday, 15 January 2010, 09:15 GMT
Before upgrading packages in early December '09, samba as a W2k3 AD member had worked fine for me too for well over 8 months.

Today, for testing purposes, I ran kinit in two different scenarios: #1) with samba installed, #2) after removing the samba package and rebooting.

In both cases, the result was the same:

# kinit administrator@MY.DOMAIN.TLD
administrator@MY.DOMAIN.TLD's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type

I think this would confirm Alexander's assumption that the problem may be in heimdal 1.3.1-2 rather than in samba.

A word of caution, just in case anyone wants to reproduce the above #2: Before rebooting, please make sure to comment out all references to pam_winbind.so in your /etc/pam.d/login, /etc/pam.d/su and /etc/pam.d/sudo files. Else, after rebooting you might no longer be able to log in or become root. Guess who that happened to? ;-)

EDIT: Sorry, it might have just been a wrongly configured /etc/krb5.conf on my machine... Now (still without samba) kinit can get tickets without any error messages. I don't have time this weekend but I am going to reinstall samba in a few days to further troubleshoot.
Comment by Rob Schrack (rschrack) - Saturday, 16 January 2010, 16:37 GMT
I was hopeful with the kernel & samba updates, but no luck here either. kinit works, joining domain still fails.

# uname -a
Linux localhost 2.6.32-ARCH #1 SMP PREEMPT Thu Jan 7 22:28:29 CET 2010 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3600+ AuthenticAMD GNU/Linux
# kinit rob@SCHRACK.NET
rob@SCHRACK.NET's Password:
# net ads join -U rob
Enter rob's password:
[2010/01/16 11:17:43, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type
# pacman -Q samba
samba 3.4.4-1
# pacman -Q heimdal
heimdal 1.3.1-2
Comment by Robert Schuster (trebor) - Tuesday, 19 January 2010, 08:27 GMT
I also get this problem on my Sidux Linux PC if the command kinit administrator@DOMAIN_NAME.COM is sent to the domain controller from the Linux bash.
I get this on my bash console:
kinit: relocation error: /usr/lib/libdes425.so.3: symbol des_IP_table, version k5crypto_3_MIT not defined in file libk5crypto.so.3 with link time reference
The other command, net ads join, produces the same error that was described above.
Comment by Macfly (macfly) - Tuesday, 19 January 2010, 09:45 GMT
My two cents: same problem for me; it only works with heimdal 1.2.1 and samba 3.3.8.

I tried to update samba to 3.4.4 with heimdal 1.2.1 but samba doesn't work; it looks for a missing lib (I think the PKGBUILD needs to be updated to dependencies=('heimdal=>1.3-1')). I tried to rebuild samba 3.4.4 from the PKGBUILD against heimdal 1.2.1 (to see whether it's a samba problem or a heimdal one), but compilation failed on:

Compiling lib/netapi/samr.c
lib/netapi/samr.c: In function ‘libnetapi_samr_open_domain’:
lib/netapi/samr.c:47: error: expected expression before ‘struct’
lib/netapi/samr.c:47: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_open_builtin_domain’:
lib/netapi/samr.c:169: error: expected expression before ‘struct’
lib/netapi/samr.c:169: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_close_domain_handle’:
lib/netapi/samr.c:243: error: expected expression before ‘struct’
lib/netapi/samr.c:243: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_close_builtin_handle’:
lib/netapi/samr.c:267: error: expected expression before ‘struct’
lib/netapi/samr.c:267: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_close_connect_handle’:
lib/netapi/samr.c:291: error: expected expression before ‘struct’
lib/netapi/samr.c:291: warning: assignment makes pointer from integer without a cast
lib/netapi/samr.c: In function ‘libnetapi_samr_free’:
lib/netapi/samr.c:314: error: expected expression before ‘struct’
lib/netapi/samr.c:314: warning: assignment makes pointer from integer without a cast
The following command failed:
gcc -march=x86-64 -mtune=generic -O2 -pipe -I. -I/var/abs/extra/samba/src/samba-3.4.4/source3 -I/var/abs/extra/samba/src/samba-3.4.4/source3/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -I./../lib/popt -DLDAP_DEPRECATED -I/var/abs/extra/samba/src/samba-3.4.4/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c lib/netapi/samr.c -o lib/netapi/samr.o
make: *** [lib/netapi/samr.o] Error 1
Comment by Macfly (macfly) - Tuesday, 19 January 2010, 10:24 GMT
I made a new try with heimdal 1.3-1; kinit is now working for me:

# kinit administrateur@AD.LBN.FR
administrateur@AD.LBN.FR's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrateur@AD.LBN.FR

Issued Expires Principal
Jan 19 11:17:26 Jan 19 21:17:20 krbtgt/AD.LBN.FR@AD.LBN.FR

I tried samba 3.4.4-1 with heimdal 1.3; samba complains on start:
/usr/sbin/smbd: error while loading shared libraries: libhx509.so.4: cannot open shared object file: No such file or directory.

I tried to fake it for samba with a symlink from /usr/lib/libhx509.so to /usr/lib/libhx509.so.4. After that samba starts, but when I try:

# wbinfo -u
Error looking up domain users
Comment by Benedikt (bbbarch) - Saturday, 23 January 2010, 09:44 GMT
I can confirm this error as well. After doing a complete system upgrade I am unable to connect to the AD. The errors I get are identical to those described above and I haven't found a workaround yet.
Comment by Allan McRae (Allan) - Sunday, 24 January 2010, 02:20 GMT
So... has anyone filed bug reports upstream? At least for samba.
Comment by Allan McRae (Allan) - Monday, 25 January 2010, 08:01 GMT
I do not use samba. Reassign to me if it turns out that heimdal needs fixing.
Comment by Holoduke (Holoduke) - Tuesday, 26 January 2010, 20:37 GMT
I had the same problem. Adding allow_weak_crypto = true to libdefaults section in krb5.conf solved it.
See http://www.h5l.org/blog/index.php/2008/10/des-will-die-in-heimdal/ and http://www.h5l.org/blog/index.php/2009/11/heimdal-1-3-0-and-1-3-1/
Comment by Phil Uithoven (puithove) - Tuesday, 26 January 2010, 21:53 GMT
I can confirm that adding allow_weak_crypto = true returns me to a working state. Great find, Holoduke. However, I'm wondering if, instead of allowing the deprecated DES encryption, there is a way to switch to a supported encryption type.
Comment by Holoduke (Holoduke) - Tuesday, 26 January 2010, 23:45 GMT
I don't know enough about this topic, but as far as I know a proper solution would be to use Kerberos with AES. However Samba doesn't seem to support it yet. http://news.samba.org/ mentions beginning to implement AES support on 25 September 2009. Also, AES requires Windows Server 2008. Then Samba could authenticate itself as a domain member using a secure encryption type. But I have no idea if that also applies to clients authenticating to the Samba server. My guess is that DES will be required as long as there are pre-Vista clients around and the AD functional level is below Server 2008.
Comment by Natanael Copa (ncopa) - Wednesday, 17 March 2010, 15:26 GMT
I bet 'net ads testjoin' fails even if net join works.

Same as MIT krb has:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

What happens is, samba creates a temp /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME which includes the DES encryption types. Since those are invalid, heimdal says "sorry, no workey" instead of using the RC4 one also listed in the same temp krb conf.

There is also someone here reporting same issue: http://lists.samba.org/archive/samba/2009-December/152444.html

I think there are 2 different ways to actually solve this:
1. remove DES from the temp samba file
2. patch heimdal so that it filters weak enctypes instead of rejecting on a weak enctype (that's what MIT and Debian did)

I can provide a patch for first option but I'm not sure about second.
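As an added example that is not part of the bug report, Samba or Heimdal, the following Python models the mechanism Natanael describes above (Samba's temporary krb5.conf lists DES next to RC4 and Heimdal 1.3 refuses the whole list) together with the two outcomes discussed earlier in the thread: Holoduke's allow_weak_crypto = true workaround, which Phil notes keeps DES in use, and the "filter weak enctypes instead of rejecting" alternative. The sample configuration texts, the enctype classification table and the policy names "reject" and "filter" are constructed for the demonstration; the "filter" branch is a model of option 2, not Heimdal's or MIT's actual code. The audit() helper is the defender's side: it lists the settings in a krb5.conf text that keep DES in play.

```python
"""Model of Kerberos enctype selection as discussed in FS#17522.
Added example: not code from the report, Samba or Heimdal.
Enctype names, sample configs and policy names are constructed."""

# Constructed classification: DES types are the ones Heimdal 1.3 treats as weak.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
STRONG_ENCTYPES = {"rc4-hmac", "arcfour-hmac-md5",
                   "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
KNOWN_ENCTYPES = WEAK_ENCTYPES | STRONG_ENCTYPES
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")
TRUE_VALUES = ("true", "yes", "on", "1")


class EnctypeError(ValueError):
    """Raised when no acceptable enctype can be selected."""


def parse_libdefaults(text):
    """Key/value pairs of the [libdefaults] section of a krb5.conf-style text.
    Only flat 'key = value' lines are handled, which is all [libdefaults] holds."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def select_enctypes(requested, allow_weak_crypto=False, policy="reject"):
    """Pick the enctypes a library would use from the configured list.
    policy="reject": any weak type aborts (Heimdal 1.3 behaviour in the thread).
    policy="filter": weak types are dropped, strong ones kept (the alternative).
    allow_weak_crypto=True: the krb5.conf workaround, everything is accepted."""
    names = [e.lower() for e in requested]
    unknown = [e for e in names if e not in KNOWN_ENCTYPES]
    if unknown:
        raise EnctypeError("unknown enctype(s): " + ", ".join(unknown))
    weak = [e for e in names if e in WEAK_ENCTYPES]
    if allow_weak_crypto or not weak:
        return names
    if policy == "reject":
        raise EnctypeError("Program lacks support for encryption type: " + ", ".join(weak))
    strong = [e for e in names if e in STRONG_ENCTYPES]
    if not strong:
        raise EnctypeError("no strong enctype left after filtering weak ones")
    return strong


def negotiate(conf_text, policy="reject"):
    """Apply select_enctypes to the default_tgs_enctypes list of a krb5.conf text."""
    libdefaults = parse_libdefaults(conf_text)
    allow_weak = libdefaults.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    requested = libdefaults.get("default_tgs_enctypes", "").split()
    return select_enctypes(requested, allow_weak, policy)


def negotiation_fails(conf_text, policy="reject"):
    """True if the modelled library would refuse to use this configuration."""
    try:
        negotiate(conf_text, policy)
    except EnctypeError:
        return True
    return False


def audit(conf_text):
    """Defender's check: settings in a krb5.conf text that keep DES in play."""
    libdefaults = parse_libdefaults(conf_text)
    findings = []
    if libdefaults.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto = true re-enables the weak DES enctypes")
    for key in ENCTYPE_KEYS:
        for enctype in libdefaults.get(key, "").split():
            if enctype.lower() in WEAK_ENCTYPES:
                findings.append(f"weak enctype {enctype} listed in {key}")
    return findings


# Constructed stand-in for the temp file Samba writes under /var/cache/samba/smb_krb5/.
SAMBA_TEMP_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""
# Constructed: the same list with the workaround from this thread switched on.
WORKAROUND_CONF = SAMBA_TEMP_CONF + "    allow_weak_crypto = true\n"
# Constructed: a list that names only strong enctypes.
STRONG_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""

if __name__ == "__main__":
    print("Heimdal 1.3 style, temp conf fails:", negotiation_fails(SAMBA_TEMP_CONF))
    print("with allow_weak_crypto:", negotiate(WORKAROUND_CONF))
    print("filtering instead of rejecting:", negotiate(SAMBA_TEMP_CONF, policy="filter"))
    for finding in audit(WORKAROUND_CONF):
        print("audit:", finding)
```

Run as a script, the first line shows the failure from the thread, the second shows that the workaround accepts the DES types along with RC4, and the third shows that filtering leaves only rc4-hmac, which is the behaviour option 2 asks of heimdal. The audit() output on the workaround configuration is the kind of finding a configuration review would raise after the fix is applied.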
Comment by Natanael Copa (ncopa) - Wednesday, 17 March 2010, 15:39 GMT
I tried the first option (patching samba) but didn't get it working.

I have sent a message upstream to heimdal-discuss:
http://thread.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/5280
Comment by Greg (dolby) - Friday, 04 March 2011, 03:47 GMT
Well, the patch worked for you but you didn't bother reporting here. Is it already merged? It should be.
Comment by Natanael Copa (ncopa) - Friday, 04 March 2011, 12:11 GMT
We have not had any problems with this in Alpine Linux for a long time. I assume it's merged upstream.