Cancelled support for DES in Heimdal Kerberos breaks Samba Winbind
When trying to run net ads join in Alpine 1.10, you get the following error:
[2010/03/17 08:27:38, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
Failed to join domain: failed to connect to AD: Program lacks support for encryption type
The versions are Heimdal Kerberos 1.3.1 and Samba 3.4.7.
After some investigation I found the following:
- Heimdal removed support for DES encryption in 1.3.0
- Samba makes its own krb5.conf at the following location: /var/cache/samba/smb_krb5/krb5.conf.DOMAIN
- MIT kerberos has experienced similar problems when removing DES encryption: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
  * This was fixed upstream by MIT kerberos filtering weak encryption instead of rejecting it. Could this be done by Heimdal Kerberos as well?
It seems that the issue is:
- Samba turns on weak encryption by default in its krb5.conf.DOMAIN
- Heimdal Kerberos rejects this because it contains weak encryption types
Suggested solutions
- Heimdal Kerberos should filter it instead, as MIT Kerberos does in 1.8 alpha1
- Samba should remove deprecated weak encryption from its krb5.conf.DOMAIN
It is possible to turn on weak encryption in Heimdal kerberos by adding allow_weak_crypto=yes to krb5.conf, but this is not transferred to Samba’s krb5.conf.DOMAIN
Background info
/var/cache/samba/smb_krb5/krb5.conf.DOMAIN contains:
[libdefaults]
    default_realm = DOMAIN.FQDN
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
    DOMAIN.FQDN = {
        kdc = 10.0.0.11
        kdc = 10.0.0.12
        kdc = 10.0.0.12
    }
Which is different from my /etc/kerberos/krb5.conf.
This file is generated by libads in samba 3, more specifically: source3/libads/kerberos.c function create_local_private_krb5_conf_for_domain which seems to take the kdc and REALM settings from somewhere, and is hardcoding the rest of the crypto information.
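As an added example (not part of this report, nor Samba's or Heimdal's own code), a small Python filter that does to the generated krb5.conf.DOMAIN what the report asks of Heimdal: strip the DES enctypes from the [libdefaults] lists instead of rejecting the file, and report whether allow_weak_crypto has been switched on. The weak-name set and the list of enctype keys are assumptions taken from the file shown above.

```python
import re

# DES enctype names Heimdal 1.3 no longer supports: the two Samba hardcodes in
# krb5.conf.DOMAIN plus DES-CBC-MD4 (assumed alias; extend the set as needed).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# The [libdefaults] enctype-list keys that Samba's generated file carries.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")

_LINE_RE = re.compile(r"^(\s*)(%s)(\s*=\s*)(.*?)\s*$" % "|".join(ENCTYPE_KEYS))


def filter_weak_enctypes(conf_text):
    """Return (filtered_text, removed), where removed maps key -> weak names dropped.

    Weak names are stripped from each enctype list (filter, not reject); a list
    that would become empty is dropped so the library falls back to its defaults.
    """
    kept, removed = [], {}
    for line in conf_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            kept.append(line)
            continue
        indent, key, sep, values = m.groups()
        names = values.split()
        weak = [v for v in names if v.lower() in WEAK_ENCTYPES]
        strong = [v for v in names if v.lower() not in WEAK_ENCTYPES]
        if weak:
            removed.setdefault(key, []).extend(weak)
        if strong:
            kept.append(indent + key + sep + " ".join(strong))
    return "\n".join(kept) + "\n", removed


def weak_crypto_allowed(conf_text):
    """True if allow_weak_crypto is explicitly enabled (the opt-in the report mentions)."""
    m = re.search(r"^\s*allow_weak_crypto\s*=\s*(\S+)", conf_text, re.M | re.I)
    return bool(m) and m.group(1).lower() in ("yes", "true", "1")


# Constructed sample: the [libdefaults] section Samba writes, per the report.
SAMPLE = """[libdefaults]
default_realm = DOMAIN.FQDN
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""
```

Running filter_weak_enctypes(SAMPLE) leaves only RC4-HMAC in each list; a list consisting solely of DES types is removed entirely rather than left empty.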
(from redmine: issue id 330, created on 2010-03-17, closed on 2010-03-18)