Bug 139668 (IT_55976)

We are having the same problem (generic version of error)

[root@host root]# net join -U Username
Username's password: 
[2004/11/19 11:18:00, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
Joined domain DOMAINNAME.

[root@host root]# net ads testjoin
[2004/11/19 11:18:54, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
Join to domain is not valid

A compile of Samba 3.0.8 does not have this behavior.

Similar behavior on two AS 3.0 servers here.   Prior to the up2date 
run last Wed. (11/17/04), authentication and communication with the 
Active Directory network worked like a charm.

From /var/log/samba/winbindd.log:

[2004/11/23 09:39:17, 1] libsmb/clikrb5.c:cli_krb5_get_ticket(399)
  krb5_set_default_tgs_ktypes failed (Program lacks support for 
encryption type)
[2004/11/23 09:39:17, 1] 
libsmb/cliconnect.c:cli_session_setup_kerberos(544)
  spnego_gen_negTokenTarg failed: Program lacks support for 
encryption type

We have the same problem (using Samba 3.0.7 under RHEL AS 3.0). I
everytime get this message. For example:

[user@server user]$ kinit username
Password for username.EPFL.CH: 
[user@server user]$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username.EPFL.CH

Valid starting     Expires            Service principal
11/25/04 08:46:30  11/25/04 18:46:30 
krbtgt/IC.INTRANET.EPFL.CH.EPFL.CH


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[user@server user]$ smbclient -k //WINSERVER/Share
krb5_set_default_tgs_ktypes failed (Program lacks support for
encryption type)
spnego_gen_negTokenTarg failed: Program lacks support for encryption type
session setup failed: NT_STATUS_OK

Be careful reverting to earlier versions as you may erase the winbind database, causing all 
the uid/sid mappings to be recreated perhaps differently.  rpm --force -Uvh ... (where ... 
are the 3.0.7-1.3E versions) worked better.

I also tried just reverting the samba-common package (as it contains winbindd) but this 
did not fix the problem.

I think this is a kerberos issue. I installed MIT kerberos 1.3.5 and
then did a kinit administrator@domain. After which net ads join
-Uadministrator worked fine and I was able to rejoin a Windows 2003
domain operating in native mode.

I think you need MIT kerberos 1.3.4 to work with Windows2003 in Native
mode. RHES3 is still using 1.2.7? 

Hope it helps

I think this is a kerberos issue. I installed MIT kerberos 1.3.5 and
then did a kinit administrator@domain. After which net ads join
-Uadministrator worked fine and I was able to rejoin a Windows 2003
domain operating in native mode.

I think you need MIT kerberos 1.3.4 to work with Windows2003 in Native
mode. RHES3 is still using 1.2.7? 

Hope it helps

When using those configurations in the libdefaults section of the
krb5.conf file:
default_etypes     = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
joining will work fine with krb5 1.2.7. The version of samba needs
however to be 3.0.9, 3.0.7 will not work.

Could someone give us an update or an estimate on when Red Hat plans
to fix this problem?  It's frustrating to have paid for Enterprise
Linux and not have this problem fixed, when the free version of Samba
works just fine.

RE: Comment 7

The original reporter and I were able to join a Windows Server 2003
active directory domain just fine using Samba version 3.0.7 (see
Comment 0 and Bug 129201, comment 4).  So the problem is not Samba
3.0.7.  The problem is the patches Red Hat applied between
samba-3.0.7-1.3E and samba-3.0.7-1.3E.1.

My experience mirrors comment #9.  I'm running a fully patched RHEL ES
v3.0 system.  

With the following samba/krb5 packages installed, I was unable to join
a Windows 2003 AD domain.

pam_krb5-1.73-1
samba-3.0.7-1.3E.1
samba-common-3.0.7-1.3E.1
samba-client-3.0.7-1.3E.1
krb5-workstation-1.2.7-28
krb5-libs-1.2.7-28

It kept complaining "ads_connect: Program lacks support for encryption
type" and failing. 

I downgraded all three samba packages to "3.0.7-1.3E", making no other
changes, and the "net ads join" proceeded without incident.  Something
introduced in the 3.0.7-1.3E.1 RPM must be the culprit.

I have to say I'm starting to get annoyed with the length of time it
is taking redhat to fix bugs in El3.  This in particular is a serious
problem and needs immediate attention.

I echo comment 8... when is this going to be fixed?  Let me know what
I tell my boss (who is complaining that ACLs are broken... hence me
stumbling across this bugzilla report) when I need to get
authorisation to buy new redhat licenses.  This has been in bugzilla
for almost a month.

Paul

Same problem with the latest updates

samba-client-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-3.0.9-1.3E.1


net ads join  ......

 utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type

I confirm, same problem with:

samba-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1

[root@server root]# net ads testjoin                             
[2004/12/17 12:52:41, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type
Join to domain is not valid

Note that this server is correctly joined to the domain (it was joined
before this problem appeared)...

Alessandro, did you change your krb5.conf as per comment 7?

Yes, I my [libdefaults] sections looks like this:

[libdefaults]
 ticket_lifetime = 600
 default_realm = IC.INTRANET.EPFL.CH
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_etypes     = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5

I tried to remove the two other default_ lines (default_tkt and
default_tgs) but nothing changes.

Perhaps someone from Red Hat could post a known working smb.conf and
krb5.conf?

I see many people have the same problem like me.
Could anybody fix this problem?

My problem is:

[root@rhes3-1 ~]# net ads join -l -U administrator
administrator's password:
[2004/12/20 08:25:35, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type

My package-list is:

samba-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
krb5-workstation-1.2.7-28
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28


I know, when you want to mount a SHARE from a Win2003 DC, then you 
must change some GPO's...
Is it possible that this problem has o do with this?

This seems to have finally been fixed with the latest round of
updates! You dont have to change any configuration files just make
sure you have the following package versions.

samba-common-3.0.9-1.3E.1
samba-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
krb5-workstation-1.2.7-31
krb5-libs-1.2.7-31
krb5-devel-1.2.7-31

Yes, now it seems to be okay! It is probably the update of the krb5
library.

[root@server root]# net ads testjoin
Join is OK

I have the same package versions as in comment #18, and no config
files have been modified in the meantime.

Just to confirm that the krb library update has fixed the problem 
with the latest version of samba using up2date
samba-3.0.9-1.3E.1.i386.rpm
samba-client-3.0.9-1.3E.1.i386.rpm
samba-common-3.0.9-1.3E.1.i386.rpm

krb5-devel-1.2.7-31.i386.rpm
krb5-libs-1.2.7-31.i386.rpm
krb5-workstation-1.2.7-31.i386.rpm

It would be nice to have an explanation from redhat about what went 
wrong with this issue, so that we can be confident about using 
up2date in the future.

i have samba 3.0.10 and still face the same problem when i try to
issue the net user command or net join command etc. 

[root@daddupc DHCP]# net user
root's password:
[2005/01/02 21:37:33, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No such file or directory

i am unable to understand the problem at all.

About comment 21: did you try to strace the net command to see if
there's really a missing file?

my samba and krb4 versions are as follows

krb5-devel-1.2.7-38
krb5-libs-1.2.7-38
krb5-workstation-1.2.7-38

samba-3.0.7-1.3E
samba-common-3.0.7-1.3E
samba-client-3.0.7-1.3E

and /etc/krb5.conf contains only these modifications on libdefaults 
section. 
 default_tkt_enctypes = DES-CBC-MD5
 default_tgs_enctypes = DES-CBC-MD5

as a result joining is OK. But 6 days before joining was also OK 
without libdefaults modifications until i make a test running wbinfo -
u. And i get the same error 

[2005/02/23 21:41:01, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No credentials found with supported encryption types


Now i m confused i haven't changed or made any update in these 
period. I suspect computer account that i created was changed 
somehow. But i couldn.t find any changes in that account.

my samba and krb4 versions are as follows

krb5-devel-1.2.7-38
krb5-libs-1.2.7-38
krb5-workstation-1.2.7-38

samba-3.0.7-1.3E
samba-common-3.0.7-1.3E
samba-client-3.0.7-1.3E

and /etc/krb5.conf contains only these modifications on libdefaults 
section. 
 default_tkt_enctypes = DES-CBC-MD5
 default_tgs_enctypes = DES-CBC-MD5

as a result joining is OK. But 6 days before joining was also OK 
without libdefaults modifications until i make a test running wbinfo -
u. And i get the same error 

[2005/02/23 21:41:01, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No credentials found with supported encryption types


Now i m confused i haven't changed or made any update in these 
period. I suspect computer account that i created was changed 
somehow. But i couldn.t find any changes in that account.

This problem has been fixed in later updates, closing it, please reopen if still
relevant.