Bug 139668 (IT_55976)
| Field | Value |
|---|---|
| Summary | samba update breaks winbind |
| Product | Red Hat Enterprise Linux 3 |
| Component | samba |
| Version | 3.0 |
| Hardware | i586 |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Keywords | Regression |
| Reporter | steve kilgallon <s.kilgallon> |
| Assignee | Simo Sorce <ssorce> |
| CC | alessandro.crespi, ee-cap-admin-dl, jbalderson, k.georgiou, laroche, mark.mckenna, matseitz, redhat-bugzilla, samba-bugs-list, tao |
| Fixed In Version | samba-3.0.9-1.3E.1 |
| Doc Type | Bug Fix |
| Last Closed | 2007-10-22 13:33:50 UTC |
| Bug Blocks | 132991 |

Description
steve kilgallon
2004-11-17 11:00:18 UTC
We are having the same problem (generic version of error)

```
[root@host root]# net join -U Username
Username's password:
[2004/11/19 11:18:00, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
Joined domain DOMAINNAME.
[root@host root]# net ads testjoin
[2004/11/19 11:18:54, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
Join to domain is not valid
```

A compile of Samba 3.0.8 does not have this behavior.

Similar behavior on two AS 3.0 servers here. Prior to the up2date run last Wed. (11/17/04), authentication and communication with the Active Directory network worked like a charm. From /var/log/samba/winbindd.log:

```
[2004/11/23 09:39:17, 1] libsmb/clikrb5.c:cli_krb5_get_ticket(399)
  krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
[2004/11/23 09:39:17, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(544)
  spnego_gen_negTokenTarg failed: Program lacks support for encryption type
```

We have the same problem (using Samba 3.0.7 under RHEL AS 3.0). I get this message every time. For example:

```
[user@server user]$ kinit username
Password for username.EPFL.CH:
[user@server user]$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username.EPFL.CH

Valid starting     Expires            Service principal
11/25/04 08:46:30  11/25/04 18:46:30  krbtgt/IC.INTRANET.EPFL.CH.EPFL.CH

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[user@server user]$ smbclient -k //WINSERVER/Share
krb5_set_default_tgs_ktypes failed (Program lacks support for encryption type)
spnego_gen_negTokenTarg failed: Program lacks support for encryption type
session setup failed: NT_STATUS_OK
```

Be careful reverting to earlier versions as you may erase the winbind database, causing all the uid/sid mappings to be recreated perhaps differently. `rpm --force -Uvh ...` (where ... are the 3.0.7-1.3E versions) worked better.

I also tried just reverting the samba-common package (as it contains winbindd) but this did not fix the problem.

I think this is a Kerberos issue. I installed MIT Kerberos 1.3.5 and then did a `kinit administrator@domain`. After which `net ads join -Uadministrator` worked fine and I was able to rejoin a Windows 2003 domain operating in native mode. I think you need MIT Kerberos 1.3.4 to work with Windows 2003 in native mode. RHES3 is still using 1.2.7? Hope it helps.

When using those configurations in the libdefaults section of the krb5.conf file:

```
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
```

joining will work fine with krb5 1.2.7. The version of Samba needs however to be 3.0.9; 3.0.7 will not work.

Could someone give us an update or an estimate on when Red Hat plans to fix this problem? It's frustrating to have paid for Enterprise Linux and not have this problem fixed, when the free version of Samba works just fine.

RE: Comment 7. The original reporter and I were able to join a Windows Server 2003 Active Directory domain just fine using Samba version 3.0.7 (see Comment 0 and Bug 129201, comment 4). So the problem is not Samba 3.0.7. The problem is the patches Red Hat applied between samba-3.0.7-1.3E and samba-3.0.7-1.3E.1.

My experience mirrors comment #9. I'm running a fully patched RHEL ES v3.0 system. With the following samba/krb5 packages installed, I was unable to join a Windows 2003 AD domain.

```
pam_krb5-1.73-1
samba-3.0.7-1.3E.1
samba-common-3.0.7-1.3E.1
samba-client-3.0.7-1.3E.1
krb5-workstation-1.2.7-28
krb5-libs-1.2.7-28
```

It kept complaining "ads_connect: Program lacks support for encryption type" and failing. I downgraded all three samba packages to "3.0.7-1.3E", making no other changes, and the `net ads join` proceeded without incident. Something introduced in the 3.0.7-1.3E.1 RPM must be the culprit.

I have to say I'm starting to get annoyed with the length of time it is taking Red Hat to fix bugs in EL3. This in particular is a serious problem and needs immediate attention. I echo comment 8... when is this going to be fixed? Let me know what I tell my boss (who is complaining that ACLs are broken... hence me stumbling across this bugzilla report) when I need to get authorisation to buy new Red Hat licenses. This has been in bugzilla for almost a month.

Paul

Same problem with the latest updates:

```
samba-client-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-3.0.9-1.3E.1
```

```
net ads join ......
utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type
```

I confirm, same problem with:

```
samba-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
```

```
[root@server root]# net ads testjoin
[2004/12/17 12:52:41, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type
Join to domain is not valid
```

Note that this server is correctly joined to the domain (it was joined before this problem appeared)...

Alessandro, did you change your krb5.conf as per comment 7?

Yes, my [libdefaults] section looks like this:

```
[libdefaults]
 ticket_lifetime = 600
 default_realm = IC.INTRANET.EPFL.CH
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5
```

I tried to remove the two other default_ lines (default_tkt and default_tgs) but nothing changes.

Perhaps someone from Red Hat could post a known working smb.conf and krb5.conf?

I see many people have the same problem as me. Could anybody fix this problem? My problem is:

```
[root@rhes3-1 ~]# net ads join -l -U administrator
administrator's password:
[2004/12/20 08:25:35, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type
```

My package list is:

```
samba-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
krb5-workstation-1.2.7-28
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
```

I know, when you want to mount a SHARE from a Win2003 DC, then you must change some GPOs... Is it possible that this problem has to do with this?

This seems to have finally been fixed with the latest round of updates! You don't have to change any configuration files, just make sure you have the following package versions.

```
samba-common-3.0.9-1.3E.1
samba-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
krb5-workstation-1.2.7-31
krb5-libs-1.2.7-31
krb5-devel-1.2.7-31
```

Yes, now it seems to be okay! It is probably the update of the krb5 library.

```
[root@server root]# net ads testjoin
Join is OK
```

I have the same package versions as in comment #18, and no config files have been modified in the meantime.

Just to confirm that the krb library update has fixed the problem with the latest version of Samba using up2date:

```
samba-3.0.9-1.3E.1.i386.rpm
samba-client-3.0.9-1.3E.1.i386.rpm
samba-common-3.0.9-1.3E.1.i386.rpm
krb5-devel-1.2.7-31.i386.rpm
krb5-libs-1.2.7-31.i386.rpm
krb5-workstation-1.2.7-31.i386.rpm
```

It would be nice to have an explanation from Red Hat about what went wrong with this issue, so that we can be confident about using up2date in the future.

I have Samba 3.0.10 and still face the same problem when I try to issue the `net user` command or `net join` command etc.

```
[root@daddupc DHCP]# net user
root's password:
[2005/01/02 21:37:33, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No such file or directory
```

I am unable to understand the problem at all.

About comment 21: did you try to strace the net command to see if there's really a missing file?

My samba and krb4 versions are as follows:

```
krb5-devel-1.2.7-38
krb5-libs-1.2.7-38
krb5-workstation-1.2.7-38
samba-3.0.7-1.3E
samba-common-3.0.7-1.3E
samba-client-3.0.7-1.3E
```

and /etc/krb5.conf contains only these modifications in the libdefaults section:

```
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
```

As a result joining is OK. But 6 days before, joining was also OK without libdefaults modifications, until I made a test running `wbinfo -u`. And I get the same error:

```
[2005/02/23 21:41:01, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No credentials found with supported encryption types
```

Now I'm confused; I haven't changed or made any update in this period. I suspect the computer account that I created was changed somehow. But I couldn't find any changes in that account.

This problem has been fixed in later updates, closing it, please reopen if still relevant.
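
A follow-up check for hosts that applied the krb5.conf workaround from this thread, added here as an example and not code from the bug report, Red Hat or Samba: it parses a krb5.conf and lists the `[libdefaults]` enctype keys that are pinned to single-DES types only (enctypes that RFC 6649 deprecates for Kerberos), since the thread reports the later krb5-libs update works without those lines. The function names and the embedded sample are constructed for illustration; the key names are the ones quoted in the comments above.

```python
import re

# Enctype keys that appear in this thread's krb5.conf excerpts.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "default_etypes", "default_etypes_des"}

# Constructed sample, modelled on the [libdefaults] lines quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 600
 default_realm = IC.INTRANET.EPFL.CH
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = DES-CBC-MD5
 default_etypes = des-cbc-crc des-cbc-md5
[realms]
 # keys outside [libdefaults] are ignored by this check
"""

def libdefaults_enctypes(conf_text):
    """Return {key: [enctype, ...]} for enctype keys inside [libdefaults] only."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Lists may be space- or comma-separated; compare case-insensitively.
            found[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return found

def des_only_keys(conf_text):
    """Sorted keys whose every listed enctype is single DES (des-cbc-*)."""
    return sorted(key for key, etypes in libdefaults_enctypes(conf_text).items()
                  if etypes and all(e.startswith("des-cbc-") for e in etypes))

if __name__ == "__main__":
    for key in des_only_keys(SAMPLE_KRB5_CONF):
        print(f"{key}: pinned to single-DES enctypes only")
```
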