Bug 139668 - (IT_55976) samba update breaks winbind
samba update breaks winbind
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: samba (Show other bugs)
3.0
i586 Linux
medium Severity medium
: ---
: ---
Assigned To: Simo Sorce
: Regression
Depends On:
Blocks: 132991
  Show dependency treegraph
 
Reported: 2004-11-17 06:00 EST by steve kilgallon
Modified: 2007-11-30 17:07 EST (History)
10 users (show)

See Also:
Fixed In Version: samba-3.0.9-1.3E.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-22 09:33:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description steve kilgallon 2004-11-17 06:00:18 EST
Description of problem:
I updated samba with the following rpms
samba-client-3.0.7-1.3E.1.i386.rpm
samba-common-3.0.7-1.3E.1.i386.rpm
samba-3.0.7-1.3E.1.i386.rpm
After this my winbind authentication to 2003 Active Directory
stoped working, I could not retrieve valid group or user information 
using wbinfo
When I tried to rejoin the domain using
net ads join   I got the following error
[2004/11/17 10:12:34, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
I then reinstalled the previous versions of samba
samba-3.0.7-1.3E.i386.rpm
samba-client-3.0.7-1.3E.i386.rpm
samba-common-3.0.7-1.3E.i386.rpm
And everything worked fine



Version-Release number of selected component (if applicable):
samba-3.0.7-1.3E.1.i386.rpm

How reproducible:
I've done this on 2 machines

Steps to Reproduce:
1.Update samba
2.wbinfo -u
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Need Real Name 2004-11-19 12:16:15 EST
We are having the same problem (generic version of error)

[root@host root]# net join -U Username
Username's password: 
[2004/11/19 11:18:00, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
Joined domain DOMAINNAME.

[root@host root]# net ads testjoin
[2004/11/19 11:18:54, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Program lacks support for encryption type
Join to domain is not valid

A compile of Samba 3.0.8 does not have this behavior.
Comment 2 Ben Higgins 2004-11-23 09:42:11 EST
Similar behavior on two AS 3.0 servers here.   Prior to the up2date 
run last Wed. (11/17/04), authentication and communication with the 
Active Directory network worked like a charm.

From /var/log/samba/winbindd.log:

[2004/11/23 09:39:17, 1] libsmb/clikrb5.c:cli_krb5_get_ticket(399)
  krb5_set_default_tgs_ktypes failed (Program lacks support for 
encryption type)
[2004/11/23 09:39:17, 1] 
libsmb/cliconnect.c:cli_session_setup_kerberos(544)
  spnego_gen_negTokenTarg failed: Program lacks support for 
encryption type
Comment 3 Alessandro Crespi 2004-11-25 02:45:06 EST
We have the same problem (using Samba 3.0.7 under RHEL AS 3.0). I
everytime get this message. For example:

[user@server user]$ kinit username
Password for username@IC.INTRANET.EPFL.CH: 
[user@server user]$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@IC.INTRANET.EPFL.CH

Valid starting     Expires            Service principal
11/25/04 08:46:30  11/25/04 18:46:30 
krbtgt/IC.INTRANET.EPFL.CH@IC.INTRANET.EPFL.CH


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[user@server user]$ smbclient -k //WINSERVER/Share
krb5_set_default_tgs_ktypes failed (Program lacks support for
encryption type)
spnego_gen_negTokenTarg failed: Program lacks support for encryption type
session setup failed: NT_STATUS_OK
Comment 4 Nicholas Riley 2004-12-01 02:16:08 EST
Be careful reverting to earlier versions as you may erase the winbind database, causing all 
the uid/sid mappings to be recreated perhaps differently.  rpm --force -Uvh ... (where ... 
are the 3.0.7-1.3E versions) worked better.

I also tried just reverting the samba-common package (as it contains winbindd) but this 
did not fix the problem.
Comment 5 Bob Bartels 2004-12-03 10:39:48 EST
I think this is a kerberos issue. I installed MIT kerberos 1.3.5 and
then did a kinit administrator@domain. After which net ads join
-Uadministrator worked fine and I was able to rejoin a Windows 2003
domain operating in native mode.

I think you need MIT kerberos 1.3.4 to work with Windows2003 in Native
mode. RHES3 is still using 1.2.7? 

Hope it helps

Comment 6 Bob Bartels 2004-12-03 12:12:45 EST
I think this is a kerberos issue. I installed MIT kerberos 1.3.5 and
then did a kinit administrator@domain. After which net ads join
-Uadministrator worked fine and I was able to rejoin a Windows 2003
domain operating in native mode.

I think you need MIT kerberos 1.3.4 to work with Windows2003 in Native
mode. RHES3 is still using 1.2.7? 

Hope it helps
Comment 7 Bastien Nocera 2004-12-06 10:52:57 EST
When using those configurations in the libdefaults section of the
krb5.conf file:
default_etypes     = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
joining will work fine with krb5 1.2.7. The version of samba needs
however to be 3.0.9, 3.0.7 will not work.
Comment 8 Matt Seitz 2004-12-07 14:16:53 EST
Could someone give us an update or an estimate on when Red Hat plans
to fix this problem?  It's frustrating to have paid for Enterprise
Linux and not have this problem fixed, when the free version of Samba
works just fine.
Comment 9 Matt Seitz 2004-12-08 17:21:33 EST
RE: Comment 7

The original reporter and I were able to join a Windows Server 2003
active directory domain just fine using Samba version 3.0.7 (see
Comment 0 and Bug 129201, comment 4).  So the problem is not Samba
3.0.7.  The problem is the patches Red Hat applied between
samba-3.0.7-1.3E and samba-3.0.7-1.3E.1.
Comment 10 Jeff Balderson 2004-12-13 13:11:10 EST
My experience mirrors comment #9.  I'm running a fully patched RHEL ES
v3.0 system.  

With the following samba/krb5 packages installed, I was unable to join
a Windows 2003 AD domain.

pam_krb5-1.73-1
samba-3.0.7-1.3E.1
samba-common-3.0.7-1.3E.1
samba-client-3.0.7-1.3E.1
krb5-workstation-1.2.7-28
krb5-libs-1.2.7-28

It kept complaining "ads_connect: Program lacks support for encryption
type" and failing. 

I downgraded all three samba packages to "3.0.7-1.3E", making no other
changes, and the "net ads join" proceeded without incident.  Something
introduced in the 3.0.7-1.3E.1 RPM must be the culprit.
Comment 11 EE CAP Admin 2004-12-13 19:19:23 EST
I have to say I'm starting to get annoyed with the length of time it
is taking redhat to fix bugs in El3.  This in particular is a serious
problem and needs immediate attention.

I echo comment 8... when is this going to be fixed?  Let me know what
I tell my boss (who is complaining that ACLs are broken... hence me
stumbling across this bugzilla report) when I need to get
authorisation to buy new redhat licenses.  This has been in bugzilla
for almost a month.

Paul
Comment 12 steve kilgallon 2004-12-17 03:54:01 EST
Same problem with the latest updates

samba-client-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-3.0.9-1.3E.1


net ads join  ......

 utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type
Comment 13 Alessandro Crespi 2004-12-17 06:54:30 EST
I confirm, same problem with:

samba-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1

[root@server root]# net ads testjoin                             
[2004/12/17 12:52:41, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type
Join to domain is not valid

Note that this server is correctly joined to the domain (it was joined
before this problem appeared)...
Comment 14 Bastien Nocera 2004-12-17 07:02:22 EST
Alessandro, did you change your krb5.conf as per comment 7?
Comment 15 Alessandro Crespi 2004-12-17 07:07:24 EST
Yes, I my [libdefaults] sections looks like this:

[libdefaults]
 ticket_lifetime = 600
 default_realm = IC.INTRANET.EPFL.CH
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_etypes     = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5

I tried to remove the two other default_ lines (default_tkt and
default_tgs) but nothing changes.
Comment 16 Matt Seitz 2004-12-17 21:20:26 EST
Perhaps someone from Red Hat could post a known working smb.conf and
krb5.conf?
Comment 17 Philipp Gantert 2004-12-20 02:46:55 EST
I see many people have the same problem like me.
Could anybody fix this problem?

My problem is:

[root@rhes3-1 ~]# net ads join -l -U administrator
administrator's password:
[2004/12/20 08:25:35, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Program lacks support for encryption type

My package-list is:

samba-3.0.9-1.3E.1
samba-common-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
krb5-workstation-1.2.7-28
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28


I know, when you want to mount a SHARE from a Win2003 DC, then you 
must change some GPO's...
Is it possible that this problem has o do with this?



Comment 18 Ciaran Carter 2004-12-22 08:49:21 EST
This seems to have finally been fixed with the latest round of
updates! You dont have to change any configuration files just make
sure you have the following package versions.

samba-common-3.0.9-1.3E.1
samba-3.0.9-1.3E.1
samba-client-3.0.9-1.3E.1
krb5-workstation-1.2.7-31
krb5-libs-1.2.7-31
krb5-devel-1.2.7-31
Comment 19 Alessandro Crespi 2004-12-22 09:14:20 EST
Yes, now it seems to be okay! It is probably the update of the krb5
library.

[root@server root]# net ads testjoin
Join is OK

I have the same package versions as in comment #18, and no config
files have been modified in the meantime.
Comment 20 steve kilgallon 2004-12-23 06:11:05 EST
Just to confirm that the krb library update has fixed the problem 
with the latest version of samba using up2date
samba-3.0.9-1.3E.1.i386.rpm
samba-client-3.0.9-1.3E.1.i386.rpm
samba-common-3.0.9-1.3E.1.i386.rpm

krb5-devel-1.2.7-31.i386.rpm
krb5-libs-1.2.7-31.i386.rpm
krb5-workstation-1.2.7-31.i386.rpm

It would be nice to have an explanation from redhat about what went 
wrong with this issue, so that we can be confident about using 
up2date in the future.


Comment 21 anubhav 2005-01-02 18:36:44 EST
i have samba 3.0.10 and still face the same problem when i try to
issue the net user command or net join command etc. 

[root@daddupc DHCP]# net user
root's password:
[2005/01/02 21:37:33, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No such file or directory

i am unable to understand the problem at all.
Comment 22 Alessandro Crespi 2005-01-02 18:55:06 EST
About comment 21: did you try to strace the net command to see if
there's really a missing file?
Comment 23 aydin sasmaz 2005-02-23 14:45:15 EST
my samba and krb4 versions are as follows

krb5-devel-1.2.7-38
krb5-libs-1.2.7-38
krb5-workstation-1.2.7-38

samba-3.0.7-1.3E
samba-common-3.0.7-1.3E
samba-client-3.0.7-1.3E

and /etc/krb5.conf contains only these modifications on libdefaults 
section. 
 default_tkt_enctypes = DES-CBC-MD5
 default_tgs_enctypes = DES-CBC-MD5

as a result joining is OK. But 6 days before joining was also OK 
without libdefaults modifications until i make a test running wbinfo -
u. And i get the same error 

[2005/02/23 21:41:01, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No credentials found with supported encryption types


Now i m confused i haven't changed or made any update in these 
period. I suspect computer account that i created was changed 
somehow. But i couldn.t find any changes in that account.
Comment 24 aydin sasmaz 2005-02-24 11:49:22 EST
my samba and krb4 versions are as follows

krb5-devel-1.2.7-38
krb5-libs-1.2.7-38
krb5-workstation-1.2.7-38

samba-3.0.7-1.3E
samba-common-3.0.7-1.3E
samba-client-3.0.7-1.3E

and /etc/krb5.conf contains only these modifications on libdefaults 
section. 
 default_tkt_enctypes = DES-CBC-MD5
 default_tgs_enctypes = DES-CBC-MD5

as a result joining is OK. But 6 days before joining was also OK 
without libdefaults modifications until i make a test running wbinfo -
u. And i get the same error 

[2005/02/23 21:41:01, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: No credentials found with supported encryption types


Now i m confused i haven't changed or made any update in these 
period. I suspect computer account that i created was changed 
somehow. But i couldn.t find any changes in that account.
Comment 28 Simo Sorce 2007-10-22 09:33:50 EDT
This problem has been fixed in later updates, closing it, please reopen if still
relevant.

Note You need to log in before you can comment on or make changes to this bug.