3317 – "net ads join" command produces errors in event viewer W2k3 SP1

Bug 3317 - "net ads join" command produces errors in event viewer W2k3 SP1

Summary: "net ads join" command produces errors in event viewer W2k3 SP1

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	net utility (show other bugs)
Version:	3.0.14a
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	none
Assignee:	Jim McDonough
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-12-12 08:12 UTC by Alex de Vaal
Modified:	2006-01-17 21:58 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex de Vaal 2005-12-12 08:12:31 UTC

"net ads join" command produces errors in event viewer on Windows server 2003 SP1:

While processing a TGS request for the target server host/dussel, 
the account DUSSEL$@NH-HOTELES.COM did not have a suitable key for 
generating a Kerberos ticket (the missing key has an ID of 8). 
The requested etypes were 18. The accounts available etypes were 23  -133  -128  3  1.
(and a few more)

net ads join -d10 gives following output:

[2005/11/18 12:44:52, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 18 failed: KDC has no support for encryption type
[2005/11/18 12:44:52, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2005/11/18 12:44:52, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 16 failed: KDC has no support for encryption type
[2005/11/18 12:44:52, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2005/11/18 12:44:53, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 2 failed: KDC has no support for encryption type
[2005/11/18 12:44:53, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
Joined 'DUSSEL' to realm 'NH-HOTELES.COM'
[2005/11/18 12:44:53, 2] utils/net.c:main(897)
  return code = 0

The join works; to me it seems to be cosmetic...

Reproduce; Always.

smb.conf:
[global]
	workgroup = NH-HOTELES
	realm = NH-HOTELES.COM
	server string = %h server (Samba %v)
	security = ADS
	password server = nhadm04.nh-hoteles.com, nhadm01.nh-hoteles.com
	log file = /var/log/samba/%m.log
	max log size = 200
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap cache time = 660
	domain master = No
	ldap timeout = 15
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /data/hom/%U
	template shell = /bin/bash
	winbind cache time = 660
	printer admin = root, "@NH-HOTELES.COM\Domain Admins", @NH-HOTELES.COM\DEP_ADMIN_BELGIUM
	oplocks = No
	level2 oplocks = No

Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-12-20 06:54:56 UTC

Try settingthe following in /etc/krb5.conf:

  default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-01-17 21:58:57 UTC

no response.  assuming this is fixed with the krb5.conf
updates