Bug 3317 - "net ads join" command produces errors in event viewer W2k3 SP1
"net ads join" command produces errors in event viewer W2k3 SP1
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: net utility
3.0.14a
x86 Linux
: P3 normal
: none
Assigned To: Jim McDonough
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-12 08:12 UTC by Alex de Vaal
Modified: 2006-01-17 21:58 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex de Vaal 2005-12-12 08:12:31 UTC
"net ads join" command produces errors in event viewer on Windows server 2003 SP1:

While processing a TGS request for the target server host/dussel, 
the account DUSSEL$@NH-HOTELES.COM did not have a suitable key for 
generating a Kerberos ticket (the missing key has an ID of 8). 
The requested etypes were 18. The accounts available etypes were 23  -133  -128  3  1.
(and a few more)

net ads join -d10 gives following output:

[2005/11/18 12:44:52, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 18 failed: KDC has no support for encryption type
[2005/11/18 12:44:52, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2005/11/18 12:44:52, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 16 failed: KDC has no support for encryption type
[2005/11/18 12:44:52, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2005/11/18 12:44:53, 5] libads/kerberos.c:get_service_ticket(367)
  get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 2 failed: KDC has no support for encryption type
[2005/11/18 12:44:53, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
Joined 'DUSSEL' to realm 'NH-HOTELES.COM'
[2005/11/18 12:44:53, 2] utils/net.c:main(897)
  return code = 0

The join works; to me it seems to be cosmetic...

Reproduce; Always.

smb.conf:
[global]
	workgroup = NH-HOTELES
	realm = NH-HOTELES.COM
	server string = %h server (Samba %v)
	security = ADS
	password server = nhadm04.nh-hoteles.com, nhadm01.nh-hoteles.com
	log file = /var/log/samba/%m.log
	max log size = 200
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap cache time = 660
	domain master = No
	ldap timeout = 15
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /data/hom/%U
	template shell = /bin/bash
	winbind cache time = 660
	printer admin = root, "@NH-HOTELES.COM\Domain Admins", @NH-HOTELES.COM\DEP_ADMIN_BELGIUM
	oplocks = No
	level2 oplocks = No
Comment 1 Gerald (Jerry) Carter 2005-12-20 06:54:56 UTC
Try settingthe following in /etc/krb5.conf:

  default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC


Comment 2 Gerald (Jerry) Carter 2006-01-17 21:58:57 UTC
no response.  assuming this is fixed with the krb5.conf
updates