"net ads join" command produces errors in event viewer on Windows server 2003 SP1: While processing a TGS request for the target server host/dussel, the account DUSSEL$@NH-HOTELES.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1. (and a few more) net ads join -d10 gives following output: [2005/11/18 12:44:52, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 18 failed: KDC has no support for encryption type [2005/11/18 12:44:52, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type [2005/11/18 12:44:52, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 16 failed: KDC has no support for encryption type [2005/11/18 12:44:52, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type [2005/11/18 12:44:53, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 2 failed: KDC has no support for encryption type [2005/11/18 12:44:53, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type Joined 'DUSSEL' to realm 'NH-HOTELES.COM' [2005/11/18 12:44:53, 2] utils/net.c:main(897) return code = 0 The join works; to me it seems to be cosmetic... Reproduce; Always. 
smb.conf:

[global]
    workgroup = NH-HOTELES
    realm = NH-HOTELES.COM
    server string = %h server (Samba %v)
    security = ADS
    password server = nhadm04.nh-hoteles.com, nhadm01.nh-hoteles.com
    log file = /var/log/samba/%m.log
    max log size = 200
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap cache time = 660
    domain master = No
    ldap timeout = 15
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /data/hom/%U
    template shell = /bin/bash
    winbind cache time = 660
    printer admin = root, "@NH-HOTELES.COM\Domain Admins", @NH-HOTELES.COM\DEP_ADMIN_BELGIUM
    oplocks = No
    level2 oplocks = No
Try setting the following in /etc/krb5.conf:

default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
No response. Assuming this is fixed with the krb5.conf updates.
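
Added example (not part of the original thread or of Samba's code): a small Python check that compares the enctypes the client tried in the `net ads join -d10` log with the etypes the Windows event reports for the account, which shows why only the three types in the suggested krb5.conf can succeed. The function names are hypothetical, and both samples are copied from the report above.

```python
import re

# Kerberos encryption type numbers with their common krb5.conf names.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

# Both samples are copied from the report above.
EVENT_TEXT = ("The requested etypes were 18. "
              "The accounts available etypes were 23 -133 -128 3 1.")
JOIN_LOG = """\
get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 18 failed: KDC has no support for encryption type
get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 16 failed: KDC has no support for encryption type
get_service_ticket: krb5_get_credentials for host/dussel@NH-HOTELES.COM enctype 2 failed: KDC has no support for encryption type
"""

def failed_etypes(join_log):
    """Enctype numbers the client requested and the KDC refused."""
    pattern = r"enctype (-?\d+) failed: KDC has no support"
    return [int(n) for n in re.findall(pattern, join_log)]

def account_etypes(event_text):
    """Etype numbers the KDC event lists as available for the account."""
    m = re.search(r"available etypes were ((?:-?\d+\s*)+)", event_text)
    return [int(n) for n in m.group(1).split()] if m else []

def etype_name(number):
    """Standard name, or a marker for vendor-private (negative) values."""
    return ETYPE_NAMES.get(number, f"vendor-private({number})")

def compare(join_log, event_text):
    """Split etypes into those the KDC refused and those a client can use."""
    available = account_etypes(event_text)
    refused = [e for e in failed_etypes(join_log) if e not in available]
    usable = [e for e in available if e in ETYPE_NAMES]
    return {"refused": refused, "usable": usable}

if __name__ == "__main__":
    result = compare(JOIN_LOG, EVENT_TEXT)
    print("refused by KDC:", [etype_name(e) for e in result["refused"]])
    print("usable for this account:", [etype_name(e) for e in result["usable"]])
```

The usable set here contains only DES and RC4 types, which RFC 6649 and RFC 8429 have since deprecated.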