Bug 3547 - HOWTO/DOC: krb5.conf enctypes should contain arcfour-hmac-md5
Product: Samba 4.0
Classification: Unclassified
Component: Other
Other All
: P3 normal
Assigned To: Andrew Bartlett
Reported: 2006-02-23 17:01 UTC by B. de Bruin
Modified: 2008-09-12 05:12 UTC

Description B. de Bruin 2006-02-23 17:01:20 UTC
If krb5.conf does not contain arcfour-hmac-md5 in the list of enctypes, domain joins (and probably other interactions) are not successful.

The symptom can be found in the log files at debug level 2:

GSS(krb5) Update failed:  Miscellaneous failure (see text): failed to find PDC$@REALM(kvno 1) in keytab /usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)

It can be solved by adding arcfour-hmac-md5 to the list of enctypes or by reverting to the defaults by commenting out these lists.

This should at the very least be mentioned in the current howto.txt.
Additionally, it would be nice to know that samba4 actually relies on krb5.conf, which is not mentioned in the howto.txt either.
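
The check described in the report above, as an added example that is not part of the bug thread or of Samba's code: it scans a krb5.conf for enctype lists that are set but leave out arcfour-hmac-md5. The key names and aliases are the ones MIT krb5 uses (the report only says "the list of enctypes"), and the two sample configs are constructed.

```python
import re

# Key names from MIT krb5's [libdefaults]; the bug report does not name them.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# MIT krb5 treats these names as the same enctype.
ARCFOUR_ALIASES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}

def enctype_lists(conf_text):
    """Return {key: [enctypes]} for enctype lists set in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented out: library defaults apply
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = re.split(r"[,\s]+", value.lower())
    return found

def lists_missing(conf_text, needed=ARCFOUR_ALIASES):
    """Names of enctype lists that are set but omit the needed enctype."""
    return sorted(k for k, v in enctype_lists(conf_text).items()
                  if not needed & set(v))

# Constructed sample configs (realm and values are made up).
RESTRICTED = """
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5
    default_tgs_enctypes = des3-cbc-sha1, arcfour-hmac-md5
"""
DEFAULTS = """
[libdefaults]
    default_realm = EXAMPLE.TEST
#   default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5
"""

if __name__ == "__main__":
    for name, text in (("restricted", RESTRICTED), ("defaults", DEFAULTS)):
        print(name, lists_missing(text) or "no list omits arcfour-hmac-md5")
```
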
Comment 1 B. de Bruin 2006-03-08 13:14:59 UTC
Forgot to mention that the keytab file needs to be regenerated if the list of enc-types changes.
Comment 2 Andrew Bartlett 2007-07-17 00:15:54 UTC
We now use a fixed list of enc types in the secrets and server-side password store, so this shouldn't be an issue any more.

We still however read the krb5.conf for some things, and this should be better documented. 
Comment 3 Matthias Dieter Wallnöfer 2008-06-02 14:40:27 UTC
So, how far are we with this?
Comment 4 Andrew Bartlett 2008-06-02 17:44:46 UTC
An example krb5.conf is now generated by the provision.  It seems best not to specify encryption types at all, and let the libs use their sensible defaults. 
Comment 5 Matthias Dieter Wallnöfer 2008-06-03 01:08:36 UTC
OK. So, considering your comment, this is now appropriately fixed, isn't it?
Comment 6 Matthias Dieter Wallnöfer 2008-08-14 11:26:04 UTC
Andrew, what's your opinion: closing or leaving this open?
Comment 7 Matthias Dieter Wallnöfer 2008-09-12 05:12:18 UTC
I'll close this for now. If you aren't satisfied with our work, please reopen!