Bug 7901 - smbd restart now gave "KDC has no support for encryption type", after we upgrade PDC from Win2k3 to Win2k8
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services
Version: 3.5.6
Hardware: x64 Solaris
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2011-01-04 15:07 UTC by Allen Zhao
Modified: 2011-07-22 19:19 UTC
Description Allen Zhao 2011-01-04 15:07:14 UTC
We have been using samba 3.4/solaris10/x64 authenticated against Win2K3 R2 for more than a year. Ever since we upgraded all our AD servers from Win2K3 R2 to Win2K8 R2 and then restarted the samba daemon, share access from Windows clients started to prompt for a password, and none of the krb5 settings work. Eventually, we found a temporary workaround: configure a Win2K3 R2 server as an AD replica server in our 2008 domain, and run `net ads join` against the Win2K3 server! Currently, I am not using the sunfreeware.org 3.4.2 binary anymore; I compile it myself from the stable 3.5.6 source tree.

1) krb5.conf
-bash-3.00# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = GTISOFT.COM
        default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

[realms]
        GTISOFT.COM = {
        kdc = gamma-master.gtisoft.com
        admin_server = gamma-master.gtisoft.com
        default_domain = gtisoft.com
        }

[domain_realm]
        gtisoft.com = GTISOFT.COM
        .gtisoft.com = GTISOFT.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
        period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
        version = 10
        }
[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }
        gkadmin = {
        help_url = http://docs.sun.com/app/docs/doc/816-4557/6maosrjk8?a=view
        }

2) Global setting of smb.conf

-bash-3.00# cat /usr/local/samba/lib/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (192.168.100.68)
# Date: 2011/01/04 11:37:36

[global]
        workgroup = GTISOFT
        realm = GTISOFT.COM
        server string = Gamma File Server
        security = ADS
        password server = wolfgang
        username map = /usr/local/samba/lib/smbusers
        kerberos method = system keytab
        wins server = wolfgang
        ldap ssl = no
        ldap debug level = 1
        create krb5 conf = No
        dos filemode = Yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0644
        browseable = No

3) Using krb5.keytab created by `net ads join`

   * if `net ads join` targets the only W2K3 AD server, samba functions OK

   * if `net ads join` targets any of the W2K8 AD server(s), the smbd restart will show in syslog:
[2011/01/04 11:37:12,  0] smbd/server.c:1119(main)
  smbd version 3.5.6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/01/04 11:37:12.271311,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password BERNSTEIN$@GTISOFT.COM failed: KDC has no support for encryption type
[2011/01/04 11:37:12.271534,  0] printing/nt_printing.c:629(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

and browsing from Windows client will show following error:

[2011/01/04 15:05:19.404262,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

What is strange about this is that the kerberos setting tests OK with kinit and klist.
Comment 1 Allen Zhao 2011-01-04 15:30:51 UTC
Some other related observations:

1) Sun's own sshd depends on /etc/krb5/krb5.keytab for Kerberos 5 auth on Solaris 10, and samba is using /etc/krb5.keytab (it will be updated whenever `net ads join` is run and the servicePrincipal's keys are reset).

2) Every time `net ads join` is used, the krb5 keys will be forced to change. This is different from the ktpass.exe behavior on Win2K8: ktpass.exe, when run multiple times, does not change keys. ktpass.exe will change keys only when and after `net ads join` is run. This seems to indicate some key compatibility issues (more on this later).

3) Right after `net ads join` is executed, user ssh access will not work anymore (obviously, because net changes the key on the server side).

4) If I use ktpass.exe to create keys for HOST/fqdn@GTISOFT.COM, HOST/hostname@GTISOFT.COM and hostname$@GTISOFT.COM (basically mimicking the key structure generated by `net ads join`) and then use ktutil to combine all the principal keys into a single krb5.keytab (only keeping the DES-CBC-CRC/DES-CBC-MD5 keys), the ssh user access can be fixed, but the same krb5.keytab will fail the samba restart as reported earlier (KDC has no support for encryption type).

5) If I use `net ads join` to create /etc/krb5.keytab, it will surely break Sun's sshd auth, but the smbd restart will have no error anymore, though the Windows client browse will still prompt for a password (only if `net ads join` is run targeting a Win2K8 server).

I know all these reports are confusing, but am I missing something here?
Comment 2 Andrew Bartlett 2011-01-10 20:11:45 UTC
The issue here is DES encryption in Kerberos.   This old and insecure encryption type is being phased out. 

Is the 'use DES key only' set on your machine account?  A bug causing this to be set when not required was fixed for 3.6.

Also, remove the default_tkt_enctypes line from your krb5.conf, as this is forcing you to use DES when Windows 2008 has banned its use as insecure.
Comment 3 Andrew Bartlett 2011-01-11 16:24:16 UTC
Reducing severity as you have a workaround and this appears to be either a client configuration issue, or an issue with the specific kerberos libraries on this system. 
Comment 4 Allen Zhao 2011-07-13 14:19:43 UTC
Some progress:

If I use

-bash-3.00# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = GTISOFT.COM
        default_tgs_enctypes = aes256-hmac-md5
        default_tkt_enctypes = aes256-hmac-md5

the krb5/smbd auth against Windows 2008R2 will be OK. As an alternative, the following also works:

[libdefaults]
        default_realm = GTISOFT.COM
        default_tgs_enctypes = arcfour-hmac-md5
        default_tkt_enctypes = arcfour-hmac-md5

Following is the key content as created by `net ads join`:
-bash-3.00# klist -k -t -K /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
  15 07/13/11 07:05:43 host/BERNSTEIN@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 host/BERNSTEIN@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 host/BERNSTEIN@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
  15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
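The klist output above shows the raw key bytes but not the enctype of each key, and Comment 2 points at the DES-only flag on the machine account as the other half of the negotiation. The script below is an added example, not code from the bug report or from Samba: it parses a `klist -k -t -K` listing, infers from the key length which enctypes each keytab key can belong to, models which enctypes the KDC will use for the account from userAccountControl and msDS-SupportedEncryptionTypes, and then walks the two exchanges smbd depends on (kinit as the machine account, then verifying an incoming service ticket) to show which one breaks. The constants UF_USE_DES_KEY_ONLY (0x200000) and the msDS-SupportedEncryptionTypes bits are the documented AD values; the KDC key-selection rules in `account_enctypes` are a simplified model, stated as an assumption in the code, and the enctype spellings are the canonical MIT/Heimdal names (aes256-cts-hmac-sha1-96, arcfour-hmac) rather than the ones used in Comment 4. The keytab listing embedded in the script is copied from the output above.

```python
"""Added example (not from the bug report or the Samba project): replay the
enctype negotiation behind "KDC has no support for encryption type" and
"Failed to verify incoming ticket" from three inputs: the enctypes the client
asks for, the enctypes the KDC will use for the machine account, and the keys
present in the local keytab as printed by `klist -k -t -K`."""
import re

# userAccountControl flag behind "Use DES encryption types for this account".
UF_USE_DES_KEY_ONLY = 0x200000

# msDS-SupportedEncryptionTypes bits, with the canonical MIT/Heimdal names.
MSDS_SUPPORTED_ENCTYPES = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}
# Strongest first: the order a KDC prefers when picking a service-ticket key.
PREFERENCE = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
              "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]

# `klist -K` prints raw key bytes, not enctype numbers; the key length narrows
# the candidates: DES 8 bytes, RC4 and AES-128 16 bytes, AES-256 32 bytes.
KEY_LENGTH_TO_ENCTYPES = {
    8: DES_ENCTYPES,
    16: {"arcfour-hmac", "aes128-cts-hmac-sha1-96"},
    32: {"aes256-cts-hmac-sha1-96"},
}

KLIST_ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<stamp>\S+\s+\S+)\s+(?P<princ>\S+)\s+"
    r"\(0x(?P<key>[0-9a-f]+)\)\s*$", re.IGNORECASE)


def parse_klist_keytab(text):
    """Parse `klist -k -t -K` output into (kvno, principal, key bytes) tuples."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m["kvno"]), m["princ"], bytes.fromhex(m["key"])))
    return entries


def keytab_enctypes(entries):
    """Map each principal to the enctypes its keytab keys could belong to."""
    by_princ = {}
    for _kvno, princ, key in entries:
        by_princ.setdefault(princ, set()).update(
            KEY_LENGTH_TO_ENCTYPES.get(len(key), set()))
    return by_princ


def account_enctypes(user_account_control, msds_supported_enctypes, kdc_allows_des):
    """Enctypes the KDC will use for the account's long-term keys.

    Simplified model (assumption, not a transcript of the Windows KDC): the
    DES-only flag wins; an absent msDS-SupportedEncryptionTypes means RC4 only;
    a KDC with DES disabled (the Windows Server 2008 R2 default) drops DES."""
    if user_account_control & UF_USE_DES_KEY_ONLY:
        wanted = set(DES_ENCTYPES)
    elif msds_supported_enctypes is None:
        wanted = {"arcfour-hmac"}
    else:
        wanted = {name for bit, name in MSDS_SUPPORTED_ENCTYPES.items()
                  if msds_supported_enctypes & bit}
    return wanted if kdc_allows_des else wanted - DES_ENCTYPES


def diagnose(client_enctypes, kdc_enctypes, keytab_types):
    """Walk the two exchanges smbd depends on and report where it breaks.

    1. kinit as the machine account: the KDC needs one of the requested
       enctypes among the account's keys, else "KDC has no support for
       encryption type".
    2. incoming service ticket: the KDC encrypts it with the strongest key the
       account supports; the keytab must hold that key, else smbd logs
       "Failed to verify incoming ticket"."""
    if not set(client_enctypes) & kdc_enctypes:
        return ("kinit", "KDC has no support for encryption type")
    ticket_etype = next((e for e in PREFERENCE if e in kdc_enctypes), None)
    if ticket_etype not in keytab_types:
        return ("verify-ticket", ticket_etype)
    return ("ok", ticket_etype)


# Keytab listing copied from Comment 4 (same principals, same key bytes).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
  15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x9dc4ce2c79917cc8)
  15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
"""

if __name__ == "__main__":
    types = keytab_enctypes(parse_klist_keytab(SAMPLE_KLIST))["BERNSTEIN$@GTISOFT.COM"]
    # Plain workstation trust account (UF_WORKSTATION_TRUST_ACCOUNT = 0x1000),
    # no DES flag, on a KDC that has DES disabled.
    kdc = account_enctypes(0x1000, None, kdc_allows_des=False)
    for client in (["des-cbc-md5", "des-cbc-crc"], ["arcfour-hmac"]):
        print(client, "->", diagnose(client, kdc, types))
```

Run as-is it prints the DES-only client list failing at kinit and the arcfour list succeeding, which is the difference between the original krb5.conf and the working one in this comment. To apply it to a real host, read userAccountControl and msDS-SupportedEncryptionTypes from the computer object and pass them to `account_enctypes`; a 16-byte key in the listing is ambiguous between RC4 and AES-128, so the keytab check reports a possible match rather than a proof.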
Comment 5 Allen Zhao 2011-07-22 19:19:48 UTC
We finally resolved the issue:

The real issue is the HOST\copland account I had to create in AD's Users section. The account was added so that ktpass could be used to create the keytab. This worked fine in Win2k3, but when we moved to Win2k8, the reported issue started to bug me.

Once I removed the HOST\copland account from Users on the domain controller, removed /etc/krb5.keytab, and then used `net ads join` to create copland in the Computers section in AD, all problems were gone.