[opensuse-factory] TW: net ads join - secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
Hi, I try to join a Tumbleweed to an AD, I get the following error:

tw:~ # net ads join -U username
Enter username's password:
secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for UNI-WUERZBURG - NT_STATUS_UNSUCCESSFUL
libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
Failed to join domain: This machine is not currently joined to a domain.

The smb.conf works in Leap 15.1 and 15.2, so this must be something new. Google only showed me a Fedora bug. It's about removing support for DES from Kerberos: https://bugzilla.redhat.com/show_bug.cgi?id=1757071

How to proceed?

--
Kind regards,
Andreas Vetter
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Mar 11, 2020 at 1:06 PM Andreas Vetter <vetter@physik.uni-wuerzburg.de> wrote:
> Hi, I try to join a Tumbleweed to an AD, I get the following error:
>
> tw:~ # net ads join -U username
> Enter username's password:
> secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
> secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for UNI-WUERZBURG - NT_STATUS_UNSUCCESSFUL
> libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
> Failed to join domain: This machine is not currently joined to a domain.
>
> The smb.conf works in Leap 15.1 and 15.2, so this must be something new. Google only showed me a Fedora bug. It's about removing support for DES from Kerberos: https://bugzilla.redhat.com/show_bug.cgi?id=1757071

Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported. https://web.mit.edu/kerberos/krb5-1.18/

> How to proceed?
> --
> Kind regards,
> Andreas Vetter
On Wednesday, March 11, 2020 11:18:22 AM CET Andrei Borzenkov wrote:
> On Wed, Mar 11, 2020 at 1:06 PM Andreas Vetter <vetter@physik.uni-wuerzburg.de> wrote:
> > Hi, I try to join a Tumbleweed to an AD, I get the following error:
> >
> > tw:~ # net ads join -U username
> > Enter username's password:
> > secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
> > secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for UNI-WUERZBURG - NT_STATUS_UNSUCCESSFUL
> > libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
> > Failed to join domain: This machine is not currently joined to a domain.
> >
> > The smb.conf works in Leap 15.1 and 15.2, so this must be something new. Google only showed me a Fedora bug. It's about removing support for DES from Kerberos: https://bugzilla.redhat.com/show_bug.cgi?id=1757071
>
> Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported. https://web.mit.edu/kerberos/krb5-1.18/

Thank you Andrei.

> > How to proceed?

So questions to Samba folks: Do I have to change my smb.conf? Do I have to wait for samba 4.12?

--
Kind regards,
Andreas Vetter
11.03.2020 14:02, Andreas Vetter wrote:
> On Wednesday, March 11, 2020 11:18:22 AM CET Andrei Borzenkov wrote:
> > On Wed, Mar 11, 2020 at 1:06 PM Andreas Vetter <vetter@physik.uni-wuerzburg.de> wrote:
> > > Hi, I try to join a Tumbleweed to an AD, I get the following error:
> > >
> > > tw:~ # net ads join -U username
> > > Enter username's password:
> > > secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
> > > secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for UNI-WUERZBURG - NT_STATUS_UNSUCCESSFUL
> > > libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
> > > Failed to join domain: This machine is not currently joined to a domain.
> > >
> > > The smb.conf works in Leap 15.1 and 15.2, so this must be something new. Google only showed me a Fedora bug. It's about removing support for DES from Kerberos: https://bugzilla.redhat.com/show_bug.cgi?id=1757071
> >
> > Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported. https://web.mit.edu/kerberos/krb5-1.18/
>
> Thank you Andrei.
>
> > > How to proceed?
>
> So questions to Samba folks: Do I have to change my smb.conf?

Does using "kerberos encryption types = strong" help? Although SAMBA should negotiate encryption and hopefully use strong encryption if the DC supports it. So it sounds more like an AD configuration question.

> Do I have to wait for samba 4.12?
On Wednesday, March 11, 2020 6:37:43 PM CET Andrei Borzenkov wrote:
> 11.03.2020 14:02, Andreas Vetter wrote:
> > On Wednesday, March 11, 2020 11:18:22 AM CET Andrei Borzenkov wrote:
> > > On Wed, Mar 11, 2020 at 1:06 PM Andreas Vetter <vetter@physik.uni-wuerzburg.de> wrote:
> > > > Hi, I try to join a Tumbleweed to an AD, I get the following error:
> > > >
> > > > tw:~ # net ads join -U username
> > > > Enter username's password:
> > > > secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
> > > > secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for UNI-WUERZBURG - NT_STATUS_UNSUCCESSFUL
> > > > libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
> > > > Failed to join domain: This machine is not currently joined to a domain.
> > > >
> > > > The smb.conf works in Leap 15.1 and 15.2, so this must be something new. Google only showed me a Fedora bug. It's about removing support for DES from Kerberos: https://bugzilla.redhat.com/show_bug.cgi?id=1757071
> > >
> > > Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported. https://web.mit.edu/kerberos/krb5-1.18/
> >
> > Thank you Andrei.
> >
> > > > How to proceed?
> >
> > So questions to Samba folks: Do I have to change my smb.conf?
>
> Does using "kerberos encryption types = strong" help?

No, I tried already. Does not change the error message.

> Although SAMBA should negotiate encryption and hopefully use strong encryption if the DC supports it. So it sounds more like an AD configuration question.

So I have to talk to the AD admins. Any hints how the encryption parameters are called in AD-speech?

> > Do I have to wait for samba 4.12?

--
Kind regards,
Andreas Vetter
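
On the closing question about what the encryption parameters are called on the AD side, an added example that is not part of the original thread and is not Samba or Microsoft code: Active Directory stores each account's permitted Kerberos encryption types in the msDS-SupportedEncryptionTypes attribute as a bit mask. The Python below decodes that mask and flags accounts that still list single-DES, which krb5-1.18 no longer supports; the account names and mask values are constructed and the function names are hypothetical.

```python
# Added example. Bit values are those Microsoft documents for the
# msDS-SupportedEncryptionTypes attribute; the accounts below are constructed.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
ENCTYPE_MASK = 0x1F  # higher bits carry feature flags, not enctypes
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}  # unsupported from krb5-1.18 on


def decode_enctypes(mask):
    """Return the enctype names set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]


def audit_account(name, mask):
    """Classify one account for a client whose krb5 library has no single-DES."""
    enabled = decode_enctypes(mask)
    des = [e for e in enabled if e in SINGLE_DES]
    usable = [e for e in enabled if e not in SINGLE_DES]
    if (mask & ENCTYPE_MASK) == 0:
        status = "unset"        # no explicit list, the KDC default applies
    elif not usable:
        status = "des-only"     # nothing left once single-DES is dropped
    elif des:
        status = "des-enabled"  # usable, but the DES bits should be cleared
    else:
        status = "ok"
    return {"account": name, "status": status, "usable": usable, "des": des}


# Constructed sample: (sAMAccountName, msDS-SupportedEncryptionTypes)
SAMPLE = [("TW$", 0x1C), ("LEGACY$", 0x03), ("OLDSRV$", 0x1F), ("NEWHOST$", 0x00)]


def audit(accounts):
    """Audit a list of (name, mask) pairs, preserving input order."""
    return [audit_account(name, mask) for name, mask in accounts]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["account"], row["status"], ",".join(row["usable"]) or "-")
```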
participants (2)
- Andreas Vetter
- Andrei Borzenkov