Mailinglist Archive: opensuse-factory (355 mails)

< Previous Next >
Re: [opensuse-factory] TW: net ads join - secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
  • From: Andreas Vetter <vetter@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 12 Mar 2020 10:02:28 +0100
  • Message-id: <12187517.6Z8uWmv1HG@wpyc055>
On Wednesday, March 11, 2020 6:37:43 PM CET Andrei Borzenkov wrote:
11.03.2020 14:02, Andreas Vetter пишет:
On Wednesday, March 11, 2020 11:18:22 AM CET Andrei Borzenkov wrote:
On Wed, Mar 11, 2020 at 1:06 PM Andreas Vetter

<vetter@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
I try to join a Tumbleweed to an AD, I get the following error:

tw:~ # net ads join -U username
Enter username's password:
secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key
failed:
Bad encryption type
secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed
for
UNI- WUERZBURG - NT_STATUS_UNSUCCESSFUL
libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed
NT_STATUS_UNSUCCESSFUL
Failed to join domain: This machine is not currently joined to a domain.

The smb.conf works in Leap 15.1 and 15.2, so this must be something new.
Google only showed me a fedora bug. It's about removes support dor DES
from
kerberos:
https://bugzilla.redhat.com/show_bug.cgi?id=1757071

Beginning with the krb5-1.18 release, single-DES encryption types are
no longer supported.
https://web.mit.edu/kerberos/krb5-1.18/

Thank you Andrei.

How to proceed?

So questions to Samba folks:
Do I have to change my smb.conf?

Does using "kerberos encryption types = strong" help?

No, I tried already. Does not change the error message.

Although SAMBA should negotiate encryption and hopefully use strong
encryption if DC supports it. So it sounds more like AD configuration
question.

So I have to talk to the AD admins. Any hints how the encryption parameters
are called in AD-speech?

Do I have to wait for samba 4.12?


--

Mit freundlichen Gruessen,
Andreas Vetter



--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >