I'm sorry about the delay in responding to this report. I overlooked it at the time it originally came in and then have been struggling to find time to go through bug reports since.
Back in January, you wrote:

> I installed winbind, which pulled in libkrb53. After setting winbind up to
> join an Active Directory domain, and trying to do so, the event logs on
> the PDC were filled with errors containing the message:
>
> ===
> While processing a TGS request for the target
> server foo/bar, the account [EMAIL PROTECTED] did not
> have a suitable key for generating a Kerberos ticket (the missing key
> has an ID of <somenumber>). The requested etypes were <anothernumber>.
> The accounts available etypes were 23 -133 -128 3 1.
> ===
>
> I remembered having the same problem last summer, but did not remember
> how exactly I fixed it. In the end I found
> http://diswww.mit.edu:8008/menelaus.mit.edu/krb5-bugs/7083 and
> http://diswww.mit.edu:8008/menelaus.mit.edu/krb5-bugs/7084, which put me on
> the right track: libkrb53 was requesting the wrong etype. I remembered
> fixing that by modifying the krb5 configuration file in the other case, so
> I copied it over to the new machine (which had no krb5.conf in place).
> This fixed it.
>
> Apparently libkrb53 has bad compiled-in defaults; these should be fixed.

To provide some background, the etypes are the supported encryption types. They are negotiated between the KDC, the client, and the remote service, and for Kerberos authentication to be successful, the various parties to the authentication have to agree on enctypes for the pieces of the authentication that they each have to support.

The bugs you mentioned were caused by someone explicitly configuring their system to request an enctype that Windows doesn't support. As soon as they changed their krb5.conf to not do this, things started working again. This problem isn't the same as that one, since the enctype that they were requesting isn't one that the MIT Kerberos libraries request by default.
Unfortunately, I really need the value of <anothernumber> from your quoted section above to understand what's going on, since that was apparently the enctype that winbind was requesting. Normally, the libraries should allow for any supported enctype, which is a list much longer than just one number. The mystery here is why winbind was only requesting one particular enctype and why it was one that your AD PDC didn't support. It would help to know what that enctype was.

One interesting thing that I do notice is that winbind doesn't depend on any Kerberos configuration. I wonder if the problem would go away if you installed krb5-config on the system; if so, perhaps winbind should depend on that package, although I understand why they wouldn't for sites that aren't really using Kerberos and are only using NTLM. I'm not positive what list of enctypes the MIT Kerberos libraries default to if no krb5.conf file is present.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
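The negotiation Russ describes can be checked directly against the text of the Windows event quoted in the report: the two number lists are the enctypes the client asked for and the enctypes the KDC holds keys for, and the TGS request succeeds only if they intersect. The following is an added example, not code from the bug report, from Russ, or from the winbind or MIT Kerberos projects. The sample event text is constructed from the shape of the quoted message; the "requested etypes were 18 17" value in it is hypothetical, since the report elides that number, and user@EXAMPLE.COM is a placeholder. The negative values a Windows 2000 DC lists fall in the private-use enctype range and are not named here.

```python
"""Decode the enctype lists in a KDC 'did not have a suitable key' event
and check whether the two sides could have agreed on one."""
import re

# Enctype numbers assigned in RFC 3961 / RFC 3962 / RFC 4757.  Negative
# values fall in the private-use range (RFC 3961, section 8); the ones a
# Windows 2000 DC lists are Microsoft's pre-standard RC4 variants and are
# labelled generically rather than guessed at.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Single DES and the RC4 family: the enctypes worth flagging in an audit.
WEAK_ENCTYPES = {1, 2, 3, 23, 24}

# Constructed sample, modelled on the event quoted in the report.  The
# "requested" list (18 17) is a hypothetical value; the report elides it.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server foo/bar, the "
    "account user@EXAMPLE.COM did not have a suitable key for generating a "
    "Kerberos ticket (the missing key has an ID of 8). The requested etypes "
    "were 18 17. The accounts available etypes were 23 -133 -128 3 1."
)

_ETYPES_RE = re.compile(
    r"requested etypes were ([-\d ]+?)\.\s*"
    r"The accounts available etypes were ([-\d ]+?)\."
)


def enctype_name(n):
    """Human-readable name for an enctype number."""
    if n in ENCTYPE_NAMES:
        return ENCTYPE_NAMES[n]
    if n < 0:
        return f"private/vendor-specific({n})"
    return f"unknown({n})"


def parse_event(text):
    """Return (requested, available) enctype lists from the event message."""
    m = _ETYPES_RE.search(text)
    if m is None:
        raise ValueError("message carries no requested/available etype lists")
    to_ints = lambda s: [int(x) for x in s.split()]
    return to_ints(m.group(1)), to_ints(m.group(2))


def negotiate(requested, available):
    """Enctypes both sides support, in the client's preference order.

    An empty list is exactly the failure the event reports: the KDC has no
    key for the service principal in any enctype the client will accept.
    """
    avail = set(available)
    return [e for e in requested if e in avail]


def describe(text):
    """Summarise an event: what was asked for, what the KDC had, the overlap,
    and whether the KDC offers nothing but weak or private-range enctypes."""
    requested, available = parse_event(text)
    return {
        "requested": [enctype_name(e) for e in requested],
        "available": [enctype_name(e) for e in available],
        "common": [enctype_name(e) for e in negotiate(requested, available)],
        "only_weak_available": all(e in WEAK_ENCTYPES or e < 0 for e in available),
    }


def krb5_conf_enctypes(available):
    """A [libdefaults] fragment pinning the client to the enctypes the KDC
    actually holds keys for (MIT krb5.conf keys; private-range values that
    MIT cannot name are skipped).  Diagnostic workaround only: if the KDC
    offers only RC4 and single DES, this pins the client to weak ciphers."""
    names = " ".join(ENCTYPE_NAMES[e] for e in available if e in ENCTYPE_NAMES)
    return (
        "[libdefaults]\n"
        f"    default_tgs_enctypes = {names}\n"
        f"    default_tkt_enctypes = {names}\n"
        f"    permitted_enctypes = {names}\n"
    )


if __name__ == "__main__":
    for key, value in describe(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
    print(krb5_conf_enctypes(parse_event(SAMPLE_EVENT)[1]))
```

With the constructed sample the intersection is empty, which is the condition the DC logs. Adding rc4-hmac (23) to the requested list makes the negotiation succeed, but the "only_weak_available" flag stays set: a DC whose only keys are RC4 and single DES is itself the thing to fix, and the krb5.conf fragment above should be treated as a diagnostic, not a permanent setting.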

