
I have intermittent authentication issues on my Ubuntu 15.04 servers. Periodically, authentication will just stop working. Eventually it will start working again on its own. Or, if I restart both smbd and sssd, it will start working again right away.

Around the same times as the auth problems, I see this error in /var/log/syslog:

[sssd[ldap_child[4199]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: KDC has no support for encryption type. Unable to create GSSAPI-encrypted LDAP connection.

My googling has pointed me towards adding "allow_weak_crypto = true" to the libdefaults section of /etc/krb5.conf. I've tried that but to no avail.

I have a bunch of CentOS 6 servers configured for AD authentication the same way (same smb and sssd config, etc.) and they all work fine without any issues.

Anyone have any other ideas?

mrwboilers

1 Answer


The server already told you the answer.

So you will need to identify 2 things:

1) What encryption types does the client support?

2) What encryption types does the KDC support?

Post the client's krb5.conf and the server's kdc.conf and tell us what OS the clients are.

FWIW have a glance here: https://help.ubuntu.com/community/Kerberos

jouell
  • I think I've figured out what's going on. We still have 1 old old domain controller (Windows AD domain.) All the Ubuntu boxes seem to round-robin to each domain controller. All works fine except when they try to authenticate to the one old DC. We're working to get rid of the old DC. – mrwboilers Nov 04 '15 at 15:06
  • For the time being, I think editing /etc/krb5.conf on each box to define the domain and which DCs to use (omitting the problem DC) instead of letting it use DNS to find the DCs. Seems to work so far. Are there certain services that need to be restarted after editing that file? Or is a reboot necessary? – mrwboilers Nov 04 '15 at 15:09
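
The comparison the answer asks for (client enctypes against KDC enctypes) can be done mechanically. The following is an added example, not part of the thread: it parses `klist -ke` output and krb5.conf and reports which KDCs share no enctype with the keys the client can use. The hostnames, keytab contents, krb5.conf and per-DC enctype sets are constructed, and it assumes the client only requests enctypes that have a key in the keytab.

```python
import re

# Constructed `klist -ke /etc/krb5.keytab` output: the keytab holds AES keys only.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/ubuntu01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 host/ubuntu01.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# Constructed krb5.conf with the allow_weak_crypto setting from the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
"""

# Assumed enctype support per DC (hypothetical hosts; fill in from your own DCs).
KDC_ENCTYPES = {
    "dc-new.example.test": {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"},
    "dc-old.example.test": {"arcfour-hmac", "des-cbc-md5"},
}

def keytab_enctypes(klist_output):
    """Enctypes that actually have a key in the keytab."""
    return set(re.findall(r"^\s*\d+\s+\S+\s+\(([^)]+)\)\s*$", klist_output, re.M))

def permitted_enctypes(krb5_conf):
    """Value of permitted_enctypes, or None when the library default applies."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    return set(re.split(r"[\s,]+", m.group(1).strip())) if m else None

def failing_kdcs(klist_output, krb5_conf, kdc_enctypes):
    """KDCs that share no enctype with the keys the client is able to use."""
    usable = keytab_enctypes(klist_output)
    allowed = permitted_enctypes(krb5_conf)
    if allowed is not None:
        usable &= allowed
    # Names are compared literally; aliases such as rc4-hmac are not normalised.
    return sorted(k for k, sup in kdc_enctypes.items() if not usable & sup)

if __name__ == "__main__":
    for kdc in failing_kdcs(SAMPLE_KLIST, SAMPLE_KRB5_CONF, KDC_ENCTYPES):
        print(f"{kdc}: no common enctype, expect 'KDC has no support for encryption type'")
```

In this constructed case `allow_weak_crypto` changes nothing, because the keytab holds no key for any enctype the old DC accepts.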