The errors are the results of MIT resolution to exclude DES/DES3 from the supported enctypes (security reasons).
The parameter "allow_weak_crypto = true" should be added in the default [libdefaults] section of /etc/krb5.conf.
Adding this parameter solved the errors of the original bug report but leads to a new one: likewise+krb5 cannot get the authenticated user groups correctly from the ADS when trying to browse samba shares using tickets.
It looks like a bug in krb5 when using "allow_weak_crypto = true" in the des/des3 "old school" support.
This support is _not_ like the previous des/des3 krb version support.
MIT isn't really in "verbose mode" about the code they modified to make this partial support ""good enough"".
The errors are the results of MIT resolution to exclude DES/DES3 from the supported enctypes (security reasons).
The parameter "allow_weak_crypto = true" should be added in the default [libdefaults] section of /etc/krb5.conf.
Adding this parameter solved the errors of the original bug report but leads to a new one: likewise+krb5 cannot get the authenticated user groups correctly from the ADS when trying to browse samba shares using tickets.
It looks like a bug in krb5 when using "allow_weak_crypto = true" in the des/des3 "old school" support.
This support is _not_ like the previous des/des3 krb version support.
MIT isn't really in "verbose mode" about the code they modified to make this partial support ""good enough"".