[Samba] kerberos @ samba4 DC

Andrew Bartlett abartlet at samba.org
Fri Dec 3 16:09:21 MST 2010


On Wed, 2010-12-01 at 12:23 +0100, Rafa Toucedo wrote:
> Hello, when I try to put my SAMBA4 as DC from a domain controller in windows
> 2000

Firstly, I don't think that Samba4 currently operates with Windows 2000.
We are working to improve this, but expect problems. 

> /usr/local/samba # bin/samba-tool join (WINDOWS 2000 DOMAIN). DC
> -U(USER)@(WINDOWS 2000 DOMAIN)%(PASSWORD) --realm=(WINDOWS 2000 DOMAIN). -d5
> 
> throws me the following error:
> 
> Failed to get CCACHE for GSSAPI client: KDC has no support for encryption
> type
> Aquiring initiator credentials failed: kinit for ADMCONST at DOMD4086 failed
> (KDC has no support for encryption type: KDC has no support for encryption
> type)
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_UNSUCCESSFUL
> 
> 
> My krb5.conf is as follows:
> 
> [libdefaults]
>         default_realm = (WINDOWS 2000 DOMAIN)
>         dns_lookup_realm = true
>         dns_lookup_kdc = true
>         clockskew = 300
>         default_keytab_name  = FILE:/home/pilote/rafa.keytab

The biggest problem is that you need to remove this restriction on the
encryption types.  The library defaults are correct - this restricts you
to an encryption type that is insecure, and disabled in Samba by
default:

>         default_tkt_enctypes = des-cbc-crc
>         default_tgs_enctypes = des-cbc-crc
> [realms]

Remove this (the DNS option above is better)

> (WINDOWS 2000 DOMAIN) = {
>         kdc = (HOSTNAME).(WINDOWS 2000 DOMAIN):88
> }


Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
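
The check described in the reply above, as an added example that is not part of the original message or of Samba's code: a small Python audit that finds `[libdefaults]` enctype restrictions naming single-DES types and drops them so the library defaults apply. The sample file and the realm `EXAMPLE.TEST` are constructed; covering `permitted_enctypes` and the other single-DES names is an assumption that goes beyond the two settings in the quoted file.

```python
import re

# Single-DES enctypes; des-cbc-crc is the one pinned in the quoted krb5.conf.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def audit_enctypes(conf_text):
    """Return (line_no, key, des_types, des_only) per DES-pinning line in [libdefaults]."""
    findings, section = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        listed = [t.lower() for t in re.split(r"[\s,]+", value) if t]
        weak = [t for t in listed if t in SINGLE_DES]
        if key in ENCTYPE_KEYS and weak:
            findings.append((line_no, key, weak, len(weak) == len(listed)))
    return findings

def strip_enctype_pins(conf_text):
    """Drop the flagged lines so the Kerberos library defaults are used."""
    flagged = {line_no for line_no, *_ in audit_enctypes(conf_text)}
    kept = [l for n, l in enumerate(conf_text.splitlines(), start=1) if n not in flagged]
    return "\n".join(kept) + "\n"

# Constructed sample mirroring the quoted configuration (placeholder realm name).
SAMPLE = """\
[libdefaults]
        default_realm = EXAMPLE.TEST
        dns_lookup_realm = true
        dns_lookup_kdc = true
        clockskew = 300
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
[realms]
"""

if __name__ == "__main__":
    for line_no, key, weak, des_only in audit_enctypes(SAMPLE):
        note = "DES only" if des_only else "includes DES"
        print(f"line {line_no}: {key} = {' '.join(weak)} ({note})")
    print(strip_enctype_pins(SAMPLE), end="")
```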