[Samba] Strange problem with samba-tool dns query ...

Pavel Lisý pavel.lisy at gmail.com
Fri Apr 5 17:58:33 UTC 2024


So,

I've made some progress.

I've made the configuration according to this article
https://fedoramagazine.org/samba-as-ad-and-domain-controller/
They use the sample Kerberos config file from the package samba-dc-provision:

sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc


[libdefaults]
default_realm = ${REALM}
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
${REALM} = {
default_domain = ${DNSDOMAIN}
}

[domain_realm]
${HOSTNAME} = ${REALM}

The customized file /etc/krb5.conf.d/samba-dc is included in /etc/krb5.conf by this line:

includedir /etc/krb5.conf.d/

but it includes another file too, from the package
crypto-policies-20231204-1.git1e3a2e4.fc39.noarch:

$ ls -l /etc/krb5.conf.d
lrwxrwxrwx. 1 root root  42 17. led 01.00 crypto-policies ->
/etc/crypto-policies/back-ends/krb5.config

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
camellia128-cts-cmac

When I remove this file, the command returns correct results.

I suppose permitted_enctypes are not compatible with this Samba version,
but I'm not sure which one is missing. Any suggestions?

Pavel


Fri 5 Apr 2024 at 17:29, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 05 Apr 2024 17:18:12 +0200
> pavel.lisy at gmail.com wrote:
>
> >
> > Now I've found some differences in /etc/krb5.conf
> > and it seems to be the possible root cause.
> >
> > I will write summary after further testing.
> >
>
> Ah, yes, I should have remembered that you are running 'experimental'
> DCs on Fedora and they do strange things to the krb5.conf. All you need
> is this:
>
> [libdefaults]
>         default_realm = DNS.DOMAIN.IN.CAPITALS
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> [realms]
>         DNS.DOMAIN.IN.CAPITALS = {
>                 default_domain = dns.domain.in.lowercase
>         }
>
> [domain_realm]
>         SHORT_HOSTNAME_IN_CAPITALS = DNS.DOMAIN.IN.CAPITALS
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
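The thread turns on a setting that arrives through `includedir` from a file the admin never edited. The script below is an added diagnostic, not code from the Samba list or from either poster: it parses the MIT-style krb5.conf profile format, follows `include` and `includedir`, resolves symlinks, and records which real file supplied every key, so a `permitted_enctypes` that came from the crypto-policies back-end is reported with its origin. `build_demo_tree()` constructs a throw-away copy of the layout described in the thread with placeholder realm and hostname values; it assumes `includedir` pulls files in alphabetical order and does not model libkrb5's precedence between duplicate keys, it only lists them all with their source.

```python
"""Trace the origin of every krb5.conf setting, following includedir.

Added diagnostic example; the file layout built here mirrors the Fedora
host in the thread, with constructed placeholder values.
"""
import os
import re
import tempfile
from collections import defaultdict

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
ASSIGN_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def _includedir_candidates(dirname):
    # MIT krb5 only includes files whose names are alphanumeric/dash/underscore
    # or end in .conf; sorted() assumes alphabetical include order.
    names = [n for n in os.listdir(dirname)
             if re.fullmatch(r"[A-Za-z0-9_-]+", n) or n.endswith(".conf")]
    return [os.path.join(dirname, n) for n in sorted(names)]


def parse_profile(path, settings=None, seen=None):
    """Return {(section, key): [(value, source_file), ...]}.

    Nested braces are flattened into dotted keys, e.g.
    ('realms', 'SAMDOM.EXAMPLE.COM.default_domain'). Symlinks are resolved so
    the report names the real back-end file, not the link in krb5.conf.d.
    """
    settings = defaultdict(list) if settings is None else settings
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:            # guard against include loops
        return settings
    seen.add(real)

    section, stack = None, []   # stack holds nested subsection names
    with open(real, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("includedir "):
                for sub in _includedir_candidates(line.split(None, 1)[1]):
                    parse_profile(sub, settings, seen)
                continue
            if line.startswith("include "):
                parse_profile(line.split(None, 1)[1], settings, seen)
                continue
            m = SECTION_RE.match(line)
            if m:
                section, stack = m.group(1).strip(), []
                continue
            if line == "}":
                if stack:
                    stack.pop()
                continue
            m = ASSIGN_RE.match(line)
            if not m or section is None:
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            if value == "{":
                stack.append(key)
                continue
            settings[(section, ".".join(stack + [key]))].append((value, real))
    return settings


def build_demo_tree(realm="SAMDOM.EXAMPLE.COM", dnsdomain="samdom.example.com",
                    hostname="DC1"):
    """Create a temporary copy of the thread's layout; return its krb5.conf path."""
    root = tempfile.mkdtemp(prefix="krb5-trace-")
    confd = os.path.join(root, "krb5.conf.d")
    os.makedirs(confd)
    main = os.path.join(root, "krb5.conf")
    with open(main, "w") as fh:
        fh.write(f"includedir {confd}/\n")
    with open(os.path.join(confd, "samba-dc"), "w") as fh:     # from samba-dc-provision
        fh.write(f"[libdefaults]\ndefault_realm = {realm}\n"
                 "dns_lookup_realm = false\ndns_lookup_kdc = true\n\n"
                 f"[realms]\n{realm} = {{\ndefault_domain = {dnsdomain}\n}}\n\n"
                 f"[domain_realm]\n{hostname} = {realm}\n")
    # Stand-in for the crypto-policies back-end, reached through a symlink.
    backend = os.path.join(root, "krb5.config")
    with open(backend, "w") as fh:
        fh.write("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 "
                 "aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 "
                 "aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac\n")
    os.symlink(backend, os.path.join(confd, "crypto-policies"))
    return main


def enctype_report(conf_path):
    """Return [(enctype, source_file), ...] for every permitted_enctypes entry."""
    settings = parse_profile(conf_path)
    return [(enc, src)
            for value, src in settings.get(("libdefaults", "permitted_enctypes"), [])
            for enc in value.split()]


if __name__ == "__main__":
    conf = build_demo_tree()
    for (section, key), entries in sorted(parse_profile(conf).items()):
        for value, src in entries:
            print(f"[{section}] {key} = {value}    <- {src}")
```

Run it against a real host by calling `parse_profile("/etc/krb5.conf")` instead of the demo tree; every line of the report carries the resolved path, so a setting that belongs to the crypto-policies back-end shows up under /etc/crypto-policies rather than under the /etc/krb5.conf.d link, which is the first thing to check before editing or removing files there.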

