[Samba] Strange problem with samba-tool dns query ...
Rowland Penny
rpenny at samba.org
Fri Apr 5 19:45:43 UTC 2024
On Fri, 05 Apr 2024 21:17:45 +0200
pavel.lisy at gmail.com wrote:
> On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> > On Fri, 5 Apr 2024 19:58:33 +0200
> > Pavel Lisý <pavel.lisy at gmail.com> wrote:
> >
> > > So,
> > >
> > > I've made some progress.
> > >
> > > I've made the configuration according to this article
> > > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > > They use the sample Kerberos config file from the package
> > > samba-dc-provision:
> > >
> > > sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> > >
> > >
> > > [libdefaults]
> > > default_realm = ${REALM}
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > >
> > > [realms]
> > > ${REALM} = {
> > > default_domain = ${DNSDOMAIN}
> > > }
> > >
> > > [domain_realm]
> > > ${HOSTNAME} = ${REALM}
> >
> > Well yes, that is the same as the one I suggested
> > >
> > > customized file /etc/krb5.conf.d/samba-dc is included in
> > >
> > > /etc/krb5.conf by this line
> > >
> > > includedir /etc/krb5.conf.d/
> >
> > Known problem (that is supposed to be fixed)
> >
> > https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
> >
> > Just remove the 'includedir' line.
> > >
> I'm not sure
>
> my Samba version includes files from that directory without
> problems
>
>
> When I removed the first two permitted_enctypes:
>
> aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>
> to be:
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> camellia256-cts-cmac camellia128-cts-cmac
>
> command works
>
> No matter if this is included in file
> /etc/krb5.conf.d/crypto-policies or in main file /etc/krb5.conf
>
>
> So my conclusion is:
> these two enctypes are incompatible with samba-4.19.5 on Fedora 39
>
> aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>
>
> It is in file: /usr/share/crypto-policies/DEFAULT/krb5.txt
> from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
>
OK, I do not use Samba on Fedora; their DC packages use MIT Kerberos
and as such are classed as experimental. The krb5.conf I posted was for
Heimdal and just works.
I thought about it and remembered something, so I checked the wiki. Have
a look at this:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
NOTE, the wiki is written from the point of view of a self compiled
Samba, so the paths will not quite match yours.
Rowland
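The two things this thread turns on (an `includedir` line in /etc/krb5.conf, and the SHA-2 AES enctypes in `permitted_enctypes` that Pavel reports breaking `samba-tool dns query` with samba-4.19.5 on Fedora 39) can be checked for mechanically. The script below is an added example, not part of this thread or of Samba; it assumes MIT krb5's rule that only includedir entries named with alphanumerics, `-` and `_` are read, and the crypto-policies sample at the end is constructed, not a copy of the real file.

```python
"""Scan a krb5.conf (following 'includedir') for the settings flagged in this thread."""
import os
import re
from typing import List

# Enctypes the reporter had to drop from permitted_enctypes before
# 'samba-tool dns query' worked (they come from crypto-policies DEFAULT/krb5.txt).
SUSPECT_ENCTYPES = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}

# MIT krb5 only reads includedir entries whose names are alphanumeric, '-' or '_'.
_INCLUDE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def check_lines(lines: List[str], origin: str = "<text>") -> List[str]:
    """Return findings for one config's lines (includes are not followed here)."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir"):
            findings.append(f"{origin}:{no}: 'includedir' present (see the wiki note)")
            continue
        m = re.match(r"permitted_enctypes\s*=\s*(.*)", line)
        if m:
            bad = sorted(SUSPECT_ENCTYPES & set(m.group(1).split()))
            if bad:
                findings.append(f"{origin}:{no}: permitted_enctypes contains {' '.join(bad)}")
    return findings


def scan_file(path: str) -> List[str]:
    """check_lines() on a file, then on every file its includedir lines pull in."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    findings = check_lines(lines, path)
    for raw in lines:
        parts = raw.split(None, 1)
        if len(parts) == 2 and parts[0] == "includedir" and os.path.isdir(parts[1]):
            for name in sorted(os.listdir(parts[1])):
                full = os.path.join(parts[1], name)
                if _INCLUDE_NAME.match(name) and os.path.isfile(full):
                    findings.extend(scan_file(full))
    return findings


# Constructed sample in the shape of /etc/krb5.conf.d/crypto-policies (not the real file).
SAMPLE_CRYPTO_POLICY = """\
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
"""

if __name__ == "__main__":
    for finding in check_lines(SAMPLE_CRYPTO_POLICY.splitlines(), "crypto-policies"):
        print(finding)
```

Run `scan_file("/etc/krb5.conf")` on the DC to see whether the main file or one of the included fragments carries either setting.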