[Samba] Strange problem with samba-tool dns query ...

Andrew Bartlett abartlet at samba.org
Mon Apr 8 04:01:51 UTC 2024


This looks like 
https://gitlab.com/samba-team/samba/-/merge_requests/3139
Also note in particular 
https://gitlab.com/samba-team/samba/-/merge_requests/3139#note_1850101273
if you have Samba not set up to be using the AES encryption types on
the DC (msDS-SupportedEncryptionTypes), and the fallback is to RC4_MD5,
Microsoft changed some things recently so that might break.
Setting msDS-SupportedEncryptionTypes (rejoining the member server
might be the easiest way) would fix those issues.
Andrew Bartlett
On Fri, 2024-04-05 at 22:19 +0200, Pavel Lisý via samba wrote:
> Anyway, thanks a lot for your help.
> I've found a few discussions about similar problems:
> https://docs.active-directory-wp.com/Technical_details/Fixing_issues_related_to_Kerberos/Unsupported_encryption_types_between_Samba_and_Active_Directory.html
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FITCJOXX2QQ4HEXEK4PDJWFZJ2C33FAZ/
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index
> 
> Maybe I will report this problem to Fedora's bugzilla.
> Pavel
> On Fri, 5 Apr 2024 at 21:46, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Fri, 05 Apr 2024 21:17:45 +0200 pavel.lisy at gmail.com wrote:
> > > On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> > > > On Fri, 5 Apr 2024 19:58:33 +0200 Pavel Lisý <
> > > > pavel.lisy at gmail.com> wrote:
> > > > > So,
> > > > > I've done some progress.
> > > > > I've made the configuration according to this article
> > > > > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > > > > they use the sample kerberos config file from the package
> > > > > samba-dc-provision:
> > > > > sudo cp /usr/share/samba/setup/krb5.conf
> > > > > /etc/krb5.conf.d/samba-dc
> > > > > 
> > > > > [libdefaults]
> > > > > default_realm = ${REALM}
> > > > > dns_lookup_realm = false
> > > > > dns_lookup_kdc = true
> > > > > [realms]
> > > > > ${REALM} = {
> > > > > default_domain = ${DNSDOMAIN}
> > > > > }
> > > > > [domain_realm]
> > > > > ${HOSTNAME} = ${REALM}
> > > > 
> > > > Well yes, that is the same as the one I suggested
> > > > > customized file /etc/krb5.conf.d/samba-dc is included in
> > > > > /etc/krb5.conf by this line
> > > > > includedir /etc/krb5.conf.d/
> > > > 
> > > > Known problem (that is supposed to be fixed)
> > > > 
> > > > https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
> > > > Just remove the 'includedir' line.
> > > I'm not sure; my samba version is including files from that
> > > directory without problems.
> > > 
> > > When I removed the first two permitted_enctypes:
> > > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> > > so that it reads:
> > > permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
> > > the command works.
> > > No matter if this is included in the file /etc/krb5.conf.d/crypto-policies
> > > or in the main file /etc/krb5.conf
> > > 
> > > So my conclusion is: these two enctypes are incompatible with
> > > samba-4.19.5 on Fedora 39
> > > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> > > 
> > > It is in file: /usr/share/crypto-policies/DEFAULT/krb5.txt from
> > > package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
> > 
> > OK, I do not use Samba on Fedora, their DC packages use MIT
> > kerberos and as such are classed as experimental. The krb5.conf I
> > posted was for Heimdal and just works. I thought about it and
> > remembered something, so checked the wiki, have a look at this:
> > 
> > https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> > 
> > NOTE, the wiki is written from the point of view of a self
> > compiled Samba, so the paths will not quite match yours.
> > Rowland
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd


Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
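An added example (mine, not code from the thread or from Samba) that decodes an msDS-SupportedEncryptionTypes value using the MS-KILE 2.2.7 bit assignments and intersects it with an ordered krb5.conf permitted_enctypes list, as a simplified model of why an account with no AES bits ends up on RC4 and why the sha384-192/sha256-128 types that were removed above can never match an AD bit; the sample values and the first-match negotiation order are constructed assumptions, not how a real KDC chooses.

```python
# Added example: decode msDS-SupportedEncryptionTypes and check which of a
# client's permitted_enctypes an AD account can actually agree on.
# Bit values follow MS-KILE 2.2.7; the matching logic below is a simplified
# model for illustration, not how the KDC itself negotiates.

# msDS-SupportedEncryptionTypes bit -> krb5.conf enctype name
MSDS_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",              # RC4_HMAC_MD5
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Flags in the same attribute that are not ticket enctypes
# (0x20 AES256-SK, 0x10000 FAST, 0x20000 compound identity, 0x40000 claims,
# 0x80000 resource SID compression disabled)
NON_ENCTYPE_FLAGS = 0x20 | 0x10000 | 0x20000 | 0x40000 | 0x80000

# RFC 8009 SHA-2 AES types: present in Fedora's crypto-policy krb5.txt, but
# AD has no bit for them, so they can never match an account's value.
RFC8009_ENCTYPES = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}


def decode_msds_enctypes(value):
    """Enctype names enabled in an msDS-SupportedEncryptionTypes integer."""
    return [name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit]


def negotiate(msds_value, permitted_enctypes):
    """Return (chosen_enctype, warnings) for a client whose krb5.conf lists
    permitted_enctypes in order, against an account advertising msds_value.
    Assumption of this model: a value with no enctype bits (attribute absent
    or 0) is treated as RC4-only, the fallback the thread refers to."""
    warnings = []
    client = [e for e in permitted_enctypes if e not in RFC8009_ENCTYPES]
    if len(client) != len(permitted_enctypes):
        warnings.append("RFC 8009 enctypes ignored: AD has no bit for them")
    if (msds_value & ~NON_ENCTYPE_FLAGS) == 0:
        warnings.append("no enctype bits set: account treated as RC4-only")
        server = ["arcfour-hmac"]
    else:
        server = decode_msds_enctypes(msds_value)
    common = [e for e in client if e in server]   # first match wins (model)
    if not common:
        return None, warnings + ["no shared enctype: requests will fail"]
    if common[0] == "arcfour-hmac":
        warnings.append("falling back to RC4: set the AES bits (0x18) on the account")
    return common[0], warnings
```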