Samba-3.0.7-1.3E Active Directory Issues

Jeremy Allison jra at samba.org
Wed Nov 3 01:03:12 GMT 2004


On Tue, Nov 02, 2004 at 02:23:30PM -0800, Doug VanLeuven wrote:
> Jeremy Allison wrote:
> 
> >On Thu, Oct 28, 2004 at 03:32:11PM -0700, Jeremy Allison wrote:
> > 
> >
> >>Ok - here is a "work in progress" snapshot of what I have done with 
> >>your code. It doesn't compile (yet :-) but might give you a better
> >>idea how I'm going about things. I'm still working on my version of
> >>verify_service_password().
> >>   
> >>
> >
> >Here is the version I'm going to put into test.
> >
> >More comments welcome !
> > 
> >
> With svn 3417 and the patch submitted for bug 1717
> http://people.redhat.com/nalin/test/samba-3.0.8pre1-fqdn.patch
> I was able to join a subdomain and have "des only" work for shares and 
> smbclient.
> Major thanks! :-)
> 
> The patch has a side effect of requiring des-cbc-md5 to be permitted 
> enctype.
> If I'm configured to use rc4-hmac as the only acceptable enctype in 
> /etc/krb5.conf
> default_tgs_enctypes = rc4-hmac
> default_tkt_enctypes = rc4-hmac
> permitted_enctypes = rc4-hmac
> 
> then with this patch, it will never authenticate.  Can't even net ads join.
> so it has to be specified
> default_tgs_enctypes = rc4-hmac des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-md5
> 
> I captured a level 10 of the join failure if it would be of any help.

I'm still looking at the samba-3.0.8pre1-fqdn.patch for 3.0.8, but
with the current state of the kerberos code can you confirm everything
else is working for you ? I could do with as much testing of this code
as possible.

Thanks,

	Jeremy.