Light & Darkness | Kerberos & AD

Martin Hochreiter linuxbox at
Sat Jul 9 11:31:38 MDT 2011


Ill try to ask here - maybe someone can give me (us) a hint here:

We are in the middle of an user migration from samba 3.5.9 to windows 
2008r2 AD domain controllers.

We set the password via hash in 2 samba4 member servers of the new AD.
Our modifications are replicated to the 2 w2008r2 servers and the 
authentication works if we
use winxp or ntlm.v1 or ldap query.

no the "but" :

But we are struggling with windows 7. The authentication is possible 
only when set the password
of an account (in the dsa.msc) or if we use the recalculated synced 
password hash and set windows 7
to use only certain kerberos encryption types.

If a user logs on with the second scenario then the user is forced to 
set a new password via the client
(user expired) ... if you try then to set the password, you cant because 
windows claims (again) about
the not supported kerberos encryption type.

Is somebody in the list that has deeper knowledge about the kerberos 
issues with win2008?


More information about the samba-technical mailing list