[Samba] Unable to join ADS domain
abartlet at samba.org
Sat Feb 14 23:07:53 GMT 2004
On Thu, 2004-02-12 at 07:32, Joe Howell wrote:
> No bueno. I changed the enctypes and took the "encrypt passwords=yes" out, but still no reply and no computer account.....
> TBrown at neurology.ahsc.arizona.edu wrote:
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> testparam I'll bet that the encrypt passwords = yes entry is going to give
> you grief. Besides kerberos is encrypted anyway. Another thing to consider
> is flushing the NetBIOS cache on your wins and kdc server - don't know if
> this does anything, but it makes me feel better (nbtstat -R).
I'm sorry, but almost every piece of the above advice is incorrect.
encrypt passwords = yes is required for clients to contact us, as a
kerberised server. When we contact AD (ie, in winbind) then we use
kerberos anyway. (And at a protocol level, this is regarded as
The enc types (for MIT 1.3.1) should be set to include
'arcfour-hmac-md5', as this is unsalted (removes name issues) and will
always allow the administrator to login, even if they have not changed
their password since AD was turned on.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
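
The enctype point in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Samba: a small Python check that reads the `[libdefaults]` section of a krb5.conf and reports which enctype settings leave out RC4-HMAC (`arcfour-hmac-md5`). The function names and the sample files are constructed for illustration, and placing the quoted settings under `[libdefaults]` is an assumption.

```python
import re

# Names MIT krb5 accepts for the RC4-HMAC enctype (the message calls it arcfour-hmac-md5).
RC4_NAMES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def missing_rc4(text):
    """List the enctype settings that are present but do not include RC4-HMAC."""
    conf = libdefaults(text)
    problems = []
    for key in ENCTYPE_KEYS:
        if key in conf:
            enctypes = set(re.split(r"[,\s]+", conf[key].lower()))
            if not enctypes & RC4_NAMES:
                problems.append(key)
    return problems

# Constructed sample: the settings quoted in the thread (section header assumed).
QUOTED = """[libdefaults]
default_realm =MYDOMAIN.COM
clockskew = 300
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
"""
# Constructed sample: the same file with arcfour-hmac-md5 included.
ADJUSTED = QUOTED.replace("= des-cbc-crc", "= arcfour-hmac-md5 des-cbc-crc")

if __name__ == "__main__":
    print("quoted:  ", missing_rc4(QUOTED))
    print("adjusted:", missing_rc4(ADJUSTED))
```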