[Samba] Unable to join ADS domain
Andrew Bartlett
abartlet at samba.org
Sat Feb 14 23:07:53 GMT 2004
On Thu, 2004-02-12 at 07:32, Joe Howell wrote:
> No bueno. I changed the enctypes and took the "encrypt passwords=yes" out, but still no reply and no computer account.....
>
> TBrown at neurology.ahsc.arizona.edu wrote:
>
> [libdefaults]
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
>
> Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> testparm I'll bet that the encrypt passwords = yes entry is going to give
> you grief. Besides, kerberos is encrypted anyway. Another thing to consider
> is flushing the NetBIOS cache on your wins and kdc server - don't know if
> this does anything, but it makes me feel better (nbtstat -R).
I'm sorry, but almost every piece of the above advice is incorrect.
encrypt passwords = yes is required for clients to contact us, as a
kerberised server. When we contact AD (ie, in winbind) then we use
kerberos anyway. (And at a protocol level, this is regarded as
encrypted passwords).
The enctypes (for MIT 1.3.1) should be set to include
'arcfour-hmac-md5', as this is unsalted (removes name issues) and will
always allow the administrator to login, even if they have not changed
their password since AD was turned on.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
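The following is an added example of the two configuration fragments Andrew's reply implies, placed beside the settings the quoted advice got wrong. It is not code from the thread or from the Samba project; the realm MYDOMAIN.COM is taken from the quoted krb5.conf, and the host name dc1.mydomain.com and the workgroup MYDOMAIN are assumed placeholders. The enctype list matches the thread's MIT 1.3.1 era; single-DES enctypes have since been removed from MIT krb5 and current AD and Samba deployments use AES enctypes, so treat des-cbc-crc and arcfour-hmac-md5 as historical, not as a recommendation.

```ini
; krb5.conf (added example, not from the thread; dc1.mydomain.com is assumed)
[libdefaults]
    default_realm = MYDOMAIN.COM
    clockskew = 300
    ; The quoted advice pinned both lists to des-cbc-crc alone. Per Andrew's
    ; reply, list arcfour-hmac-md5 first: its key is derived from the unsalted
    ; NT hash, so it works even for accounts whose password has not been
    ; changed since the domain was raised to AD (no DES key stored yet).
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    permitted_enctypes   = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
    MYDOMAIN.COM = {
        kdc = dc1.mydomain.com
        admin_server = dc1.mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

; smb.conf (added example; MYDOMAIN is an assumed workgroup name)
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    security = ads
    ; The quoted advice said to remove this line. It is required: clients
    ; talking to this Samba host (Kerberos or NTLM) need encrypted passwords,
    ; and winbind's own Kerberos traffic to AD counts as encrypted passwords
    ; at the protocol level anyway.
    encrypt passwords = yes
```

To check the result rather than guess: run testparm to confirm smb.conf parses with encrypt passwords = yes and security = ads, then kinit Administrator@MYDOMAIN.COM followed by klist -e, which prints the enctype of the TGT actually issued; if it shows ArcFour with HMAC/md5 the unsalted path Andrew describes is in use, and net ads join -U Administrator should then create the computer account. A clock offset larger than clockskew (300 seconds here) still fails the join regardless of enctypes, so compare the Samba host's time against the KDC before blaming the configuration.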