[Samba] Unable to join ADS domain

Andrew Bartlett abartlet at samba.org
Sat Feb 14 23:07:53 GMT 2004

On Thu, 2004-02-12 at 07:32, Joe Howell wrote:
> No bueno.  I changed the enctypes and took the "encrypt passwords=yes" out, but still no reply and no computer account.....
> TBrown at neurology.ahsc.arizona.edu wrote:
> [libdefaults]
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> testparm I'll bet that the encrypt passwords = yes entry is going to give
> you grief. Besides kerberos is encrypted anyway. Another thing to consider
> is flushing the NetBIOS cache on your wins and kdc server - don't know if
> this does anything, but it makes me feel better (nbtstat -R).

I'm sorry, but almost every piece of the above advice is incorrect.

encrypt passwords = yes is required for clients to contact us, as a
kerberised server.  When we contact AD (i.e., in winbind) then we use
kerberos anyway.  (And at a protocol level, this is regarded as
encrypted passwords).

The enc types (for MIT 1.3.1) should be set to include
'arcfour-hmac-md5', as this is unsalted (removes name issues) and will
always allow the administrator to login, even if they have not changed
their password since AD was turned on.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
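As an added example (not code from this thread or from the Samba project), a POSIX shell check that flags the two settings the reply disputes: krb5.conf enctype lines that omit arcfour-hmac-md5, and smb.conf turning encrypt passwords off. The sample config files are constructed here (the DES-only one mirrors the krb5.conf quoted above), and the script assumes the Samba 3 default of encrypt passwords = yes when the key is absent.

```shell
#!/bin/sh
# Added check (not from the Samba thread): flags the two settings the thread
# argues about, DES-only Kerberos enctypes and "encrypt passwords" turned off.

# Return 0 if both enctype keys in the given krb5.conf include arcfour-hmac-md5.
krb5_enctypes_ok() {
    for key in default_tkt_enctypes default_tgs_enctypes; do
        val=$(sed 's/[#;].*//' "$1" | awk -F= -v k="$key" '$1 ~ "^[ \t]*"k"[ \t]*$" {print $2}')
        case "$val" in
            *arcfour-hmac-md5*) ;;
            *) echo "$key lacks arcfour-hmac-md5 (got: ${val:-unset})"; return 1 ;;
        esac
    done
    return 0
}

# Return 0 unless smb.conf explicitly sets "encrypt passwords" to something other
# than yes (an absent key falls back to the Samba 3 default, which is yes).
smb_encrypt_passwords_ok() {
    val=$(sed 's/[#;].*//' "$1" | awk -F= 'tolower($1) ~ /^[ \t]*encrypt[ \t]+passwords[ \t]*$/ {gsub(/[ \t]/, "", $2); print tolower($2)}' | tail -n 1)
    case "${val:-yes}" in
        yes|true|1) return 0 ;;
        *) echo "encrypt passwords = $val (must be yes for a kerberised server)"; return 1 ;;
    esac
}

# Constructed sample configs; the DES-only one mirrors the krb5.conf quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/krb5-des.conf" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
EOF
# Corrected: arcfour-hmac-md5 listed first; des-cbc-crc kept only for DCs that still need it.
cat > "$tmp/krb5-rc4.conf" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc
EOF
printf '[global]\n security = ads\n encrypt passwords = no\n' > "$tmp/smb-off.conf"
printf '[global]\n security = ads\n encrypt passwords = yes\n' > "$tmp/smb-on.conf"

krb5_enctypes_ok "$tmp/krb5-des.conf" || echo "  -> fix $tmp/krb5-des.conf"
krb5_enctypes_ok "$tmp/krb5-rc4.conf" && echo "krb5-rc4.conf: enctypes OK"
smb_encrypt_passwords_ok "$tmp/smb-off.conf" || echo "  -> fix $tmp/smb-off.conf"
```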
