[Samba] Chromebook AD integration fails on joining the domain

Mike Forsman mftechaccnt at gmail.com
Wed Dec 27 15:00:14 UTC 2017


Hi,

I am testing Google's recent ability to integrate Chromebooks into AD and
it's failing when I try to join the device to the domain. When I run
Wireshark during the test I notice 2 TGS-REQs from the device that are
answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
getting the same result from the device's AS-REQ, but got that to pass by
raising the domain level to 2008R2 and enabling AES in the user account
that I'm using to join the device to the domain.

Some pertinent info:

The domain is about 12 years old (started as a Samba 2 NT domain) and has
been updated several times.

Currently running 4.7

Samba was not built with MIT Kerberos.

So, the question - how do I get Samba to support AES for the TGS portion of
the exchange?

Thanks,
Mike

