[Samba] Chromebook AD integration fails on joining the domain

Achim Gottinger achim at ag-web.biz
Wed Dec 27 15:52:06 UTC 2017

Hello Mike,

It may be that you need to recreate the machine and tgt password on your server 
so it adds the aes enc types for these after raising the functional 
domain level.

The required scripts can be found in the samba sources in 

Use chdcpass for the machine-account and chgkrbtgtpass for the tgt account.

I did this on a single addc server a while back and had no issues. 
Never tried it on a setup with multiple addc's. So I'd recommend you 
make a backup/snapshot before you try it.


On 27.12.2017 at 16:00, Mike Forsman via samba wrote:
> Hi,
> I am testing Google's recent ability to integrate Chromebooks into AD and
> it's failing when I try to join the device to the domain. When I run
> wireshark during the test I notice 2 TGS-REQs from the device that are
> answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
> AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
> getting the same result from the device's AS-REQ, but got that to pass by
> raising the domain level to 2008R2 and enabling AES in the user account
> that I'm using to join the device to the domain.
> Some pertinent info:
> The domain is about 12 years old (started as a Samba 2 NT domain) and has
> been updated several times.
> Currently running 4.7
> Samba was not built with MIT Kerberos.
> So, the question - how do I get Samba to support AES for the TGS portion of
> the exchange?
> Thanks,
> Mike
