[Samba] Chromebook AD integration fails on joining the domain
mftechaccnt at gmail.com
Thu Dec 28 14:50:58 UTC 2017
I ran both scripts last night and was able to get the Chromebook to join
the domain this morning. Thanks, Achim!
For posterity's sake, I should mention that I changed the user's password
when I enabled AES on their Account tab, in ADUC.
On Wed, Dec 27, 2017 at 9:52 AM, Achim Gottinger via samba <
samba at lists.samba.org> wrote:
> Hello Mike,
> It can be that you need to recreate the machine and tgt password on your server so
> it adds the aes enc types for these after raising the functional domai
> The required scripts can be found in the samba sources in
> Use chdcpass for the machine-account and chgkrbtgtpass for the tgt account.
> I did this on a single addc server a while back and had no issues. Never
> tried it on a setup with multiple addc's. So I'd recommend you make a
> backup/snapshot before you try it.
> On 27.12.2017 at 16:00, Mike Forsman via samba wrote:
>> I am testing Google's recent ability to integrate Chromebooks into AD and
>> it's failing when I try to join the device to the domain. When I run
>> wireshark during the test I notice 2 TGS-REQs from the device that are
>> answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
>> AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
>> getting the same result from the device's AS-REQ, but got that to pass by
>> raising the domain level to 2008R2 and enabling AES in the user account
>> that I'm using to join the device to the domain.
>> Some pertinent info:
>> The domain is about 12 years old (started as a Samba 2 NT domain) and has
>> been updated several times.
>> Currently running 4.7
>> Samba was not built with MIT Kerberos.
>> So, the question - how do I get Samba to support AES for the TGS portion
>> of the exchange?