[Samba] Chromebook AD integration fails on joining the domain

Achim Gottinger achim at ag-web.biz
Fri Dec 29 10:44:52 UTC 2017



On 28.12.2017 at 15:50, Mike Forsman via samba wrote:
> I ran both scripts last night and was able to get the Chromebook to join
> the domain this morning. Thanks, Achim!
>
> For posterity's sake, I should mention that I changed the user's password
> when I enabled AES on their Account tab, in ADUC.
>
> Thanks,
> Mike
>
>
> On Wed, Dec 27, 2017 at 9:52 AM, Achim Gottinger via samba <
> samba at lists.samba.org> wrote:
>
>> Hello Mike,
>>
>> Could be you need to recreate the machine and tgt password on your server so
>> it adds the aes enc types for these after raising the functional domain
>> level.
>>
>> The required scripts can be found in the samba sources in
>> /source4/scripting/devel/
>>
>> Use chdcpass for the machine-account and chgkrbtgtpass for the tgt account.
>>
>> I did this on a single addc server a while back and had no issues. Never
>> tried it on a setup with multiple addc's. So I'd recommend you make a
>> backup/snapshot before you try it.
>>
>>
>> Achim~
>>
>>
>> On 27.12.2017 at 16:00, Mike Forsman via samba wrote:
>>
>>> Hi,
>>>
>>> I am testing Google's recent ability to integrate Chromebooks into AD and
>>> it's failing when I try to join the device to the domain. When I run
>>> wireshark during the test I notice 2 TGS-REQs from the device that are
>>> answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
>>> AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
>>> getting the same result from the device's AS-REQ, but got that to pass by
>>> raising the domain level to 2008R2 and enabling AES in the user account
>>> that I'm using to join the device to the domain.
>>>
>>> Some pertinent info:
>>>
>>> The domain is about 12 years old (started as a Samba 2 NT domain) and has
>>> been updated several times.
>>>
>>> Currently running 4.7
>>>
>>> Samba was not built with MIT Kerberos.
>>>
>>> So, the question - how do I get Samba to support AES for the TGS portion
>>> of the exchange?
>>>
>>> Thanks,
>>> Mike
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
Thank you for reporting back. Glad it helped.



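Added example, not part of the thread and not Samba's own code: a small Python model of the enctype negotiation that produces KRB5KDC_ERR_ETYPE_NOSUPP, so the "AS-REQ passes, TGS-REQ still fails" sequence from the thread can be reproduced offline. It applies the MS-KILE rule that the KDC must choose an enctype present in both the client's offered list and the set the relevant account supports, and decodes the msDS-SupportedEncryptionTypes bitmask that the AES checkboxes on the ADUC "Account" tab set. The account bitmasks, the step names and all function names are this example's own assumptions; the krbtgt account (which chgkrbtgtpass resets) is deliberately left out of the model.

```python
"""Model of the Kerberos enctype negotiation behind KRB5KDC_ERR_ETYPE_NOSUPP.

Added example; not code from Samba, Google or the thread.  It applies the
MS-KILE rule that the KDC must pick an enctype present in both the client's
offered list and the set the relevant account supports, and it decodes the
msDS-SupportedEncryptionTypes bitmask that the ADUC "Account" tab AES
checkboxes set.  All account values below are constructed sample data; the
function and variable names are this example's own.
"""

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23

# Bits of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
SUPPORTED_ETYPE_BITS = {
    0x01: DES_CBC_CRC,
    0x02: DES_CBC_MD5,
    0x04: RC4_HMAC,
    0x08: AES128_CTS_HMAC_SHA1_96,   # ADUC: "supports Kerberos AES 128 bit encryption"
    0x10: AES256_CTS_HMAC_SHA1_96,   # ADUC: "supports Kerberos AES 256 bit encryption"
}

# What the Chromebook offered in the capture described in the thread.
CHROMEBOOK_ETYPES = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96]


class EtypeNoSupp(Exception):
    """Stands in for KRB5KDC_ERR_ETYPE_NOSUPP (Kerberos error code 14)."""


def decode_supported_etypes(bitmask):
    """Translate msDS-SupportedEncryptionTypes into a set of enctype numbers.

    An absent or zero attribute means RC4-HMAC only, the pre-2008 default.
    Simplification: the bitmask stands in for 'which long-term keys the KDC
    actually holds for this account'; on a real DC the two can differ until
    the account's password is reset, which is what chdcpass does.
    """
    if not bitmask:
        return {RC4_HMAC}
    return {etype for bit, etype in SUPPORTED_ETYPE_BITS.items() if bitmask & bit}


def select_etype(client_etypes, account_bitmask):
    """Return the first enctype in the client's preference order that the
    account supports, or raise EtypeNoSupp when the intersection is empty."""
    supported = decode_supported_etypes(account_bitmask)
    for etype in client_etypes:
        if etype in supported:
            return etype
    raise EtypeNoSupp(
        f"client offers {client_etypes}, account supports {sorted(supported)}")


def simulate_join(user_bitmask, dc_machine_bitmask, client_etypes=CHROMEBOOK_ETYPES):
    """Run the two exchanges a domain join needs and report each outcome.

    AS-REQ: the reply is encrypted with the joining *user's* long-term key, so
    the user account's enctypes are what matter.
    TGS-REQ: the service ticket for the DC is encrypted with the *DC machine
    account's* key, so that account's enctypes are what matter, and AES on
    the user account does not help here.
    Returns a dict of step name -> chosen enctype or 'ETYPE_NOSUPP'.
    """
    result = {}
    for step, bitmask in (("AS-REQ", user_bitmask), ("TGS-REQ", dc_machine_bitmask)):
        try:
            result[step] = select_etype(client_etypes, bitmask)
        except EtypeNoSupp:
            result[step] = "ETYPE_NOSUPP"
            break  # the join stops at the first failed exchange
    return result


def walk_through():
    """The three states from the thread, as constructed sample accounts."""
    return {
        # Old domain: neither account advertises AES.
        "before": simulate_join(user_bitmask=0, dc_machine_bitmask=0),
        # AES ticked on the user's Account tab (0x18); DC machine account untouched.
        "user_aes_only": simulate_join(user_bitmask=0x18, dc_machine_bitmask=0),
        # After resetting the DC machine password, keys exist for RC4+AES (0x1C).
        "after_chdcpass": simulate_join(user_bitmask=0x18, dc_machine_bitmask=0x1C),
    }


if __name__ == "__main__":
    for state, outcome in walk_through().items():
        print(f"{state:16s} {outcome}")
```

The three states in walk_through() are the ones the thread went through: with no AES anywhere the AS-REQ already fails; ticking AES on the user moves the failure to the TGS-REQ, because the service ticket is keyed to the DC machine account, not the user; only a fresh DC machine password (and, for the ticket-granting side, a fresh krbtgt password) gives the KDC AES keys to pick from.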