[Samba] Chromebook AD integration fails on joining the domain
achim at ag-web.biz
Fri Dec 29 10:44:52 UTC 2017
On 28.12.2017 at 15:50, Mike Forsman via samba wrote:
> I ran both scripts last night and was able to get the Chromebook to join
> the domain this morning. Thanks, Achim!
> For posterity's sake, I should mention that I changed the user's password
> when I enabled AES on their Account tab, in ADUC.
> On Wed, Dec 27, 2017 at 9:52 AM, Achim Gottinger via samba <
> samba at lists.samba.org> wrote:
>> Hello Mike,
>> It may be that you need to recreate the machine and tgt password on your server so
>> it adds the aes enc types for these after raising the functional domai
>> The required scripts can be found in the samba sources in
>> Use chdcpass for the machine-account and chgkrbtgtpass for the tgt account.
>> I did this on a single addc server a while back and had no issues. Never
>> tried it on a setup with multiple addc's. So I'd recommend you make a
>> backup/snapshot before you try it.
>> On 27.12.2017 at 16:00, Mike Forsman via samba wrote:
>>> I am testing Google's recent ability to integrate Chromebooks into AD and
>>> it's failing when I try to join the device to the domain. When I run
>>> wireshark during the test I notice 2 TGS-REQs from the device that are
>>> answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
>>> AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
>>> getting the same result from the device's AS-REQ, but got that to pass by
>>> raising the domain level to 2008R2 and enabling AES in the user account
>>> that I'm using to join the device to the domain.
>>> Some pertinent info:
>>> The domain is about 12 years old (started as a Samba 2 NT domain) and has
>>> been updated several times.
>>> Currently running 4.7
>>> Samba was not built with MIT Kerberos.
>>> So, the question - how do I get Samba to support AES for the TGS portion
>>> of the exchange?
Thank you for reporting back. Glad it helped.
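
The failure discussed in this thread, as an added example that is not part of the original messages: a simplified model (an assumption, not Samba's KDC code) in which an account's Kerberos keys are derived when its password is set, so an account whose password predates the functional level raise has no AES key to match an AES-only client. Account names, dates and key lists are constructed.

```python
# Added example, not from the thread. All account data below is constructed.
from datetime import date

# Kerberos etype numbers (RFC 3961/3962/4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

# What the Chromebook offered in the thread: AES256 and AES128 only.
CLIENT_OFFER = [18, 17]

def common_etypes(offer, stored_keys):
    """Etypes usable by both sides, in the client's preference order."""
    return [e for e in offer if e in stored_keys]

def audit(accounts, offer, level_raised):
    """Return {account: finding} for accounts that share no etype with the client."""
    findings = {}
    for name, info in accounts.items():
        if common_etypes(offer, info["keys"]):
            continue  # at least one shared etype, no ETYPE_NOSUPP from this key
        have = ", ".join(ETYPES.get(e, str(e)) for e in sorted(info["keys"]))
        if info["pwd_last_set"] < level_raised:
            why = "password predates level raise; reset it to derive AES keys"
        else:
            why = "password is recent but AES keys are absent; check enc type settings"
        findings[name] = f"ETYPE_NOSUPP expected (has: {have}); {why}"
    return findings

# Constructed sample: hypothetical account names, dates and key sets.
LEVEL_RAISED = date(2017, 12, 26)
ACCOUNTS = {
    "krbtgt":   {"keys": {23, 3, 1},   "pwd_last_set": date(2012, 3, 1)},
    "DC1$":     {"keys": {23, 3, 1},   "pwd_last_set": date(2017, 12, 1)},
    "joinuser": {"keys": {18, 17, 23}, "pwd_last_set": date(2017, 12, 27)},
}

if __name__ == "__main__":
    for acct, msg in audit(ACCOUNTS, CLIENT_OFFER, LEVEL_RAISED).items():
        print(f"{acct}: {msg}")
```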