[Samba] Tip: Joining a RHEL/CentOS 8 machine to a Samba AD domain
Robert Marcano
robert at marcanoonline.com
Wed Mar 11 14:30:14 UTC 2020
Sending this to the list in order to make it web searchable for anyone
doing this.
If you experience problems running a joined Samba client on
RHEL/CentOS 8, such as being unable to access shares or to log in with AD
credentials, take into account that the system is hardened by default to
reject deprecated security algorithms and protocols, and an AD domain
depends on a few of those.
This hardening is supplied by the crypto-policies package, which is no more
than a few symlinks to default configuration files for many subsystems and
a tool to switch between them.
One of the ways to switch to a compatible policy is to use the
update-crypto-policies command to switch to the LEGACY policy, but I
recommend against that because it will apply it to all subsystems. For
joining a Samba AD domain it is only needed to switch the system MIT
Kerberos configuration to the LEGACY policy. That can be done with the
following commands:
rm /etc/krb5.conf.d/crypto-policies
Removes the default link that the crypto-policies package uses to update
the active policy.
ln -s /dev/null /etc/krb5.conf.d/crypto-policies
Links that default policy path to /dev/null, i.e. an empty file. This helps
when the crypto-policies package is updated, because it prevents the
original link from being reinstalled. It happened to me after the 8.1
update.
ln -s /usr/share/crypto-policies/LEGACY/krb5.txt /etc/krb5.conf.d/legacy
Adds the legacy configuration to the Kerberos configuration. This file just
adds a few more algorithms to the MIT Kerberos permitted_enctypes setting.
Reboot and your joined system should work fine now.
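The three commands above collected into a small POSIX sh script, as an added example that is not part of the original post: it applies them to a configurable directory so they can be safely re-run after a crypto-policies update, and verifies that both links end up where the post says they should. The KRB5_CONFD and LEGACY_KRB5 variables and the function names are my own, not anything shipped by RHEL or crypto-policies.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the three steps from the
# post to KRB5_CONFD (default /etc/krb5.conf.d) and verifies the result.
# Variable and function names are assumptions, not part of RHEL or
# the crypto-policies package.
set -eu

KRB5_CONFD="${KRB5_CONFD:-/etc/krb5.conf.d}"
LEGACY_KRB5="${LEGACY_KRB5:-/usr/share/crypto-policies/LEGACY/krb5.txt}"

# Steps 1-3 from the post, made safe to re-run (e.g. after a package update):
#   1. drop the link the crypto-policies package installs,
#   2. replace it with a link to /dev/null so an update does not restore it,
#   3. include the LEGACY Kerberos snippet under a name krb5 will read.
apply_krb5_legacy_policy() {
    confd="$1"; legacy="$2"
    [ -f "$legacy" ] || { echo "missing $legacy" >&2; return 1; }
    rm -f "$confd/crypto-policies"
    ln -s /dev/null "$confd/crypto-policies"
    rm -f "$confd/legacy"
    ln -s "$legacy" "$confd/legacy"
}

# Returns 0 only when both links exist, point where the post says they
# should, and the included snippet really carries a permitted_enctypes line
# (the only thing the LEGACY krb5.txt changes).
check_krb5_legacy_policy() {
    confd="$1"; legacy="$2"
    [ -L "$confd/crypto-policies" ] || return 1
    [ "$(readlink "$confd/crypto-policies")" = /dev/null ] || return 1
    [ -L "$confd/legacy" ] || return 1
    [ "$(readlink "$confd/legacy")" = "$legacy" ] || return 1
    grep -q '^[[:space:]]*permitted_enctypes[[:space:]]*=' "$legacy"
}

# Only touch the live system when explicitly asked (run as root with --apply).
if [ "${1:-}" = "--apply" ]; then
    apply_krb5_legacy_policy "$KRB5_CONFD" "$LEGACY_KRB5"
    check_krb5_legacy_policy "$KRB5_CONFD" "$LEGACY_KRB5" \
        && echo "LEGACY Kerberos policy linked in $KRB5_CONFD; reboot to apply"
fi
```

The check function can also be run on its own after a crypto-policies update to confirm the links survived it.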