[Samba] Tip: Joining a RHEL/CentOS 8 machine to a Samba AD domain

Robert Marcano robert at marcanoonline.com
Wed Mar 11 14:30:14 UTC 2020

Sending this to the list in order to make it web searchable for anyone 
doing this.

If you experience problems on a RHEL/CentOS 8 machine joined to a Samba AD 
domain, such as being unable to access shares or unable to log in with AD 
credentials, keep in mind that RHEL/CentOS 8 is hardened by default to 
reject deprecated cryptographic algorithms and protocols, and an AD domain 
still depends on a few of those.

This hardening is supplied by the crypto-policies package, which is little 
more than a set of symlinks that point the configuration of many subsystems 
(OpenSSL, GnuTLS, MIT Kerberos, and others) at the active policy files, plus 
the update-crypto-policies tool to switch between policies.

One of the ways to switch to a compatible policy is to use the 
update-crypto-policies command to switch to the LEGACY policy, but I 
recommend against that because it will apply it to all subsystems. For 
joining a Samba AD domain it is only necessary to switch the system MIT 
Kerberos library to the LEGACY policy. That can be done with the following 
commands:

  rm /etc/krb5.conf.d/crypto-policies

This removes the symlink through which the crypto-policies package feeds 
the active policy into the Kerberos configuration.

  ln -s /dev/null /etc/krb5.conf.d/crypto-policies

This points the same name at an empty file instead. MIT Kerberos still 
reads it, but it is harmless, and it keeps a later update of the 
crypto-policies package from recreating the original link. That happened to 
me after the 8.1 update.

  ln -s /usr/share/crypto-policies/LEGACY/krb5.txt /etc/krb5.conf.d/legacy

This adds the LEGACY configuration to the Kerberos configuration. The file 
only adds a few extra algorithms to the MIT Kerberos permitted_enctypes 
list (on RHEL 8 the addition over DEFAULT is the RC4 type arcfour-hmac-md5, 
which AD environments still commonly rely on). Note that this re-enables 
RC4 for every Kerberos client on the system, not just Samba, so it is still 
a deliberate weakening, only a much narrower one than a system-wide LEGACY 
policy.

Reboot, and your joined system should work fine now.
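The three steps above, as an added example script that is not part of the original post. It performs the same changes idempotently, refuses to clobber a hand-written file at the crypto-policies path, and shows how to confirm which enctypes MIT Kerberos will actually see afterwards. It assumes the RHEL/CentOS 8 layout described in the post (/etc/krb5.conf.d/crypto-policies is a package-managed symlink and /usr/share/crypto-policies/LEGACY/krb5.txt exists). The KRB5_ROOT prefix and the function names are hypothetical conveniences so the functions can be exercised against a scratch tree without root; with KRB5_ROOT empty they operate on the real system. Later RHEL 8 releases (8.3 onward) also offer the AD-SUPPORT subpolicy (`update-crypto-policies --set DEFAULT:AD-SUPPORT`) as a package-managed way to re-enable RC4 for Kerberos; this script automates the manual method of the post instead.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: RHEL/CentOS 8 crypto-policies layout; KRB5_ROOT is a
# hypothetical prefix (default "" = the real system) used for dry runs.
set -eu

KRB5_ROOT="${KRB5_ROOT:-}"

# Pin the krb5 crypto-policies hook to /dev/null and link in the LEGACY
# enctypes. Returns non-zero and changes nothing if the layout is unexpected.
krb5_apply_legacy() {
    confd="${KRB5_ROOT}/etc/krb5.conf.d"
    legacy_src="${KRB5_ROOT}/usr/share/crypto-policies/LEGACY/krb5.txt"
    hook="$confd/crypto-policies"

    [ -d "$confd" ] || { echo "missing $confd" >&2; return 1; }
    [ -f "$legacy_src" ] || { echo "missing $legacy_src" >&2; return 1; }
    # Only replace a symlink (the package-managed hook), never a regular
    # file an administrator may have written by hand.
    if [ -e "$hook" ] && [ ! -L "$hook" ]; then
        echo "$hook is a regular file, refusing to remove it" >&2
        return 1
    fi

    rm -f "$hook"
    ln -s /dev/null "$hook"               # keeps package updates from recreating the link
    ln -sfn "$legacy_src" "$confd/legacy" # LEGACY permitted_enctypes for MIT Kerberos
}

# Print the permitted_enctypes values found in krb5.conf.d, one per line,
# deduplicated. MIT Kerberos reads every file in that directory, so the
# /dev/null link contributes nothing.
krb5_effective_enctypes() {
    confd="${KRB5_ROOT}/etc/krb5.conf.d"
    cat "$confd"/* 2>/dev/null \
      | sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' \
      | tr ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Exit status 0 when the RC4 enctype (arcfour-hmac-md5), the one AD
# deployments typically still need, is among the effective enctypes.
krb5_has_rc4() {
    krb5_effective_enctypes | grep -qx 'arcfour-hmac-md5'
}

# Touch the real system only when explicitly asked (requires root).
if [ "${1:-}" = "--apply" ]; then
    krb5_apply_legacy
    echo "effective permitted_enctypes:"
    krb5_effective_enctypes
fi
```

Run it as root with `--apply`, reboot as the post says, then confirm from the client side: `kinit user@REALM` followed by `klist -e` shows the encryption type the domain actually issued for the ticket, which is the quickest way to see whether the extra enctype was needed at all.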
