[Samba] Strange problem with samba-tool dns query ...
Rowland Penny
rpenny at samba.org
Fri Apr 5 18:13:51 UTC 2024
On Fri, 5 Apr 2024 19:58:33 +0200
Pavel Lisý <pavel.lisy at gmail.com> wrote:
> So,
>
> I've made some progress.
>
> I've made the configuration according to this article
> https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> they use the sample Kerberos config file from package samba-dc-provision:
>
> sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
>
>
> [libdefaults]
> default_realm = ${REALM}
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> ${REALM} = {
> default_domain = ${DNSDOMAIN}
> }
>
> [domain_realm]
> ${HOSTNAME} = ${REALM}
Well yes, that is the same as the one I suggested
>
> customized file /etc/krb5.conf.d/samba-dc is included in
>
> /etc/krb5.conf by this line
>
> includedir /etc/krb5.conf.d/
Known problem (that is supposed to be fixed)
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
Just remove the 'includedir' line.
>
> but it includes another file too, from package
> crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
>
> $ ls -l /etc/krb5.conf.d
> lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config
>
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
>
> When I remove this file, command returns correct results
Oh you did, please do not put it back.
>
> I suppose permitted_enctypes are not compatible with this samba
> version, I'm not sure which one is missing. Any suggestions?
>
No, Samba doesn't understand the 'includedir' line.
Rowland
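
An added diagnostic example, not part of the original message and not Samba or MIT krb5 code: it expands `includedir` the way MIT krb5 documents it (only file names made of alphanumerics, dashes and underscores, or ending in `.conf`) and reports which file each setting comes from, so a `permitted_enctypes` line pulled in from a crypto-policies fragment is visible. It treats every `key = value` line independently, and the realm name, file contents and shortened enctype list in `demo()` are constructed.

```python
import os
import re
import tempfile

# MIT krb5 includedir rule: names of only alphanumerics, dashes, underscores,
# or names ending in ".conf" that do not start with a dot.
_NAME_OK = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")

def effective_settings(path, seen=None):
    """Return [(file, section, key, value)] for path and everything it includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)      # symlinks (e.g. crypto-policies) resolve here
    if real in seen:                   # guard against include loops
        return []
    seen.add(real)
    out, section = [], None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            words = line.split(None, 1)
            if not words or line[0] in "#;":
                continue
            if words[0] == "includedir" and len(words) == 2:
                for name in sorted(os.listdir(words[1])):
                    if _NAME_OK.match(name):
                        out += effective_settings(os.path.join(words[1], name), seen)
            elif words[0] == "include" and len(words) == 2:
                out += effective_settings(words[1], seen)
            elif line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                out.append((path, section, key, value))
    return out

def demo():
    """Constructed layout mirroring the thread: krb5.conf plus a krb5.conf.d directory."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "krb5.conf.d")
    os.mkdir(d)
    files = {
        os.path.join(root, "krb5.conf"): f"includedir {d}\n",
        os.path.join(d, "samba-dc"): "[libdefaults]\ndefault_realm = EXAMPLE.TEST\n",
        os.path.join(d, "crypto-policies"):
            "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n",
        os.path.join(d, "samba-dc.rpmsave"): "[libdefaults]\ndefault_realm = IGNORED.TEST\n",
    }
    for p, text in files.items():
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(text)
    rows = effective_settings(os.path.join(root, "krb5.conf"))
    return [(os.path.basename(f), s, k, v) for f, s, k, v in rows]
```

On a real host, call `effective_settings("/etc/krb5.conf")` and look for settings whose source file is not the one Samba provisioning wrote.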