[Samba] Strange problem with samba-tool dns query ...

Rowland Penny rpenny at samba.org
Fri Apr 5 18:13:51 UTC 2024


On Fri, 5 Apr 2024 19:58:33 +0200
Pavel Lisý <pavel.lisy at gmail.com> wrote:

> So,
> 
> I've made some progress.
> 
> I've made configuration according to this article
> https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> they use sample kerberos config file from package samba-dc-provision:
> 
> sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> 
> 
> [libdefaults]
> default_realm = ${REALM}
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> [realms]
> ${REALM} = {
> default_domain = ${DNSDOMAIN}
> }
> 
> [domain_realm]
> ${HOSTNAME} = ${REALM}

Well yes, that is the same as the one I suggested.
> 
> customized file /etc/krb5.conf.d/samba-dc is included in
> 
> /etc/krb5.conf by this line
> 
> includedir /etc/krb5.conf.d/

Known problem (that is supposed to be fixed)

https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File

Just remove the 'includedir' line.

> 
> but it includes other file too from package
> crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
> 
> $ ls -l /etc/krb5.conf.d
> lrwxrwxrwx. 1 root root  42 17. led 01.00 crypto-policies ->
> /etc/crypto-policies/back-ends/krb5.config
> 
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192
> aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
> 
> When I remove this file, command returns correct results

Oh you did, please do not put it back.

> 
> I suppose permitted_enctypes are not compatible with this samba
> version, I'm not sure which one is missing. Any suggestions?
> 

No, Samba doesn't understand the 'includedir' line.

Rowland
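
An added example, not part of the original message or of Samba: a small shell check that lists every file an `includedir` line pulls into a krb5.conf and shows any `permitted_enctypes` each one sets, which is how a snippet such as the crypto-policies symlink quoted above can be spotted. The function name `audit_krb5_includes`, the `demo` helper and the sample tree are constructed for illustration; the file-name filter follows the MIT krb5 `includedir` rules.

```bash
#!/usr/bin/env bash
# Added example: list the files an 'includedir' directive pulls into a
# krb5.conf and show any permitted_enctypes each one sets.

# audit_krb5_includes CONF -> "<file><TAB><permitted_enctypes or ->" per file
audit_krb5_includes() {
    awk '$1 == "includedir" { print $2 }' "$1" |
    while IFS= read -r dir; do
        for f in "${dir%/}"/*; do
            [ -f "$f" ] || continue   # -f follows symlinks (crypto-policies)
            name=${f##*/}
            # MIT krb5 reads only names made of alphanumerics, '-' and '_',
            # plus names ending in ".conf" (release 1.15 and later).
            case $name in
                *.conf) ;;
                *[!A-Za-z0-9_-]*) continue ;;
            esac
            val=$(sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
            printf '%s\t%s\n' "$f" "${val:--}"
        done
    done
}

# Constructed sample tree mirroring the layout quoted in the thread.
demo() (
    t=$(mktemp -d)
    mkdir "$t/krb5.conf.d"
    printf 'includedir %s/krb5.conf.d/\n' "$t" > "$t/krb5.conf"
    printf '[libdefaults]\ndefault_realm = EXAMPLE.TEST\n' > "$t/krb5.conf.d/samba-dc"
    printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n' > "$t/policy.config"
    ln -s "$t/policy.config" "$t/krb5.conf.d/crypto-policies"
    : > "$t/krb5.conf.d/notes.bak"   # skipped: '.' in name, not *.conf
    audit_krb5_includes "$t/krb5.conf" | sed "s|^$t||"
    rm -rf "$t"
)

demo
```

On a real host, `audit_krb5_includes /etc/krb5.conf` gives the same report for the live configuration.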


