[Samba] Strange problem with samba-tool dns query ...
pavel.lisy at gmail.com
Fri Apr 5 19:17:45 UTC 2024
On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> On Fri, 5 Apr 2024 19:58:33 +0200
> Pavel Lisý <pavel.lisy at gmail.com> wrote:
>
> > So,
> >
> > I've made some progress.
> >
> > I've made the configuration according to this article:
> > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > They use the sample Kerberos config file from the package
> > samba-dc-provision:
> >
> > sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> >
> >
> > [libdefaults]
> > default_realm = ${REALM}
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > ${REALM} = {
> > default_domain = ${DNSDOMAIN}
> > }
> >
> > [domain_realm]
> > ${HOSTNAME} = ${REALM}
>
> Well yes, that is the same as the one I suggested
> >
> > customized file /etc/krb5.conf.d/samba-dc is included in
> >
> > /etc/krb5.conf by this line
> >
> > includedir /etc/krb5.conf.d/
>
> Known problem (that is supposed to be fixed)
>
> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
>
> Just remove the 'includedir' line.
> >
I'm not sure; my Samba version is including files from that directory
without problems.

When I removed the first two permitted_enctypes:
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
to be:
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
the command works.

It does not matter whether this is included in the file /etc/krb5.conf.d/crypto-policies or in the main file /etc/krb5.conf.

So my conclusion is:
these two enctypes are incompatible with samba-4.19.5 on Fedora 39:
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

It is in the file: /usr/share/crypto-policies/DEFAULT/krb5.txt
from the package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
Pavel
> > but it includes another file too, from the package
> > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
> >
> > $ ls -l /etc/krb5.conf.d
> > lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies ->
> > /etc/crypto-policies/back-ends/krb5.config
> >
> > [libdefaults]
> > permitted_enctypes = aes256-cts-hmac-sha384-192
> > aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> > aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
> >
> > When I remove this file, command returns correct results
>
> Oh you did, please do not put it back.
>
> >
> > I suppose permitted_enctypes are not compatible with this samba
> > version, I'm not sure which one is missing. Any suggestions?
> >
>
> No, Samba doesn't understand the 'includedir' line.
See above
> Rowland
>
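
To see which file reachable from /etc/krb5.conf sets permitted_enctypes, and whether it lists the two enctypes discussed in this message, a scan like the following can help. It is an added example, not part of the original e-mail or of Samba; the file-name filter follows MIT krb5's documented includedir rule, and the temp-dir tree, EXAMPLE.TEST and old.rpmsave are constructed sample input.

```python
import os, re, tempfile
from pathlib import Path

SHA2_ENCTYPES = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}  # removed in the thread
# MIT krb5 includedir reads only names made of alphanumerics, "-" and "_", or "*.conf" not starting with "."
INCLUDABLE = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")

def config_files(path, seen=None):
    """Yield path, then every file it pulls in through include/includedir."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)  # follows symlinks such as crypto-policies
    if real in seen or not os.path.isfile(real):
        return
    seen.add(real)
    yield path
    with open(real) as fh:
        for line in fh:
            key, target = (line.split(None, 1) + ["", ""])[:2]
            if key == "include":
                yield from config_files(target.strip(), seen)
            elif key == "includedir" and os.path.isdir(target.strip()):
                for name in sorted(os.listdir(target.strip())):
                    if INCLUDABLE.match(name):
                        yield from config_files(os.path.join(target.strip(), name), seen)

def find_permitted_enctypes(main_conf):
    """Return (file, enctypes, sha2_enctypes) for each permitted_enctypes line found."""
    hits = []
    for path in config_files(main_conf):
        with open(path) as fh:
            for line in fh:
                m = re.match(r"\s*permitted_enctypes\s*=\s*(.+)", line)
                if m:
                    types = re.split(r"[,\s]+", m.group(1).strip())
                    hits.append((path, types, [t for t in types if t in SHA2_ENCTYPES]))
    return hits

def demo():
    """Scan a constructed tree (temp dir) that mirrors the layout in the thread."""
    confd = Path(tempfile.mkdtemp()) / "krb5.conf.d"
    confd.mkdir()
    for name, body in [
        (confd.parent / "krb5.conf", f"includedir {confd}\n[libdefaults]\ndefault_realm = EXAMPLE.TEST\n"),
        (confd / "crypto-policies", "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96\n"),
        (confd / "old.rpmsave", "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192\n"),  # skipped: dot in name
    ]:
        name.write_text(body)
    return find_permitted_enctypes(str(confd.parent / "krb5.conf"))
```

On a real host, call `find_permitted_enctypes("/etc/krb5.conf")`; it reports where the option is set, not which value a given Kerberos library ends up using.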