[Samba] Strange problem with samba-tool dns query ...

Fri Apr 5 20:19:38 UTC 2024

Anyway, thanks a lot for your help.

I've found few discusions about similar problems:
https://docs.active-directory-wp.com/Technical_details/Fixing_issues_related_to_Kerberos/Unsupported_encryption_types_between_Samba_and_Active_Directory.html
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FITCJOXX2QQ4HEXEK4PDJWFZJ2C33FAZ/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index

Maybe I will report this problem to Fedora's bugzilla.

Pavel

pá 5. 4. 2024 v 21:46 odesílatel Rowland Penny via samba <
samba at lists.samba.org> napsal:

> On Fri, 05 Apr 2024 21:17:45 +0200
> pavel.lisy at gmail.com wrote:
>
> > On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> > > On Fri, 5 Apr 2024 19:58:33 +0200
> > > Pavel Lisý <pavel.lisy at gmail.com> wrote:
> > >
> > > > So,
> > > >
> > > > I've done some progress.
> > > >
> > > > I've made configuration according this article
> > > > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > > > they use sample kerberos config file from package samba-dc-
> > > > provision:
> > > >
> > > > sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> > > >
> > > >
> > > > [libdefaults]
> > > > default_realm = ${REALM}
> > > > dns_lookup_realm = false
> > > > dns_lookup_kdc = true
> > > >
> > > > [realms]
> > > > ${REALM} = {
> > > > default_domain = ${DNSDOMAIN}
> > > > }
> > > >
> > > > [domain_realm]
> > > > ${HOSTNAME} = ${REALM}
> > >
> > > Well yes, that is the same as the one I suggested
> > > >
> > > > customized file /etc/krb5.conf.d/samba-dc is included in
> > > >
> > > > /etc/krb5.conf by this line
> > > >
> > > > includedir /etc/krb5.conf.d/
> > >
> > > Known problem (that is supposed to be fixed)
> > >
> > >
> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
> > >
> > > Just remove the 'includedir' line.
> > > >
> > I'm not sure
> >
> > my samba version is including files from that directory without
> > problems
> >
> >
> > When I've removed first two permitted_enctypes:
> >
> > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> >
> > to be:
> > permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> > camellia256-cts-cmac camellia128-cts-cmac
> >
> > command works
> >
> > No matter if this is included in file
> > /etc/krb5.conf.d/crypto-policies or in main file /etc/krb5.conf
> >
> >
> > So my conclusion is:
> > these two enctypes are incompatible with samba-4.19.5 on Fedora 39
> >
> > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> >
> >
> > It is in file: /usr/share/crypto-policies/DEFAULT/krb5.txt
> > from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
> >
>
> OK, I do not use Samba on Fedora, their DC packages use MIT kerberos
> and as such are classed as experimental. The krb5.conf I posted was for
> Heimdal and just works.
> I thought about it and remembered something, so checked the wiki, have
> a look at this:
>
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> NOTE, the wiki is written from the point of view of a self compiled
> Samba, so the paths will not quite match yours.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>