On 6/12/23 2:55 AM, Rowland Penny via samba wrote:
>
> On 12/06/2023 07:04, Christian Naumer via samba wrote:
>> Am Samstag, dem 10.06.2023 um 20:57 +0100 schrieb Rowland Penny via
>> samba:
>>>
>>>
>>> On 10/06/2023 20:37, Christian Naumer via samba wrote:
>>>> That might be the right direction. The standard krb5.conf on
>>>> rhel/rocky breaks samba. At least for us. That is why we always
>>>> replace it with a custom one.
>>>
>>> It might be an idea if we could see your definition of the standard
>>> krb5.conf. I ask this because I have set up a Unix domain member on
>>> both Rocky Linux 8 and 9 with my idea of the standard krb5.conf and
>>> they both worked.
>>
>>
>> In Rocky 8 we have this as standard which we usually replace:
>>
>> # To opt out of the system crypto-policies configuration of krb5,
>> # remove the symlink at /etc/krb5.conf.d/crypto-policies which will
>> # not be recreated.
>> includedir /etc/krb5.conf.d/
>>
>> [logging]
>>     default = FILE:/var/log/krb5libs.log
>>     kdc = FILE:/var/log/krb5kdc.log
>>     admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>     dns_lookup_realm = false
>>     ticket_lifetime = 24h
>>     renew_lifetime = 7d
>>     forwardable = true
>>     rdns = false
>>     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
>>     spake_preauth_groups = edwards25519
>> #   default_realm = EXAMPLE.COM
>>     default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> #     kdc = kerberos.example.com
>> #     admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>
>> I think it does not like the "crypto-policies" file in the
>> includedir. But I am unsure. Maybe this is different now but it used
>> to be a problem.
>>
>> Here is what we replace it with:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = EXAMPLEREALM.COM
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> Regards
>>
>> Christian
>>
>>
>
> I used this /etc/krb5.conf on a machine called 'rocky9'
>
> [libdefaults]
>   default_realm = SAMDOM.EXAMPLE.COM
>   dns_lookup_kdc = false
>   dns_lookup_realm = true
>
> [realms]
>     SAMDOM.EXAMPLE.COM = {
>         default_domain = samdom.example.com
>     }
>
> [domain_realm]
>     ROCKY9 = SAMDOM.EXAMPLE.COM
>
> I also did this:
>
> sudo rm /etc/krb5.conf.d/crypto-policies
>
> I ended up with a fully working Unix domain member using the 'rid'
> idmap backend.
>
> Rowland
>
There exists a way to set up crypto policies with support for old AD crypto.
RHEL 8 and derivatives:
update-crypto-policies --set DEFAULT:AD-SUPPORT
RHEL 9 and derivatives:
update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
From: https://access.redhat.com/solutions/7004158
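To make visible what the stock Rocky file actually pulls in through its includedir (the crypto-policies include discussed in the thread), here is an added Python example that is not from the thread, Samba or MIT krb5: a small krb5.conf parser that follows includedir with krb5's file-name filter, then reports whether default_realm is set and whether an included file constrains permitted_enctypes. The config text is constructed; the content of the crypto-policies file and the in-memory INCLUDE_DIRS stand-in for the directory are assumptions.

```python
import re
# Constructed sample modelled on the stock Rocky 8 file quoted above; the include content is an assumption.
KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
    dns_lookup_realm = false
#   default_realm = EXAMPLE.COM
[realms]
    SAMDOM.EXAMPLE.COM = {
        default_domain = samdom.example.com
    }
"""
INCLUDE_DIRS = {  # in-memory stand-in for the include directory on disk
    "/etc/krb5.conf.d": {
        "crypto-policies": "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n",
        "README.txt": "[libdefaults]\ndefault_realm = IGNORED.COM\n",
    }
}

def parse_krb5(text, dirs=INCLUDE_DIRS, conf=None):
    """Parse [section], key = value, name = { ... } and includedir into nested dicts."""
    conf = {} if conf is None else conf
    stack = []  # innermost dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir "):
            incdir = line.split(None, 1)[1].rstrip("/")
            # approximates krb5's rule: names of [A-Za-z0-9_-] only, or ending in .conf
            for name, body in sorted(dirs.get(incdir, {}).items()):
                if re.fullmatch(r"[A-Za-z0-9_-]+(\.conf)?", name):
                    parse_krb5(body, dirs, conf)
        elif line.startswith("["):
            stack = [conf.setdefault(line.strip("[]"), {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(" ="), {}))
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1].setdefault(key, []).append(value)
    return conf

def audit(conf):
    """Findings a domain-member admin wants: realm unset? enctypes limited by an include?"""
    lib = conf.get("libdefaults", {})
    unset = [] if "default_realm" in lib else ["default_realm unset"]
    limited = ["permitted_enctypes: " + v for v in lib.get("permitted_enctypes", [])]
    return unset + limited
```

Calling audit(parse_krb5(KRB5_CONF)) shows both findings for the stock layout; passing dirs={} models removing the include directory's contents, after which only the missing default_realm remains.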