L.P.H. van Belle
2017-Jan-18 10:56 UTC
[Samba] AD attributes of the (in this case) member servers differences.
Hi,

I'm setting up a new proxy with winbind and kerberos auth. So far everything is OK, but now I'm setting up my nfsv4 (with automount with systemd) for my user login on that server.

For the new setup I compared my old proxy with my new proxy. I noticed the old proxy is missing some attributes in the AD object.

For example:
Samba member1 (installed as 4.3.x), upgraded to 4.5.3: here I'm missing msDS-SupportedEncryptionTypes.
Samba member2 (installed as 4.5.3) has them.

With the upgrades of Samba, are these AD attributes not all updated?

Now I have seen:
https://wiki.samba.org/index.php/Generating_Keytabs

Now, after running:
    net ads enctypes set computername$
it's added on the server where it was missing. I noticed this because I needed AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 in the keytab of my new proxy.

Is this normal behavior?

And can someone explain why the default keytabs have:
    arcfour-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc
and the one exported with --principal only:
    arcfour-hmac des-cbc-md5 des-cbc-crc

Thanks in advance, and when I'm done I'll post the howto for this.

Best regards,
Louis
Rowland Penny
2017-Jan-18 11:22 UTC
[Samba] AD attributes of the (in this case) member servers differences.
On Wed, 18 Jan 2017 11:56:29 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> I'm setting up a new proxy with winbind and kerberos auth.
> So far everything is OK, but now I'm setting up my nfsv4 (with automount
> with systemd) for my user login on that server.
>
> For the new setup I compared my old proxy with my new proxy.
> I noticed the old proxy is missing some attributes in the AD object.
>
> For example:
> Samba member1 (installed as 4.3.x), upgraded to 4.5.3: here I'm
> missing msDS-SupportedEncryptionTypes.
> Samba member2 (installed as 4.5.3) has them.
>
> With the upgrades of Samba, are these AD attributes not all updated?
> Now I have seen:
>
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> Now, after running:
>
>     net ads enctypes set computername$
>
> it's added on the server where it was missing. I noticed this because I
> needed AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 in the keytab
> of my new proxy.
>
> Is this normal behavior?
> And can someone explain why the default keytabs have:
>
>     arcfour-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>     des-cbc-md5 des-cbc-crc
>
> and the one exported with --principal only:
>
>     arcfour-hmac des-cbc-md5 des-cbc-crc
>
> Thanks in advance, and when I'm done I'll post the howto for this.

I think that 4.3.x didn't have the 'msDS-SupportedEncryptionTypes' attribute or it was set to '24', but when you upgrade Samba, 'sam.ldb' isn't touched.

Rowland
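Added example, not part of either post and not Samba code: a small checker that decodes an msDS-SupportedEncryptionTypes value (such as the '24' mentioned above) into enctype names and compares it with the enctypes a keytab holds for one principal. It assumes MIT-style `klist -ke` output; the principal name, realm and the attribute value 31 used in the demo are constructed.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

def decode_enctypes(value):
    """Return the enctype names whose bits are set in the attribute value."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}

def keytab_enctypes(klist_output, principal):
    """Collect the enctypes listed for one principal in `klist -ke` output."""
    found = set()
    for line in klist_output.splitlines():
        # Entry lines look like: "   2 HTTP/host@REALM (enctype)"
        m = re.match(r"\s*\d+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)", line)
        if m and m.group(1).lower() == principal.lower():
            found.add(m.group(2).lower())
    return found

def compare(attr_value, klist_output, principal):
    """Report enctypes set in AD but absent from the keytab, and the reverse."""
    advertised = decode_enctypes(attr_value)
    in_keytab = keytab_enctypes(klist_output, principal)
    return {
        "advertised_without_key": sorted(advertised - in_keytab),
        "key_not_advertised": sorted(in_keytab - advertised),
    }

# Constructed sample: a keytab holding only the three enctypes the first
# post lists for the --principal export. Host and realm are hypothetical.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy2.example.com@EXAMPLE.COM (arcfour-hmac)
   2 HTTP/proxy2.example.com@EXAMPLE.COM (des-cbc-md5)
   2 HTTP/proxy2.example.com@EXAMPLE.COM (des-cbc-crc)
"""

if __name__ == "__main__":
    print(sorted(decode_enctypes(24)))
    print(compare(31, SAMPLE_KLIST, "HTTP/proxy2.example.com@EXAMPLE.COM"))
```

Run it against real `klist -ke -t /path/to/keytab` output and the attribute value read from the computer object to see which AES keys a keytab is missing.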