Mike Forsman
2017-Dec-27 15:00 UTC
[Samba] Chromebook AD integration fails on joining the domain
Hi,

I am testing Google's recent ability to integrate Chromebooks into AD and it's failing when I try to join the device to the domain. When I run Wireshark during the test I notice 2 TGS-REQs from the device that are answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was getting the same result from the device's AS-REQ, but got that to pass by raising the domain level to 2008R2 and enabling AES in the user account that I'm using to join the device to the domain.

Some pertinent info:

The domain is about 12 years old (started as a Samba 2 NT domain) and has been updated several times.

Currently running 4.7.

Samba was not built with MIT Kerberos.

So, the question - how do I get Samba to support AES for the TGS portion of the exchange?

Thanks,
Mike
Achim Gottinger
2017-Dec-27 15:52 UTC
[Samba] Chromebook AD integration fails on joining the domain
Hello Mike,

Could be you need to recreate the machine and TGT password on your server so it adds the AES enc types for these after raising the functional domain level.

The required scripts can be found in the Samba sources in /source4/scripting/devel/

Use chgdcpass for the machine account and chgkrbtgtpass for the TGT account.

I did this on a single AD DC server a while back and had no issues. Never tried it on a setup with multiple AD DCs. So I'd recommend you make a backup/snapshot before you try it.

Achim~

On 27.12.2017 at 16:00, Mike Forsman via samba wrote:
> Hi,
>
> I am testing Google's recent ability to integrate Chromebooks into AD and
> it's failing when I try to join the device to the domain. When I run
> Wireshark during the test I notice 2 TGS-REQs from the device that are
> answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
> AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
> getting the same result from the device's AS-REQ, but got that to pass by
> raising the domain level to 2008R2 and enabling AES in the user account
> that I'm using to join the device to the domain.
>
> Some pertinent info:
>
> The domain is about 12 years old (started as a Samba 2 NT domain) and has
> been updated several times.
>
> Currently running 4.7.
>
> Samba was not built with MIT Kerberos.
>
> So, the question - how do I get Samba to support AES for the TGS portion of
> the exchange?
>
> Thanks,
> Mike
Mike Forsman
2017-Dec-28 14:50 UTC
[Samba] Chromebook AD integration fails on joining the domain
I ran both scripts last night and was able to get the Chromebook to join the domain this morning. Thanks, Achim!

For posterity's sake, I should mention that I changed the user's password when I enabled AES on their Account tab, in ADUC.

Thanks,
Mike

On Wed, Dec 27, 2017 at 9:52 AM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
> Hello Mike,
>
> Could be you need to recreate the machine and TGT password on your server so
> it adds the AES enc types for these after raising the functional domain
> level.
>
> The required scripts can be found in the Samba sources in
> /source4/scripting/devel/
>
> Use chgdcpass for the machine account and chgkrbtgtpass for the TGT account.
>
> I did this on a single AD DC server a while back and had no issues. Never
> tried it on a setup with multiple AD DCs. So I'd recommend you make a
> backup/snapshot before you try it.
>
> Achim~
>
> On 27.12.2017 at 16:00, Mike Forsman via samba wrote:
>
>> Hi,
>>
>> I am testing Google's recent ability to integrate Chromebooks into AD and
>> it's failing when I try to join the device to the domain. When I run
>> Wireshark during the test I notice 2 TGS-REQs from the device that are
>> answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
>> AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
>> getting the same result from the device's AS-REQ, but got that to pass by
>> raising the domain level to 2008R2 and enabling AES in the user account
>> that I'm using to join the device to the domain.
>>
>> Some pertinent info:
>>
>> The domain is about 12 years old (started as a Samba 2 NT domain) and has
>> been updated several times.
>>
>> Currently running 4.7.
>>
>> Samba was not built with MIT Kerberos.
>>
>> So, the question - how do I get Samba to support AES for the TGS portion
>> of the exchange?
>>
>> Thanks,
>> Mike
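The thread's root cause is that the KDC picks a service-ticket enctype from the intersection of what the client offers and what the target account's msDS-SupportedEncryptionTypes (and its stored keys) allow; an account whose keys were generated before the functional-level raise has RC4 keys only, so an AES-only client gets KRB5KDC_ERR_ETYPE_NOSUPP on the TGS-REQ. The script below is an added example, not code from the thread or from Samba: it decodes that attribute's bitmask (the documented AD bit values), flags accounts with no AES bit set, and wraps an ldbsearch query so you can check krbtgt and the DC account before and after running chgkrbtgtpass/chgdcpass. The sam.ldb path is a Debian default and is an assumption for other builds; the sample values fed to the report at the bottom are constructed, not captured from Mike's domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: decode the
# msDS-SupportedEncryptionTypes bitmask that the KDC consults when it picks
# an enctype for a service ticket, and flag accounts with no AES bit set.
# Bit values are the documented AD ones; the sam.ldb path is an assumption
# (it varies by distribution).

# decode_enctypes DECIMAL -> space-separated enctype names (empty for 0)
decode_enctypes() {
    v=$1
    out=""
    [ $((v & 1)) -ne 0 ]  && out="$out DES-CBC-CRC"
    [ $((v & 2)) -ne 0 ]  && out="$out DES-CBC-MD5"
    [ $((v & 4)) -ne 0 ]  && out="$out RC4-HMAC"
    [ $((v & 8)) -ne 0 ]  && out="$out AES128-CTS-HMAC-SHA1-96"
    [ $((v & 16)) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96"
    printf '%s\n' "${out# }"
}

# supports_aes DECIMAL -> exit 0 if the AES128 or AES256 bit is set, else 1
supports_aes() {
    [ $(($1 & 24)) -ne 0 ]
}

# Read the attribute for one account straight from the local DC's sam.ldb.
# ldbsearch ships with Samba; the database path is assumed. An absent
# attribute prints nothing, which the KDC treats the same as RC4 only.
query_enctypes() {
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        "(sAMAccountName=$1)" msDS-SupportedEncryptionTypes \
        | sed -n 's/^msDS-SupportedEncryptionTypes: //p'
}

# report ACCOUNT DECIMAL -> one line: decoded enctypes plus an AES verdict
report() {
    if supports_aes "$2"; then
        printf '%-8s %3s  %s\n' "$1" "$2" "$(decode_enctypes "$2")"
    else
        printf '%-8s %3s  %s  <- no AES: reset this account'\''s password after raising the level\n' \
            "$1" "$2" "$(decode_enctypes "$2")"
    fi
}

# Constructed sample (not captured from Mike's domain): krbtgt and the DC
# machine account with RC4-only keys (4), then with RC4 plus both AES types
# (28), which is what a domain ends up with once AES keys are added next to
# the existing RC4 ones.
for entry in "krbtgt:4" "krbtgt:28" 'DC1$:4' 'DC1$:28'; do
    report "${entry%%:*}" "${entry##*:}"
done

# On a real DC, replace the loop above with:
#   for a in krbtgt "$(hostname -s | tr a-z A-Z)\$"; do
#       report "$a" "$(query_enctypes "$a" || echo 0)"
#   done
```

After running chgkrbtgtpass and chgdcpass, confirm the new keys are actually used: `kinit user` followed by `klist -e` shows the TGT's enctype, which should now be aes256-cts-hmac-sha1-96 rather than arcfour-hmac. Note that resetting the krbtgt secret invalidates every outstanding TGT in the domain, so clients will re-authenticate, and on a multi-DC setup the new secret must replicate to every DC before the KDCs agree, which is the case Achim says he has not tested.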