On 29.04.2019 at 19:21, Rowland Penny via samba wrote:
> On Mon, 29 Apr 2019 19:02:44 +0200
> Christian via samba <samba at lists.samba.org> wrote:
>
>>>>> That's a strange one..
>>>>>
>>>>>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes":
>>>>>> 31 (0x0000001f)
>>>>> Try this first.
>>>>> sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2
>>>> Same result. Cheers,
>>>>
>>> what is the output of 'samba-tool domain level show'
>> root@dc1:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=.....'
>>
>> Forest function level: (Windows) 2003
>> Domain function level: (Windows) 2003
>> Lowest function level of a DC: (Windows) 2008 R2
>>
>> root@dc1:~#
>>
>> Thanks,
>>
>> Christian
>>
>>
> That explains it ;-)
>
> Try raising the functional level to 2008R2
>
> samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2
>
> Rowland
>
Still the same:

root@dc1:~# rm -f dns.keytab
root@dc1:~# samba-tool domain level show
Domain and forest function level for domain 'DC=.......'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@dc1:~# samba-tool domain exportkeytab dns.keytab --principal=dns-dc1
Export one principal to dns.keytab
root@dc1:~# klist -ke dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)

I should mention that the AD is the result of a classicupgrade...

Thanks,
Christian
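
Added example, not part of the original thread or of Samba's own code: a small Python check that decodes an msDS-SupportedEncryptionTypes value and compares it with the enctypes listed by `klist -ke`, to flag an account that advertises AES but only has DES/RC4 keys in its exported keytab. The function names and the sample text are constructed for illustration, and applying the mask 31 (0x1f) quoted for 'dns-dc2' to the 'dns-dc1' export is an assumption.

```python
import re

# Bit values of the msDS-SupportedEncryptionTypes attribute (MS-KILE),
# mapped to the enctype names printed by MIT `klist -ke`.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
# Matches keytab entry lines such as "   1 dns-dc1@XXX (arcfour-hmac)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def decode_supported(mask):
    """Return the set of enctype names advertised by the bitmask."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

def keytab_enctypes(klist_output, principal):
    """Collect the enctypes present for one principal in `klist -ke` output."""
    found = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2).split("@")[0] == principal:
            found.add(m.group(3))
    return found

def audit(mask, klist_output, principal):
    """Compare advertised enctypes with the keys actually exported."""
    advertised = decode_supported(mask)
    present = keytab_enctypes(klist_output, principal)
    return {
        "advertised_without_key": sorted(advertised - present),
        "weak_only": bool(present) and present <= WEAK,
    }

# Constructed sample, modelled on the klist output in the message above.
SAMPLE = """Keytab name: FILE:dns.keytab
KVNO Principal
---- ----------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)
"""

if __name__ == "__main__":
    print(audit(0x1F, SAMPLE, "dns-dc1"))
```

A non-empty `advertised_without_key` list together with `weak_only` set to true is the condition reported in this thread: the attribute allows AES, but the account has no AES keys to export.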