On 29.04.2019 at 19:21, Rowland Penny via samba wrote:
> On Mon, 29 Apr 2019 19:02:44 +0200
> Christian via samba <samba@lists.samba.org> wrote:
>
>>>>> That's a strange one..
>>>>>
>>>>>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes":
>>>>>> 31 (0x0000001f)
>>>>> Try this first.
>>>>> sudo samba-tool domain exportkeytab dns.keytab
>>>>> --principal=dns-dc2
>>>> Same result. Cheers,
>>>>
>>> what is the output of 'samba-tool domain level show'
>> root@dc1:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=.....'
>>
>> Forest function level: (Windows) 2003
>> Domain function level: (Windows) 2003
>> Lowest function level of a DC: (Windows) 2008 R2
>>
>> root@dc1:~#
>>
>> Thanks,
>>
>> Christian
>>
> That explains it ;-)
>
> Try raising the functional level to 2008R2
>
> samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2
>
> Rowland

Still the same:

root@dc1:~# rm -f dns.keytab
root@dc1:~# samba-tool domain level show
Domain and forest function level for domain 'DC=.......'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@dc1:~# samba-tool domain exportkeytab dns.keytab --principal=dns-dc1
Export one principal to dns.keytab
root@dc1:~# klist -ke dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)

I should mention that the AD is the result of a classicupgrade...

Thanks,

Christian
On Mon, 29 Apr 2019 19:31:55 +0200
Christian via samba <samba@lists.samba.org> wrote:

> >> root@dc1:~# samba-tool domain level show
> >> Domain and forest function level for domain 'DC=.....'
> >>
> >> Forest function level: (Windows) 2003
> >> Domain function level: (Windows) 2003
> >> Lowest function level of a DC: (Windows) 2008 R2
> >>
> > That explains it ;-)
> >
> > Try raising the functional level to 2008R2
> >
> > samba-tool domain level raise --forest-level=2008_R2
> > --domain-level=2008_R2
> >
> > Rowland
> >
> Still the same:
>
> root@dc1:~# rm -f dns.keytab
> root@dc1:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=.......'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root@dc1:~# samba-tool domain exportkeytab dns.keytab
> --principal=dns-dc1 Export one principal to dns.keytab
> root@dc1:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-dc1@XXX (arcfour-hmac)
>    1 dns-dc1@XXX (des-cbc-md5)
>    1 dns-dc1@XXX (des-cbc-crc)
>
>
> I should mention that the AD is the result of a classicupgrade...
> Thanks,

That shouldn't make any difference, the 2003 level only used the three
enctypes you have now, this is on one of my DC's:

root@dc4:~# samba-tool domain level show
Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@dc4:~# klist -ke /root/dns.keytab
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)

Have you restarted the Samba DC ?

Rowland
On Mon, 2019-04-29 at 18:56 +0100, Rowland Penny via samba wrote:
>
> That shouldn't make any difference, the 2003 level only used the
> three enctypes you have now, this is on one of my DC's:
>
> root@dc4:~# samba-tool domain level show
> Domain and forest function level for domain
> 'DC=samdom,DC=example,DC=com'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root@dc4:~# klist -ke /root/dns.keytab
> Keytab name: FILE:/root/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>
> Have you restarted the Samba DC ?

The password needs to be changed to get a new encryption type in the DB, and so therefore the keytab.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
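The condition this thread ends on (an account whose msDS-SupportedEncryptionTypes advertises AES, 31 = 0x1f, while the exported keytab still carries only RC4 and DES keys because the password predates AES support) is easy to audit for. The script below is an added example, not code from the thread or from the Samba project: it parses `klist -ke` output, decodes the attribute's bit flags, and reports principals that advertise a strong enctype but have no key of that type. The two sample listings are constructed to mirror the dc1 and dc4 outputs above (realm placeholder kept, '@' restored from the list archive's munging); the flag-to-enctype mapping is the one documented for msDS-SupportedEncryptionTypes. The attribute values are passed in as a plain dict here; in practice you would read them with `ldbsearch` or `samba-tool`.

```python
import re
from typing import Dict, List, Set, Tuple

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes, mapped to the
# enctype names that `klist -ke` prints for the same key types.
ENCTYPE_FLAGS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Single DES and RC4 are the legacy types; only the AES types count as strong.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One key line of `klist -ke`, e.g. "   1 dns-dc1@XXX (arcfour-hmac)".
# Header and separator lines do not match and are skipped by the parser.
KLIST_KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def decode_supported_enctypes(value: int) -> Set[str]:
    """Turn the integer attribute value (e.g. 31) into a set of enctype names."""
    return {name for bit, name in ENCTYPE_FLAGS.items() if value & bit}


def parse_klist(output: str) -> Dict[str, Set[str]]:
    """Map each principal in `klist -ke` output to the enctypes present for it."""
    keys: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = KLIST_KEY_LINE.match(line)
        if m:
            _kvno, principal, enctype = m.groups()
            keys.setdefault(principal, set()).add(enctype)
    return keys


def audit_keytab(klist_output: str, supported: Dict[str, int]) -> List[Tuple[str, List[str]]]:
    """Return (principal, missing strong enctypes) for every principal whose
    account advertises an AES type in msDS-SupportedEncryptionTypes but whose
    keytab holds no key of that type. `supported` maps the account name (the
    part of the principal before '@') to the attribute's integer value."""
    findings = []
    for principal, present in sorted(parse_klist(klist_output).items()):
        account = principal.split("@", 1)[0]
        if account not in supported:
            continue
        advertised = decode_supported_enctypes(supported[account])
        missing_strong = sorted((advertised - present) - WEAK_ENCTYPES)
        if missing_strong:
            findings.append((principal, missing_strong))
    return findings


# Constructed sample listings modelled on the two keytabs shown in the thread.
KEYTAB_ONLY_LEGACY = """\
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)
"""

KEYTAB_WITH_AES = """\
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
"""

if __name__ == "__main__":
    # Both accounts advertise all five types (31 = 0x1f), as in the thread;
    # only the dc1 keytab is reported.
    for label, listing, account in (("dc1", KEYTAB_ONLY_LEGACY, "dns-dc1"),
                                    ("dc4", KEYTAB_WITH_AES, "dns-dc4")):
        for principal, missing in audit_keytab(listing, {account: 31}):
            print(f"{label}: {principal} advertises {missing} but has no such key; "
                  "reset the account password and re-export the keytab")
```

The check deliberately compares against the attribute rather than a fixed policy: a keytab with only legacy keys is expected when the account does not advertise AES, and the actionable case is the mismatch, which the thread's last reply explains is cleared by a password change followed by a fresh `samba-tool domain exportkeytab`.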