On 10/06/2023 17:12, Rowland Penny via samba wrote:
>
>
> On 10/06/2023 16:38, Dale Renton via samba wrote:
>> On Thu, Jun 1, 2023 at 9:35 AM Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>> Can you raise the log level and see if anything helpful pops out?
>>
>> Ok, so I raised the winbind log level to 10 in smb.conf and compared 4.16
>> to 4.17. In 4.17 I'm getting a "Could not create private krb5.conf"
>> followed by "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND". These errors are
>> not happening in 4.16. Thoughts?
>
> That's because the code for that wasn't in 4.16.x, it was added to the
> code that became 4.17.0, see here:
>
> https://git.samba.org/?p=samba.git;a=commitdiff;h=5aa6b85cd90a14d66c966e2eb1b878bdcbf937c5
>
> Rowland

Dale, just checking back on what you posted earlier and you had:

create krb5 conf = no

in your smb.conf

Is that line still there?
If so, try removing it.

If it works, can you post the contents of /etc/krb5.conf

Rowland

That might be the right direction. The standard krb5.conf on RHEL/Rocky breaks Samba. At least for us. That is why we always replace it with a custom one.

Regards
Christian

On 10 June 2023 18:48:28 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
>On 10/06/2023 17:12, Rowland Penny via samba wrote:
>>
>>
>> On 10/06/2023 16:38, Dale Renton via samba wrote:
>>> On Thu, Jun 1, 2023 at 9:35 AM Rowland Penny via samba <
>>> samba at lists.samba.org> wrote:
>>>> Can you raise the log level and see if anything helpful pops out?
>>>
>>> Ok, so I raised the winbind log level to 10 in smb.conf and compared 4.16
>>> to 4.17. In 4.17 I'm getting a "Could not create private krb5.conf"
>>> followed by "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND". These errors are not
>>> happening in 4.16. Thoughts?
>>
>> That's because the code for that wasn't in 4.16.x, it was added to the code that became 4.17.0, see here:
>>
>> https://git.samba.org/?p=samba.git;a=commitdiff;h=5aa6b85cd90a14d66c966e2eb1b878bdcbf937c5
>>
>> Rowland
>>
>>
>
>Dale, just checking back on what you posted earlier and you had:
>
>create krb5 conf = no
>
>in your smb.conf
>
>Is that line still there?
>If so, try removing it.
>
>If it works, can you post the contents of /etc/krb5.conf
>
>Rowland

On Sat, Jun 10, 2023 at 1:49 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> Dale, just checking back on what you posted earlier and you had:
>
> create krb5 conf = no
>
> in your smb.conf
>
> Is that line still there?
> If so, try removing it.
>
> If it works, can you post the contents of /etc/krb5.conf

If I remove the create krb5.conf line getent works. So I figured I would just copy the contents of /var/lib/samba/lock/smb_krb5/krb5.conf.EXAMPLEAD to /etc/krb5.conf excluding the "include /etc/krb5.conf" line. To my surprise, when I add back the "create krb5.conf = no" line to smb.conf getent stops working, even though /etc/krb5.conf is equal to /var/lib/samba/lock/smb_krb5/krb5.conf.EXAMPLEAD.

I tried what Rowland and Christian suggested for the /etc/krb5.conf file with no success. I also commented out the lines in /etc/krb5.conf.d/crypto-policies.

Here is what I currently have, the same as /var/lib/samba/lock/smb_krb5/krb5.conf.EXAMPLEAD.

[libdefaults]
    default_realm = AD.EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
    preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = 192.168.1.1
        kdc = 192.168.1.2
    }
    EXAMPLEAD = {
        kdc = 192.168.1.1
        kdc = 192.168.1.2
    }

Thanks,
Dale
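
The comparison Dale describes (system /etc/krb5.conf against winbind's private copy, minus the include line) can be done on parsed settings rather than by eye. This is an added example, not part of the thread and not Samba code: the names parse_krb5 and diff_krb5 are hypothetical, the sample text is constructed from the values in the post, and the position of the include line is an assumption.

```python
import re

def parse_krb5(text):
    """Return ({(section, realm_block, key): [values]}, [include paths])."""
    settings, includes = {}, []
    section = block = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        inc = re.match(r"(include|includedir)\s+(\S+)$", line)
        if inc:  # pulled-in files are recorded, not followed
            includes.append(inc.group(2))
        elif line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip(), ""
        elif line == "}":
            block = ""
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep:
                raise ValueError(f"unparsed line: {raw!r}")
            if value == "{":  # start of a per-realm block
                block = key
            else:  # repeated keys (several kdc lines) accumulate in order
                path = (section, block, key)
                settings.setdefault(path, []).append(" ".join(value.split()))
    return settings, includes

def diff_krb5(a_text, b_text):
    """Setting paths whose values differ; include lines are ignored."""
    a, b = parse_krb5(a_text)[0], parse_krb5(b_text)[0]
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed sample modelled on the file posted above (enctype lines omitted).
SYSTEM = """\
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    AD.EXAMPLE.COM = {
        kdc = 192.168.1.1
        kdc = 192.168.1.2
    }
"""
# Assumption: the private copy is the same text plus the include line.
GENERATED = SYSTEM + "include /etc/krb5.conf\n"

if __name__ == "__main__":
    print(diff_krb5(GENERATED, SYSTEM), parse_krb5(GENERATED)[1])
```

An empty diff together with a non-empty include list means the private copy still inherits whatever /etc/krb5.conf and the files it includes define, so the two files are not equivalent in effect even when their own lines match.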