So,
I've made some progress.
I've made the configuration according to this article:
https://fedoramagazine.org/samba-as-ad-and-domain-controller/
They use the sample Kerberos config file from the package samba-dc-provision:
sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc

[libdefaults]
default_realm = ${REALM}
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
${REALM} = {
default_domain = ${DNSDOMAIN}
}

[domain_realm]
${HOSTNAME} = ${REALM}

The customized file /etc/krb5.conf.d/samba-dc is included in
/etc/krb5.conf by this line:
includedir /etc/krb5.conf.d/
but it includes another file too, from the package
crypto-policies-20231204-1.git1e3a2e4.fc39.noarch

$ ls -l /etc/krb5.conf.d
lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

When I remove this file, the command returns correct results.
I suppose the permitted_enctypes are not compatible with this Samba version;
I'm not sure which one is missing. Any suggestions?
Pavel

On Fri, 5 Apr 2024 at 17:29, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 05 Apr 2024 17:18:12 +0200
> pavel.lisy at gmail.com wrote:
>
> >
> > Now I've found some differences in /etc/krb5.conf
> > and it seems to be a possible root cause.
> >
> > I will write summary after further testing.
> >
>
> Ah, yes, I should have remembered that you are running 'experimental'
> DCs on Fedora and they do strange things to the krb5.conf. All you need
> is this:
>
> [libdefaults]
> default_realm = DNS.DOMAIN.IN.CAPITALS
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> DNS.DOMAIN.IN.CAPITALS = {
> default_domain = dns.domain.in.lowercase
> }
>
> [domain_realm]
> SHORT_HOSTNAME_IN_CAPITALS = DNS.DOMAIN.IN.CAPITALS
>
> Rowland
>
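
Added example, not part of the original messages: a small Python scan that follows include/includedir the way the MIT krb5 documentation describes and reports which file sets each [libdefaults] relation, so a setting such as permitted_enctypes can be traced to the file (or symlink target) that supplies it. The temporary tree, the realm EXAMPLE.TEST and the shortened enctype value are constructed sample data.

```python
import os, re, tempfile
from pathlib import Path

# includedir reads only names made of alphanumerics, '-' and '_', or ending in ".conf"
NAME_OK = re.compile(r"^(?!\.)(?:[A-Za-z0-9_-]+|.+\.conf)$")

def relations(path, section="libdefaults", seen=None):
    """List (real_file, key, value) for `section`, following include/includedir."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)  # resolves symlinks such as crypto-policies
    if real in seen:
        return []
    seen.add(real)
    out, current = [], None
    with open(real) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            parts = line.split(None, 1)
            if parts[0] == "include" and len(parts) == 2:
                out += relations(parts[1], section, seen)
            elif parts[0] == "includedir" and len(parts) == 2:
                for name in sorted(os.listdir(parts[1])):  # scanned in sorted order
                    if NAME_OK.match(name):
                        out += relations(os.path.join(parts[1], name), section, seen)
            elif line.startswith("["):
                current = line.strip("[]* ")  # each file tracks its own section
            elif current == section and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                out.append((real, key, value))
    return out

def demo():
    """Build a constructed tree shaped like the one in the thread and scan it."""
    root = Path(tempfile.mkdtemp())
    confd = root / "krb5.conf.d"
    confd.mkdir()
    backend = root / "krb5.config"  # stands in for the crypto-policies back end
    backend.write_text("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192\n")
    (confd / "crypto-policies").symlink_to(backend)
    (confd / "samba-dc").write_text("[libdefaults]\ndefault_realm = EXAMPLE.TEST\ndns_lookup_kdc = true\n")
    (root / "krb5.conf").write_text(f"includedir {confd}\n")
    return [(os.path.basename(p), k) for p, k, _ in relations(root / "krb5.conf")]

if __name__ == "__main__":
    for name, key in demo():
        print(f"{key:20} set in {name}")
```

On a real host, call relations("/etc/krb5.conf") instead of demo() to list every file that contributes to [libdefaults].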