So, I've made some progress.

I've made the configuration according to this article
https://fedoramagazine.org/samba-as-ad-and-domain-controller/
They use the sample Kerberos config file from the package samba-dc-provision:

sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc

[libdefaults]
default_realm = ${REALM}
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
${REALM} = {
default_domain = ${DNSDOMAIN}
}

[domain_realm]
${HOSTNAME} = ${REALM}

The customized file /etc/krb5.conf.d/samba-dc is included in /etc/krb5.conf by this line

includedir /etc/krb5.conf.d/

but it includes another file too, from the package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch

$ ls -l /etc/krb5.conf.d
lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

When I remove this file, the command returns correct results.

I suppose permitted_enctypes are not compatible with this Samba version; I'm not sure which one is missing.

Any suggestions?

Pavel

On Fri 5 Apr 2024 at 17:29 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 05 Apr 2024 17:18:12 +0200
> pavel.lisy at gmail.com wrote:
>
> > Now I've found some differences in /etc/krb5.conf
> > and it seems to be a possible root cause.
> >
> > I will write a summary after further testing.
>
> Ah, yes, I should have remembered that you are running 'experimental'
> DCs on Fedora and they do strange things to the krb5.conf.
> All you need is this:
>
> [libdefaults]
> default_realm = DNS.DOMAIN.IN.CAPITALS
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> DNS.DOMAIN.IN.CAPITALS = {
> default_domain = dns.domain.in.lowercase
> }
>
> [domain_realm]
> SHORT_HOSTNAME_IN_CAPITALS = DNS.DOMAIN.IN.CAPITALS
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Fri, 5 Apr 2024 19:58:33 +0200
Pavel Lisý <pavel.lisy at gmail.com> wrote:

> So,
>
> I've made some progress.
>
> I've made the configuration according to this article
> https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> They use the sample Kerberos config file from the package samba-dc-provision:
>
> sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
>
> [libdefaults]
> default_realm = ${REALM}
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> ${REALM} = {
> default_domain = ${DNSDOMAIN}
> }
>
> [domain_realm]
> ${HOSTNAME} = ${REALM}

Well yes, that is the same as the one I suggested.

> The customized file /etc/krb5.conf.d/samba-dc is included in
> /etc/krb5.conf by this line
>
> includedir /etc/krb5.conf.d/

Known problem (that is supposed to be fixed):
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File

Just remove the 'includedir' line.

> but it includes another file too, from the package
> crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
>
> $ ls -l /etc/krb5.conf.d
> lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config
>
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192
> aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
>
> When I remove this file, the command returns correct results.

Oh you did, please do not put it back.

> I suppose permitted_enctypes are not compatible with this Samba
> version; I'm not sure which one is missing. Any suggestions?

No, Samba doesn't understand the 'includedir' line.

Rowland
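As an added illustration of the two points raised in this thread (this is example code written for this page, not code from the thread, from Fedora or from the Samba project): a small POSIX sh audit that expands a krb5.conf 'includedir' the way libkrb5 does (only files whose names consist of alphanumerics, dashes and underscores are included, and symlinks such as the crypto-policies link are followed), reports which fragment sets enctype-related keys such as permitted_enctypes, and prints the file with the includedir line removed, which is the fix Rowland gives above. The directory layout it builds under mktemp is a constructed fixture modelled on the Fedora paths quoted in the thread; the function names and the sample realm EXAMPLE.COM are assumptions for the demo.

```shell
#!/bin/sh
# Hypothetical helper (not part of Samba or of this thread): show what an
# 'includedir' directive in krb5.conf actually pulls in, and what to remove.

# Print the directory named by each 'includedir' line. libkrb5 requires the
# directive at the start of the line; a trailing comment or slash is dropped.
krb5_includedirs() {
    sed -n 's|^includedir[[:space:]][[:space:]]*\([^[:space:]#]*\).*|\1|p' "$1" |
        sed 's|/*$||'
}

# List the files libkrb5 would include from DIR: names made only of
# alphanumerics, '-' and '_' (so 'samba-dc.rpmsave' is silently skipped).
# [ -f ] follows symlinks, as for Fedora's crypto-policies -> /etc/crypto-policies/...
krb5_fragments() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *[![:alnum:]_-]*) continue ;;
        esac
        printf '%s\n' "$f"
    done
}

# Print "FILE: key = value" for the enctype-related libdefaults keys in FILE.
krb5_enctype_settings() {
    awk -v file="$1" '
        /^[ \t]*(permitted_enctypes|default_tgs_enctypes|default_tkt_enctypes|allow_weak_crypto)[ \t]*=/ {
            sub(/^[ \t]+/, "")
            print file ": " $0
        }' "$1"
}

# Walk every includedir of CONF, show the fragments it pulls in and their
# enctype settings. Returns 1 when an includedir is present (the thread's
# finding: Samba's own krb5.conf parsing does not handle it), else 0.
krb5_audit() {
    conf=$1
    found=0
    for dir in $(krb5_includedirs "$conf"); do     # paths assumed space-free
        found=1
        printf 'includedir %s\n' "$dir"
        for frag in $(krb5_fragments "$dir"); do
            printf '  includes %s\n' "$frag"
            krb5_enctype_settings "$frag" | sed 's/^/    /'
        done
    done
    return $found
}

# The fix recommended in the thread: CONF without its includedir lines.
krb5_strip_includedir() {
    sed '/^includedir[[:space:]]/d' "$1"
}

# Constructed fixture modelled on the Fedora layout in the thread (sample
# values, not a real host): krb5.conf with an includedir, a samba-dc
# fragment, a crypto-policies symlink and a backup file libkrb5 ignores.
krb5_make_fixture() {
    root=$1
    mkdir -p "$root/krb5.conf.d" "$root/crypto-policies"
    printf 'includedir %s/krb5.conf.d/\n\n[libdefaults]\n default_realm = EXAMPLE.COM\n' \
        "$root" > "$root/krb5.conf"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n dns_lookup_kdc = true\n' \
        > "$root/krb5.conf.d/samba-dc"
    printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n' \
        > "$root/crypto-policies/krb5.config"
    ln -sf "$root/crypto-policies/krb5.config" "$root/krb5.conf.d/crypto-policies"
    : > "$root/krb5.conf.d/samba-dc.rpmsave"
}

# Stand-alone demo: build the fixture, audit it, show the stripped config.
krb5_demo() {
    tmp=$(mktemp -d)
    krb5_make_fixture "$tmp"
    krb5_audit "$tmp/krb5.conf" ||
        echo "includedir present: remove it for Samba (see thread); fixed file follows"
    krb5_strip_includedir "$tmp/krb5.conf"
    rm -rf "$tmp"
}

krb5_demo
```

Run `krb5_audit /etc/krb5.conf` on a box like the reporter's and it lists the crypto-policies symlink together with its permitted_enctypes line, which makes the distro-supplied setting visible next to the samba-dc fragment instead of hidden behind a symlink. Since that symlink belongs to the crypto-policies package named in the thread, a reinstall or upgrade of the package can put it back, so the audit is worth re-running after updates; the same goes for the includedir line itself if /etc/krb5.conf is regenerated.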