So,
I've made some progress.
I've made the configuration according to this article
https://fedoramagazine.org/samba-as-ad-and-domain-controller/
They use the sample Kerberos config file from the package samba-dc-provision:
sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
[libdefaults]
default_realm = ${REALM}
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
${REALM} = {
default_domain = ${DNSDOMAIN}
}
[domain_realm]
${HOSTNAME} = ${REALM}
The customized file /etc/krb5.conf.d/samba-dc is included in
/etc/krb5.conf by this line:
includedir /etc/krb5.conf.d/
but it includes another file too, from the package
crypto-policies-20231204-1.git1e3a2e4.fc39.noarch:
$ ls -l /etc/krb5.conf.d
lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies ->
/etc/crypto-policies/back-ends/krb5.config
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
camellia128-cts-cmac
When I remove this file, the command returns correct results.
I suppose the permitted_enctypes are not compatible with this Samba version,
but I'm not sure which one is missing. Any suggestions?
Pavel
On Fri 5 Apr 2024 at 17:29, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 05 Apr 2024 17:18:12 +0200
> pavel.lisy at gmail.com wrote:
>
> >
> > Now I've found some differences in /etc/krb5.conf
> > and it seems to be the possible root cause.
> >
> > I will write summary after further testing.
> >
>
> Ah, yes, I should have remembered that you are running 'experimental'
> DCs on Fedora and they do strange things to the krb5.conf. All you need
> is this:
>
> [libdefaults]
> default_realm = DNS.DOMAIN.IN.CAPITALS
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> DNS.DOMAIN.IN.CAPITALS = {
> default_domain = dns.domain.in.lowercase
> }
>
> [domain_realm]
> SHORT_HOSTNAME_IN_CAPITALS = DNS.DOMAIN.IN.CAPITALS
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On Fri, 5 Apr 2024 19:58:33 +0200 Pavel Lisý <pavel.lisy at gmail.com> wrote:

> So,
>
> I've made some progress.
>
> I've made the configuration according to this article
> https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> They use the sample Kerberos config file from the package samba-dc-provision:
>
> sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
>
> [libdefaults]
> default_realm = ${REALM}
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> ${REALM} = {
> default_domain = ${DNSDOMAIN}
> }
>
> [domain_realm]
> ${HOSTNAME} = ${REALM}

Well yes, that is the same as the one I suggested

> The customized file /etc/krb5.conf.d/samba-dc is included in
> /etc/krb5.conf by this line:
> includedir /etc/krb5.conf.d/

Known problem (that is supposed to be fixed)
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File

Just remove the 'includedir' line.

> but it includes another file too, from the package
> crypto-policies-20231204-1.git1e3a2e4.fc39.noarch:
>
> $ ls -l /etc/krb5.conf.d
> lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies ->
> /etc/crypto-policies/back-ends/krb5.config
>
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192
> aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
>
> When I remove this file, the command returns correct results.

Oh you did, please do not put it back.

> I suppose the permitted_enctypes are not compatible with this Samba
> version, but I'm not sure which one is missing. Any suggestions?
>

No, Samba doesn't understand the 'includedir' line.

Rowland
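As an added example (my own code, not from this thread, Fedora or the Samba project): a small Python script that resolves a krb5.conf the way MIT Kerberos reads it, following `include` and `includedir`, and reports which drop-in file supplies each [libdefaults] setting. Run against the layout discussed above it shows that permitted_enctypes comes from the crypto-policies symlink and not from samba-dc, and it lists every includedir directive, which is the line Rowland says Samba does not understand. The directory tree, realm EXAMPLE.TEST, domain example.test and host DC1 are constructed placeholders built in a temp directory; the filename filter for includedir entries is my simplification of MIT krb5's rule, not libkrb5's own code.

```python
# Added example (not from the thread): resolve a krb5.conf the way MIT
# Kerberos does, following include / includedir, and report which file
# supplies each [libdefaults] setting.
import os
import re
import tempfile

# MIT krb5 only loads includedir entries whose names are alphanumeric, '-' or
# '_' (newer releases also accept a '.conf' suffix). Assumption: this filter
# is close enough for an audit; it is not libkrb5's own code.
_INCLUDEDIR_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


def parse_krb5_conf(path, merged=None, seen=None):
    """Fill merged[section][key] with [(value, source_file), ...]; keys inside
    "name = { ... }" blocks become "name/key". include and includedir are
    followed recursively and logged under the pseudo-section "__includes__"."""
    merged = {} if merged is None else merged
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # guard against include loops
        return merged
    seen.add(real)
    section, block = None, []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith(("include ", "includedir ")):
                kind, target = line.split(None, 1)
                merged.setdefault("__includes__", []).append((kind, target, path))
                if kind == "include":
                    parse_krb5_conf(target, merged, seen)
                elif os.path.isdir(target):
                    for name in sorted(os.listdir(target)):
                        if _INCLUDEDIR_NAME.match(name):
                            parse_krb5_conf(os.path.join(target, name), merged, seen)
            elif line.startswith("[") and line.endswith("]"):
                section, block = line[1:-1], []
            elif line == "}" and block:
                block.pop()
            elif "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                if value == "{":
                    block.append(key)
                else:
                    full = "/".join(block + [key])
                    merged.setdefault(section, {}).setdefault(full, []).append((value, path))
    return merged


def audit_libdefaults(merged):
    """List every include directive and the file(s) that set each [libdefaults]
    key; a key set by more than one file is flagged CONFLICT."""
    findings = [f"{k} {t} (from {s})" for k, t, s in merged.get("__includes__", [])]
    for key, values in sorted(merged.get("libdefaults", {}).items()):
        files = sorted({src for _, src in values})
        flag = " CONFLICT" if len(files) > 1 else ""
        findings.append(f"libdefaults/{key} set in {', '.join(files)}{flag}")
    return findings


def build_sample_tree(root):
    """Write a constructed copy of the thread's layout under root and return
    the top-level krb5.conf path; realm, domain and host are placeholders."""
    confd = os.path.join(root, "krb5.conf.d")
    backend = os.path.join(root, "back-ends")  # stands in for /etc/crypto-policies/back-ends
    os.makedirs(confd)
    os.makedirs(backend)
    files = {
        os.path.join(root, "krb5.conf"): f"includedir {confd}\n",
        os.path.join(confd, "samba-dc"):
            "[libdefaults]\n default_realm = EXAMPLE.TEST\n dns_lookup_realm = false\n"
            " dns_lookup_kdc = true\n\n[realms]\n EXAMPLE.TEST = {\n"
            "  default_domain = example.test\n }\n\n[domain_realm]\n DC1 = EXAMPLE.TEST\n",
        os.path.join(backend, "krb5.config"):
            "[libdefaults]\n permitted_enctypes = aes256-cts-hmac-sha384-192 "
            "aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 "
            "aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac\n",
    }
    for name, text in files.items():
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(text)
    # The distro drop-in is a symlink into the crypto-policies back end, as
    # `ls -l /etc/krb5.conf.d` showed in the thread.
    os.symlink(os.path.join(backend, "krb5.config"), os.path.join(confd, "crypto-policies"))
    return os.path.join(root, "krb5.conf")


def run_demo():
    """Build the constructed tree in a temp dir; return (merged, findings)."""
    merged = parse_krb5_conf(build_sample_tree(tempfile.mkdtemp()))
    return merged, audit_libdefaults(merged)


if __name__ == "__main__":
    for finding in run_demo()[1]:
        print(finding)
```

On a real host, `parse_krb5_conf("/etc/krb5.conf")` followed by `audit_libdefaults(...)` gives the same report for the live configuration; the first line of the output is the includedir directive to remove, and the permitted_enctypes line names the crypto-policies file as its source, so you know which drop-in the DC is picking up without touching anything.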