On Fri, 5 Apr 2024 19:58:33 +0200
Pavel Lisý <pavel.lisy at gmail.com> wrote:

> So,
>
> I've made some progress.
>
> I've made the configuration according to this article
> https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> they use the sample Kerberos config file from package samba-dc-provision:
>
> sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
>
>
> [libdefaults]
> default_realm = ${REALM}
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> ${REALM} = {
> default_domain = ${DNSDOMAIN}
> }
>
> [domain_realm]
> ${HOSTNAME} = ${REALM}

Well yes, that is the same as the one I suggested

> > customized file /etc/krb5.conf.d/samba-dc is included in
> > /etc/krb5.conf by this line
> >
> > includedir /etc/krb5.conf.d/

Known problem (that is supposed to be fixed)

https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File

Just remove the 'includedir' line.

> but it includes another file too, from package
> crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
>
> $ ls -l /etc/krb5.conf.d
> lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies ->
> /etc/crypto-policies/back-ends/krb5.config
>
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha384-192
> aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
>
> When I remove this file, the command returns correct results

Oh you did, please do not put it back.

> I suppose permitted_enctypes are not compatible with this samba
> version, I'm not sure which one is missing. Any suggestions?
>

No, Samba doesn't understand the 'includedir' line.

Rowland
pavel.lisy at gmail.com
2024-Apr-05 19:17 UTC
[Samba] Strange problem with samba-tool dns query ...
On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> On Fri, 5 Apr 2024 19:58:33 +0200
> Pavel Lisý <pavel.lisy at gmail.com> wrote:
>
> > So,
> >
> > I've made some progress.
> >
> > I've made the configuration according to this article
> > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > they use the sample Kerberos config file from package samba-dc-
> > provision:
> >
> > sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> >
> >
> > [libdefaults]
> > default_realm = ${REALM}
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > ${REALM} = {
> > default_domain = ${DNSDOMAIN}
> > }
> >
> > [domain_realm]
> > ${HOSTNAME} = ${REALM}
>
> Well yes, that is the same as the one I suggested
>
> > > customized file /etc/krb5.conf.d/samba-dc is included in
> > > /etc/krb5.conf by this line
> > >
> > > includedir /etc/krb5.conf.d/
>
> Known problem (that is supposed to be fixed)
>
> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
>
> Just remove the 'includedir' line.
> >

I'm not sure my samba version is including files from that directory without problems.

When I removed the first two permitted_enctypes:

aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

to be:

permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

the command works.

No matter if this is included in file /etc/krb5.conf.d/crypto-policies or in the main file /etc/krb5.conf.

So my conclusion is: these two enctypes are incompatible with samba-4.19.5 on Fedora 39:

aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

It is in file /usr/share/crypto-policies/DEFAULT/krb5.txt from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch

Pavel

> > but it includes another file too, from package
> > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
> >
> > $ ls -l /etc/krb5.conf.d
> > lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies ->
> > /etc/crypto-policies/back-ends/krb5.config
> >
> > [libdefaults]
> > permitted_enctypes = aes256-cts-hmac-sha384-192
> > aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> > aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
> >
> > When I remove this file, the command returns correct results
>
> Oh you did, please do not put it back.
>
> > I suppose permitted_enctypes are not compatible with this samba
> > version, I'm not sure which one is missing. Any suggestions?
> >
>
> No, Samba doesn't understand the 'includedir' line.

See above

> Rowland
>
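As an added example (not code from this thread, from Samba, or from Fedora's crypto-policies), the following Python audit expands `includedir` the way MIT krb5 does (it pulls in files whose names consist only of alphanumerics, dashes and underscores, or end in `.conf`), merges the sections of every file it reaches, and then reports where an `includedir` line sits and which of the effective `permitted_enctypes` are the two aes-sha2 types Pavel found incompatible with samba-4.19.5 on Fedora 39. The files live in a constructed in-memory dict modelled on the ones quoted in the thread; the realm `EXAMPLE.COM` and the extra `samba-dc.rpmsave` file are made up to show a file that `includedir` skips. To run it against a real host, read the real files into the same dict shape.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the files in the thread (nothing is read from disk).
FAKE_FS: Dict[str, str] = {
    "/etc/krb5.conf": (
        "includedir /etc/krb5.conf.d/\n"
        "\n"
        "[libdefaults]\n"
        "    dns_lookup_realm = false\n"
    ),
    "/etc/krb5.conf.d/samba-dc": (
        "[libdefaults]\n"
        "default_realm = EXAMPLE.COM\n"        # constructed realm
        "dns_lookup_realm = false\n"
        "dns_lookup_kdc = true\n"
        "\n"
        "[realms]\n"
        "EXAMPLE.COM = {\n"
        "default_domain = example.com\n"
        "}\n"
    ),
    "/etc/krb5.conf.d/crypto-policies": (
        "[libdefaults]\n"
        "permitted_enctypes = aes256-cts-hmac-sha384-192 "
        "aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 "
        "aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac\n"
    ),
    # Constructed: a dotted name not ending in ".conf" is skipped by includedir,
    # so its (deliberately bad) enctype must never reach the report.
    "/etc/krb5.conf.d/samba-dc.rpmsave": "[libdefaults]\npermitted_enctypes = des-cbc-crc\n",
}

# The two enctypes the thread identifies as breaking samba-tool on Samba 4.19.5.
SUSPECT_ENCTYPES = frozenset({"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"})

# MIT krb5 includedir rule: plain alphanumeric/dash/underscore names, or *.conf.
_PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

Settings = Dict[str, Dict[str, List[Tuple[str, str]]]]   # section -> key -> [(value, source)]


def includedir_members(dirname: str, fs: Dict[str, str]) -> List[str]:
    """Files directly under dirname that krb5's includedir would load, in sorted order."""
    prefix = dirname.rstrip("/") + "/"
    members = []
    for path in sorted(fs):
        name = path[len(prefix):] if path.startswith(prefix) else ""
        if name and "/" not in name and (_PLAIN_NAME.match(name) or name.endswith(".conf")):
            members.append(path)
    return members


def load_profile(path: str, fs: Dict[str, str], seen=None, settings=None, directives=None):
    """Parse one krb5.conf-style file, recursing into include/includedir and merging sections.

    Only top-level "key = value" relations are collected; braced subsections are skipped.
    Returns (settings, directives) where directives is [(source_file, directive, target)].
    """
    seen = set() if seen is None else seen
    settings: Settings = {} if settings is None else settings
    directives = [] if directives is None else directives
    if path in seen or path not in fs:          # loop guard / missing file
        return settings, directives
    seen.add(path)
    section, depth = None, 0
    for raw in fs[path].splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith(("includedir ", "include ")):
            directive, target = line.split(None, 1)
            directives.append((path, directive, target))
            targets = includedir_members(target, fs) if directive == "includedir" else [target]
            for t in targets:
                load_profile(t, fs, seen, settings, directives)
        elif depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section is not None and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings.setdefault(section, {}).setdefault(key, []).append((value, path))
    return settings, directives


def audit(path: str = "/etc/krb5.conf", fs: Dict[str, str] = FAKE_FS) -> dict:
    """Report includedir lines and any suspect enctypes in the effective configuration."""
    settings, directives = load_profile(path, fs)
    enctypes = [(e, src)
                for value, src in settings.get("libdefaults", {}).get("permitted_enctypes", [])
                for e in value.split()]
    return {
        "includedir": [(src, tgt) for src, d, tgt in directives if d == "includedir"],
        "permitted_enctypes": [e for e, _ in enctypes],
        "suspect": sorted({e for e, _ in enctypes if e in SUSPECT_ENCTYPES}),
        "suspect_sources": sorted({src for e, src in enctypes if e in SUSPECT_ENCTYPES}),
    }


if __name__ == "__main__":
    result = audit()
    for src, tgt in result["includedir"]:
        print(f"{src}: has 'includedir {tgt}' (the thread advises removing it)")
    for enctype in result["suspect"]:
        print(f"suspect enctype {enctype} set in {', '.join(result['suspect_sources'])}")
```

The report separates the two distinct findings in the thread: the `includedir` line itself, which Rowland says Samba does not understand, and the aes-sha2 enctypes in the crypto-policies back-end file, which Pavel found break the command regardless of which file carries them.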