pavel.lisy at gmail.com
2024-Apr-05 19:17 UTC
[Samba] Strange problem with samba-tool dns query ...
On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> On Fri, 5 Apr 2024 19:58:33 +0200
> Pavel Lisý <pavel.lisy at gmail.com> wrote:
>
> > So,
> >
> > I've made some progress.
> >
> > I've made the configuration according to this article
> > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > they use the sample kerberos config file from package samba-dc-
> > provision:
> >
> > sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> >
> >
> > [libdefaults]
> > default_realm = ${REALM}
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > ${REALM} = {
> > default_domain = ${DNSDOMAIN}
> > }
> >
> > [domain_realm]
> > ${HOSTNAME} = ${REALM}
>
> Well yes, that is the same as the one I suggested
>
> > The customized file /etc/krb5.conf.d/samba-dc is included in
> >
> > /etc/krb5.conf by this line
> >
> > includedir /etc/krb5.conf.d/
>
> Known problem (that is supposed to be fixed)
>
> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
>
> Just remove the 'includedir' line.
> > I'm not sure

My samba version is including files from that directory without
problems.

When I removed the first two permitted_enctypes:

aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

to be:
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
camellia256-cts-cmac camellia128-cts-cmac

the command works.

No matter whether this is included in the file
/etc/krb5.conf.d/crypto-policies or in the main file /etc/krb5.conf.


So my conclusion is:
these two enctypes are incompatible with samba-4.19.5 on Fedora 39

aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128


It is in the file /usr/share/crypto-policies/DEFAULT/krb5.txt
from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch

Pavel

> > but it includes another file too, from package
> > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
> >
> > $ ls -l /etc/krb5.conf.d
> > lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies ->
> > /etc/crypto-policies/back-ends/krb5.config
> >
> > [libdefaults]
> > permitted_enctypes = aes256-cts-hmac-sha384-192
> > aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96
> > aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
> >
> > When I remove this file, the command returns correct results
>
> Oh you did, please do not put it back.
>
> >
> > I suppose permitted_enctypes are not compatible with this samba
> > version, I'm not sure which one is missing. Any suggestions?
> >
>
> No, Samba doesn't understand the 'includedir' line.

See above

> Rowland
>
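As an added example (not code from this thread, from Pavel, or from the Samba project): a small Python checker that walks a krb5.conf, follows its `include` and `includedir` lines the way MIT libkrb5 loads them (only directory entries named with letters, digits, dashes, underscores or a `.conf` suffix are read), and reports which file contributes `permitted_enctypes`, flagging the two enctypes Pavel found to break `samba-tool dns query` on Fedora 39 with samba-4.19.5. The sample config tree it builds is constructed for the demo; the paths under a temporary directory and the `EXAMPLE.TEST` realm are placeholders, not values from the thread.

```python
"""Locate and flag permitted_enctypes across a krb5.conf and its includes.

Added example; mirrors the Fedora layout from the thread (krb5.conf with
an includedir, a samba-dc snippet and a crypto-policies snippet) using a
constructed temporary tree.
"""
import os
import re
import tempfile

# Enctypes the thread reports as incompatible with samba-4.19.5 on Fedora 39.
SUSPECT_ENCTYPES = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}

# MIT libkrb5 only loads includedir entries whose names are alphanumeric plus
# '-' / '_', optionally ending in ".conf" (editor backups like "foo~" are
# skipped). Assumption: the installed libkrb5 follows that documented rule.
_INCLUDE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


def iter_config_files(path, seen=None):
    """Yield (realpath, lines) for `path` and everything it includes, depth first."""
    seen = seen if seen is not None else set()
    real = os.path.realpath(path)
    if real in seen or not os.path.isfile(real):
        return
    seen.add(real)
    with open(real, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    yield real, lines
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0] == "include":
            yield from iter_config_files(parts[1].strip(), seen)
        elif parts[0] == "includedir":
            directory = parts[1].strip()
            if os.path.isdir(directory):
                for name in sorted(os.listdir(directory)):
                    if _INCLUDE_NAME.match(name):
                        yield from iter_config_files(os.path.join(directory, name), seen)


def find_permitted_enctypes(path):
    """Return [(file, [enctype, ...])] for every [libdefaults] permitted_enctypes
    reachable from `path`. Single-line values only (as crypto-policies writes them)."""
    found = []
    for fname, lines in iter_config_files(path):
        section = None
        for line in lines:
            s = line.strip()
            if not s or s[0] in "#;":
                continue
            if s.startswith("[") and s.endswith("]"):
                section = s[1:-1].lower()
                continue
            if section == "libdefaults" and "=" in s:
                key, value = (x.strip() for x in s.split("=", 1))
                if key == "permitted_enctypes":
                    found.append((fname, value.split()))
    return found


def suspect_settings(path):
    """[(file, sorted suspect enctypes)] for files that permit a suspect enctype."""
    return [(f, sorted(set(e) & SUSPECT_ENCTYPES))
            for f, e in find_permitted_enctypes(path) if set(e) & SUSPECT_ENCTYPES]


def build_sample_tree():
    """Constructed sample tree (not a real system); returns the main krb5.conf path."""
    root = tempfile.mkdtemp(prefix="krb5demo-")
    confdir = os.path.join(root, "krb5.conf.d")
    os.mkdir(confdir)
    main_conf = os.path.join(root, "krb5.conf")
    with open(main_conf, "w", encoding="utf-8") as fh:
        fh.write("includedir %s\n\n[libdefaults]\n  dns_lookup_kdc = true\n" % confdir)
    with open(os.path.join(confdir, "samba-dc"), "w", encoding="utf-8") as fh:
        fh.write("[libdefaults]\n  default_realm = EXAMPLE.TEST\n")  # placeholder realm
    with open(os.path.join(confdir, "crypto-policies"), "w", encoding="utf-8") as fh:
        fh.write("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 "
                 "aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 "
                 "aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac\n")
    # A backup-style name that libkrb5 ignores, so the checker must ignore it too.
    with open(os.path.join(confdir, "crypto-policies~"), "w", encoding="utf-8") as fh:
        fh.write("[libdefaults]\npermitted_enctypes = des-cbc-crc\n")
    return main_conf


if __name__ == "__main__":
    import sys
    conf = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for fname, enctypes in find_permitted_enctypes(conf):
        flagged = sorted(set(enctypes) & SUSPECT_ENCTYPES)
        suffix = "  <-- suspect: " + " ".join(flagged) if flagged else ""
        print("%s: %s%s" % (fname, " ".join(enctypes), suffix))
```

Run it with no argument to see the constructed tree, or as `python3 checker.py /etc/krb5.conf` on a Fedora host to see that the setting arrives through the `/etc/krb5.conf.d/crypto-policies` symlink rather than from the Samba snippet, which tells you whether a change belongs in the crypto policy (`update-crypto-policies`) or in the Samba file.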
On Fri, 05 Apr 2024 21:17:45 +0200
pavel.lisy at gmail.com wrote:

> On Fri, 2024-04-05 at 19:13 +0100, Rowland Penny via samba wrote:
> > On Fri, 5 Apr 2024 19:58:33 +0200
> > Pavel Lisý <pavel.lisy at gmail.com> wrote:
> >
> > > So,
> > >
> > > I've made some progress.
> > >
> > > I've made the configuration according to this article
> > > https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> > > they use the sample kerberos config file from package samba-dc-
> > > provision:
> > >
> > > sudo cp /usr/share/samba/setup/krb5.conf /etc/krb5.conf.d/samba-dc
> > >
> > >
> > > [libdefaults]
> > > default_realm = ${REALM}
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > >
> > > [realms]
> > > ${REALM} = {
> > > default_domain = ${DNSDOMAIN}
> > > }
> > >
> > > [domain_realm]
> > > ${HOSTNAME} = ${REALM}
> >
> > Well yes, that is the same as the one I suggested
> >
> > > The customized file /etc/krb5.conf.d/samba-dc is included in
> > >
> > > /etc/krb5.conf by this line
> > >
> > > includedir /etc/krb5.conf.d/
> >
> > Known problem (that is supposed to be fixed)
> >
> > https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File
> >
> > Just remove the 'includedir' line.
> > > I'm not sure
>
> My samba version is including files from that directory without
> problems.
>
> When I removed the first two permitted_enctypes:
>
> aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>
> to be:
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> camellia256-cts-cmac camellia128-cts-cmac
>
> the command works.
>
> No matter whether this is included in the file
> /etc/krb5.conf.d/crypto-policies or in the main file /etc/krb5.conf.
>
>
> So my conclusion is:
> these two enctypes are incompatible with samba-4.19.5 on Fedora 39
>
> aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>
>
> It is in the file /usr/share/crypto-policies/DEFAULT/krb5.txt
> from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch
>

OK, I do not use Samba on Fedora, their DC packages use MIT kerberos
and as such are classed as experimental. The krb5.conf I posted was for
Heimdal and just works.

I thought about it and remembered something, so checked the wiki, have
a look at this:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

NOTE, the wiki is written from the point of view of a self-compiled
Samba, so the paths will not quite match yours.

Rowland