search for: git1e3a2e4

...wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File Just remove the 'includedir' line. > > but it includes other file too from package > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch > > $ ls -l /etc/krb5.conf.d > lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> > /etc/crypto-policies/back-ends/krb5.config > > [libdefaults] > permitted_enctypes = aes256-cts-hmac-sha384-192 > aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96...

...conf.d/crypto-policies or in main file /etc/krb5.conf So my conclusion is: these two enctypes are incompatible with samba-4.19.5 on Fedora 39 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 It is in file: /usr/share/crypto-policies/DEFAULT/krb5.txt from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch Pavel > > but it includes other file too from package > > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch > > > > $ ls -l /etc/krb5.conf.d > > lrwxrwxrwx. 1 root root? 42 17. led 01.00 crypto-policies -> > > /etc/crypto-policies/back-ends/krb...

...ookup_kdc = true [realms] ${REALM} = { default_domain = ${DNSDOMAIN} } [domain_realm] ${HOSTNAME} = ${REALM} customized file /etc/krb5.conf.d/samba-dc is included in /etc/krb5.conf by this line includedir /etc/krb5.conf.d/ but it includes other file too from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch $ ls -l /etc/krb5.conf.d lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config [libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-...

...onf > > > So my conclusion is: > these two enctypes are incompatible with samba-4.19.5 on Fedora 39 > > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 > > > It is in file: /usr/share/crypto-policies/DEFAULT/krb5.txt > from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch > OK, I do not use Samba on Fedora, their DC packages use MIT kerberos and as such are classed as experimental. The krb5.conf I posted was for Heimdal and just works. I thought about it and remembered something, so checked the wiki, have a look at this: https://wiki.samba.org/inde...

On Fri, 05 Apr 2024 17:18:12 +0200 pavel.lisy at gmail.com wrote: > > Now I've found some differences in /etc/krb5.conf > and it seams to be possible root cause. > > I will write summary after further testing. > Ah, yes, I should have remembered that you are running 'experimental' DCs on Fedora and they do strange things to the krb5.conf. All you need is this: