Hello all,
Long-time Arch user but first-time poster... hope you don't hold it against me....
Boy, this one has me stumped. I'm trying to join an up-to-date Arch system to a Windows Server 2012 R2 AD domain using the command below. I have followed the instructions in Active Directory Integration as well as Setting Up Samba As A Domain Member precisely and everything was peachy up until the step to join the domain. I am able to get a TGT just fine (using kinit administrator@DOMAIN.COM; confirmed with klist) with the same credentials I am using to (attempt to) join the domain. When I run the following:
net ads join -U administrator
I get this every time:
secrets_domain_info_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for DOMAIN - NT_STATUS_UNSUCCESSFUL
libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
Failed to join domain: This machine is not currently joined to a domain.
Seems to be an issue with DES, which makes sense since it's been deprecated for years now. However, AD is not configured to use DES encryption and MIT Kerberos recently removed support for single DES completely. I even added the following lines to krb5.conf:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
... and this one to smb.conf:
kerberos encryption types = strong
...to no avail. In addition, a packet capture of the domain join process shows absolutely no mention of DES anywhere, and it even seems like the process completes successfully (to my non-Kerberos-trained eyes). But I still get the errors above.
In AD, the Default Domain Policy, Default Domain Controller Policy, and the administrator account I'm using to join the Arch instance to the domain all have the msDS-SupportedEncryptionTypes attribute set to integer 28, which specifies support for:
RC4_HMAC_MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96
Oddly, the computer account does appear in AD even though I get the errors above. However, further commands such as "wbinfo -u" error out, indicating that the machine may not be joined to a domain. Along that line, I tried creating the computer account myself in AD prior to attempting to join, with the msDS-SupportedEncryptionTypes attribute already set, but no go.
Needless to say, I'm at a loss. Anyone have any insight? I will post my krb5.conf and smb.conf below. Thanks!!
krb5.conf:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
allow_weak_crypto = false
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
smb.conf:
[Global]
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 20001 - 30000
vfs objects = acl_xattr
store dos attributes = Yes
winbind use default domain = Yes
winbind refresh tickets = yes
kerberos encryption types = strong
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
dns proxy = no
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
Last edited by TertiaryAdjunct (2020-04-20 01:39:22)
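A script for the configuration-side check the poster did by hand: decode the msDS-SupportedEncryptionTypes bitmask, then confirm that the krb5.conf enctype lists request no single-DES type and overlap with what the account allows. This is an added example, not code from the thread; the flag values follow MS-KILE, and the sample [libdefaults] is the one posted above. A clean result here, as in this case, points away from krb5.conf and toward the library-level failure described in the reply below.

```python
import re

# msDS-SupportedEncryptionTypes bit flags (MS-KILE) -> krb5 enctype names.
MSDS_ENCTYPE_FLAGS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Single-DES types MIT krb5 1.18 dropped (des-cbc-md5 is the one in the error).
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

def decode_msds_enctypes(value):
    """Enctype names enabled by an msDS-SupportedEncryptionTypes integer (28 -> RC4, AES128, AES256)."""
    return {name for bit, name in MSDS_ENCTYPE_FLAGS.items() if value & bit}

def parse_libdefaults_enctypes(conf_text):
    """Return {setting: set(enctypes)} for every *_enctypes line in [libdefaults]."""
    result, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):              # section header: track whether we are in [libdefaults]
            in_section = line.lower() == "[libdefaults]"
            continue
        m = re.match(r"(\w+_enctypes)\s*=\s*(.+)", line)
        if in_section and m:
            result[m.group(1)] = {n.lower() for n in m.group(2).split()}
    return result

def check_enctypes(conf_text, msds_value):
    """Per setting: types shared with the AD account, and any DES types the client would request."""
    ad_types = decode_msds_enctypes(msds_value)
    return {
        key: {"common": sorted(names & ad_types),
              "des_requested": sorted(names & DES_ENCTYPES)}
        for key, names in parse_libdefaults_enctypes(conf_text).items()
    }

# Constructed sample: the enctype lines from the [libdefaults] block posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
```

Run `check_enctypes(SAMPLE_KRB5_CONF, 28)`: every setting shares both AES types with the account and requests no DES type, which is the same conclusion the poster reached from the attribute value.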
Samba packages are currently broken with MIT krb5-1.18. The dependency on krb5 should hopefully be going away, but for now, try downgrading to krb5-1.17 and see if that fixes the issue. Hopefully it'll be fixed soon.
That did the trick!! Many thanks!!