On Mon, 02 Sep 2019, Nico Kadel-Garcia wrote:
On Mon, Sep 2, 2019 at 1:56 PM Alessio <alcir...@gmail.com> wrote:

On Mon, Sep 2, 2019, 5:16 PM Dario Lesca <d.le...@solinos.it> wrote:


After a few minutes almost everything works well, except for one thing ...
all Windows PCs cannot access other Windows PCs.


Wait. I'm not an expert. That said, are we sure that the cause is krb MIT? Also
on the samba ml it seems to be a supposition.
Are the Windows PCs all running Windows 7?
Does the same happen with Windows 10?

And all these deprecated entries?

krb5kdc[6764](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), 
aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), 
DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)})

As one of the people who backport current releases of Samba to RHEL 7,
with the domain controller enabled, I can vouch that "yes, it's the
Kerberos". My work is over at https://github.com/nkadel/samba4repo,
and it seems to work fairly well with Fedora 30, though I've not
tested it as thoroughly. I have some test rigs in place for samba
4.11rc2 there.

The samba default values are all, by default, set as simply and
generally as possible. Activation of a real domain requires a good
deal of control and authority over local DNS, and the minimal setup
works really well for testers who don't need to start with all that
power and strenuous requirements.

I'd urge you to hop over to the samba-devel or samba mailing lists,
post your smb.conf and version of Samba, and look for debugging help
there.
As I said in the other response, we need bugs with debug logs and
network traces. Handwaving 'Windows PC cannot see Windows PC' does not
help us to help you to solve the problems you are seeing.

MIT Kerberos in Fedora 30 and rawhide did actively deprecate use of
weak crypto. RC4 is still accessible but system-wide crypto policy blocks its
use by default, so this might explain inability to authenticate with
NTLMSSP, for example (as opposed to use of AES ciphers). So there are
multiple factors that might affect use of Samba AD DC with MIT backend
on Fedora.




_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
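
An added example, not part of the thread or of Samba/MIT Kerberos code: a small audit of krb5kdc request lines like the one quoted above, showing which clients would still have an etype left if the DEPRECATED: ones are refused. The function names and verdict labels are hypothetical, and every sample line except the first is constructed.

```python
import re

# Request etype list as krb5kdc prints it in the log line quoted in the thread.
REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([^}]*)\}\)")
# One entry: optional DEPRECATED: marker, optional name, etype number in parentheses.
ETYPE_RE = re.compile(r"(DEPRECATED:)?([A-Za-z0-9-]*)\((-?\d+)\)")

def parse_request(line):
    """Parse one KDC request line; return None when the line has no etype list."""
    m = REQ_RE.search(line)
    if m is None:
        return None
    found = ETYPE_RE.findall(m.group(3))
    return {
        "request": m.group(1),
        "declared": int(m.group(2)),   # count printed by the KDC
        "parsed": len(found),          # count this parser recovered
        # Named etypes without the marker: what is left if deprecated ones are refused.
        "usable": [name for dep, name, _ in found if name and not dep],
        "deprecated": [name for dep, name, _ in found if dep],
        # Numbers the KDC printed without a name, such as (-135).
        "unnamed": [int(num) for _, name, num in found if not name],
    }

def verdict(req):
    """Hypothetical labels for how a request fares once deprecated etypes are blocked."""
    if not req["deprecated"]:
        return "ok"
    return "offers-deprecated" if req["usable"] else "only-deprecated"

def audit(lines):
    """Return [(line_number, verdict, parsed_request)] for every request line."""
    out = []
    for n, line in enumerate(lines, 1):
        req = parse_request(line)
        if req is not None:
            out.append((n, verdict(req), req))
    return out

# Line 1 is the entry quoted in the thread, joined onto one line; lines 2-4 are constructed.
SAMPLE = [
    "krb5kdc[6764](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), "
    "aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), "
    "DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)})",
    "krb5kdc[6764](info): AS_REQ (2 etypes {DEPRECATED:arcfour-hmac(23), DEPRECATED:des-cbc-md5(3)})",
    "krb5kdc[6764](info): closing down fd 12",
    "krb5kdc[6764](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)})",
]

if __name__ == "__main__":
    for n, v, req in audit(SAMPLE):
        print(n, v, "usable:", req["usable"], "deprecated:", req["deprecated"])
```

A request marked `only-deprecated` is the case to look for in the KDC log when authentication fails under a policy that blocks RC4 and DES.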