On Thu, 2004-02-12 at 07:32, Joe Howell wrote:
> No bueno. I changed the enctypes and took the "encrypt passwords=yes" out, but
> still no reply and no computer account.....
>
> [EMAIL PROTECTED] wrote:
>
> [libdefaults]
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
> Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> testparam I'll bet that the encrypt passwords = yes entry is going to give
> you grief. Besides kerberos is encrypted anyway. Another thing to consider
> is flushing the NetBIOS cache on your wins and kdc server - don't know if
> this does anything, but it makes me feel better (nbtstat -R).

I'm sorry, but almost every piece of the above advice is incorrect.

encrypt passwords = yes is required for clients to contact us, as a
kerberised server. When we contact AD (i.e., in winbind) then we use
kerberos anyway. (And at a protocol level, this is regarded as encrypted
passwords).

The enc types (for MIT 1.3.1) should be set to include
'arcfour-hmac-md5', as this is unsalted (removes name issues) and will
always allow the administrator to login, even if they have not changed
their password since AD was turned on.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net