Doug VanLeuven wrote:
Then I converted it to your system of using a ktpass.exe generated
keytab using rc4-hmac.
Stopped samba
edit smb.conf and remove "use kerberos keytab = yes"
Deleted the existing computer account in AD
Deleted the existing mapped user account in AD
Deleted /etc/krb5.keytab
Edit krb5.conf and add rc4-hmac as -first- enctype in list for
default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
Deleted samba's private.tdb
Deleted samba's winbindd_cache.tdb (just in case)
Created a new windows user account to be used for mapping in ktpass.exe
Ran ktpass.exe on domain controller with "-DesOnly"
Read the new keytab and write /etc/krb5.conf with it
^^^^
Typo: should be /etc/krb5.keytab
Run "net ads join"
Ethereal trace on port 88 show rc4-hmac negotiated tickets
Using a ktpass.exe generated keytab, the AD computer account and the
AD mapped user account attribute userAccountControl must agree on the
flag UF_USE_DES_KEY_ONLY. They either both indicate it or they
both don't indicate it, but they can't be mixed.
We'll be enjoying Thanksgiving holiday here.
Regards, Doug
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
