
[Samba] Chromebook AD integration fails on joining the domain


I am testing Google's recent ability to integrate Chromebooks into AD and
it's failing when I try to join the device to the domain. When I run
Wireshark during the test I notice 2 TGS-REQs from the device that are
answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
getting the same result from the device's AS-REQ, but got that to pass by
raising the domain level to 2008R2 and enabling AES in the user account
that I'm using to join the device to the domain.

Some pertinent info:

The domain is about 12 years old (started as a Samba 2 NT domain) and has
been updated several times.

Currently running 4.7

Samba was not built with MIT Kerberos.

So, the question - how do I get Samba to support AES for the TGS portion of
the exchange?
