Re: [Samba] Chromebook AD integration fails on joining the domain

Hello Mike,

It could be that you need to recreate the machine and tgt passwords on your server so it adds the AES enc types for these after raising the functional domain level.

The required scripts can be found in the samba sources in /source4/scripting/devel/

Use chgdcpass for the machine account and chgkrbtgtpass for the tgt account.

I did this on a single AD DC a while back and had no issues. Never tried it on a setup with multiple AD DCs. So I'd recommend you make a backup/snapshot before you try it.


On 27.12.2017 at 16:00, Mike Forsman via samba wrote:

I am testing Google's recent ability to integrate Chromebooks into AD and
it's failing when I try to join the device to the domain. When I run
wireshark during the test I notice 2 TGS-REQs from the device that are
answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing
AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was
getting the same result from the device's AS-REQ, but got that to pass by
raising the domain level to 2008R2 and enabling AES in the user account
that I'm using to join the device to the domain.

Some pertinent info:

The domain is about 12 years old (started as a Samba 2 NT domain) and has
been updated several times.

Currently running 4.7

Samba was not built with MIT Kerberos.

So, the question - how do I get Samba to support AES for the TGS portion of
the exchange?
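As an added illustration that is not part of either message: a small check of which Kerberos encryption types accounts advertise through the AD attribute msDS-SupportedEncryptionTypes (the attribute behind the "enable AES on the account" setting), run over a constructed LDIF sample. The attribute name and its bit values come from MS-KILE and are not mentioned in the thread; the sample accounts are invented.

```python
# Added example (not from the thread): decode msDS-SupportedEncryptionTypes
# and list accounts that advertise no AES etype. A client that offers only
# AES128/AES256 (as the Chromebook does) gets KRB5KDC_ERR_ETYPE_NOSUPP when
# the account it asks about has no AES key, so this is the first thing to
# check on the krbtgt and machine accounts before regenerating passwords.
import re

# Bit values per MS-KILE (assumption: taken from the spec, not from the page).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10

# Constructed sample, shaped like an ldbsearch/ldapsearch LDIF dump.
SAMPLE_LDIF = """\
dn: CN=krbtgt,CN=Users,DC=example,DC=com
sAMAccountName: krbtgt
msDS-SupportedEncryptionTypes: 4

dn: CN=CHROMEBOOK01,CN=Computers,DC=example,DC=com
sAMAccountName: CHROMEBOOK01$
msDS-SupportedEncryptionTypes: 28

dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC1$
"""


def parse_ldif(text):
    """Return {sAMAccountName: bitmask or None} from a minimal LDIF dump."""
    accounts = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        name = attrs.get("sAMAccountName")
        if name is None:
            continue
        raw = attrs.get("msDS-SupportedEncryptionTypes")
        accounts[name] = int(raw) if raw is not None else None
    return accounts


def decode_etypes(mask):
    """Names of the etypes set in the bitmask, lowest bit first."""
    return [n for bit, n in sorted(ETYPE_BITS.items()) if mask and mask & bit]


def accounts_without_aes(accounts):
    """Accounts with no AES bit; an absent attribute is treated as RC4-only
    (assumption: the default the KDC applies when the attribute is unset)."""
    return sorted(n for n, m in accounts.items() if not ((m or 0) & AES_MASK))
```

Accounts reported here are the ones whose keys were never regenerated with AES etypes after the functional level was raised.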
