Re: Fedora Samba DC for what purpose it is released in Fedora ?

On Wed, 04 Sep 2019, alciregi@xxxxxxxxx wrote:
> On Mon, 2019-09-02 at 17:14 +0200, Dario Lesca wrote:
>
>> After a few minutes almost everything works well, except for a thing ...
>> all Windows PCs cannot access other Windows PCs.
>
> Hey Dario.
> Since in recent days I was testing and evaluating Samba as an AD domain
> controller, but using another distro, I decided to configure an F30
> server and try to test what you are experiencing.
>
> I can see a lot of the messages you reported:
>
> Sep 03 01:14:09 adc1 krb5kdc[4059](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135)}) 10.97.69.24: ISSUE: authtime 1567589350, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WINUNO$@MY.LAN for krbtgt/MY.LAN@xxxxxx

This is not an issue. The message above is normal. It says that WINUNO
machine asked for an initial Kerberos ticket granting ticket, asking for
one of 5 encryption types and got it granted with AES256. The textual
description of those encryption types is a feature we added upstream
this year. DEPRECATED: prefix tells that a particular encryption type is
weak and is marked for removal in future versions of Kerberos (there are
RFCs for this removal).

> But authentication and access to Windows machines (I'm using Windows
> 10) seems ok: I can join the domain and I can log in with the domain
> administrator and with a user created on the samba server.
>
> Then, it is true that I can't browse the network from the Windows PC,
> but it could be a group policy or something else.

Network browsing requires either NetBIOS working or LLMNR (the latter is
not implemented by Samba). If you aren't running nmbd, you are not
advertising your servers. Or maybe your Windows clients have NetBIOS
discovery disabled.

> Accessing a folder shared by Windows machine 1 from Windows machine 2
> doesn't work... if I use the computer name or the fqdn (name resolution
> works using nslookup). But if I use the IP address I'm able to access
> the shared folder.

In the bug that Dario filed, I can see problems with his Windows machine
using low-cased machine name while authenticating with its machine
account to Samba DC -- while being joined with all upper case name. E.g.
using 'foo' instead of 'FOO' as its account name. This doesn't work with
Kerberos because Kerberos is case-sensitive. But somehow it also doesn't
work with NTLM requests in his logs.

> Using another distro, I was able to access the shared folder using the
> computer name as well.
> What is the behaviour you are observing?
> What I mean is: maybe the issue is something in some little
> configuration and not a big incompatibility issue preventing you from
> using Fedora as DC.
>
> P.S. if this list is not the right place to discuss such a topic, we can
> go elsewhere.

We can use https://bugzilla.redhat.com/show_bug.cgi?id=1748860 -- provide your logs there too.

I still need to see network traces that show breakage between Windows clients.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
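
An added example, not part of the original message and not Samba or MIT Kerberos code: a parser for the krb5kdc request line quoted above that separates the encryption types a client offered from the ones the KDC actually issued, so a DEPRECATED: entry in the offer is not mistaken for a weak ticket. The second sample line is constructed (hypothetical hosts and realm) and assumes the issued set carries the same DEPRECATED: prefix as the offered set.

```python
import re

# Shape of the krb5kdc request line quoted in the message (one unwrapped log line).
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): .*?"
    r"etypes \{(?P<issued>[^}]*)\}, (?P<client>\S+) for (?P<service>\S+)")
# One entry: optional DEPRECATED: prefix, optional name, number in parentheses.
ETYPE_RE = re.compile(r"(?P<dep>DEPRECATED:)?(?P<name>[\w-]*)\((?P<num>-?\d+)\)")

# Log line from the message, re-joined onto one line.
PAGE_LINE = (
    "Sep 03 01:14:09 adc1 krb5kdc[4059](info): TGS_REQ (5 etypes {"
    "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135)}) "
    "10.97.69.24: ISSUE: authtime 1567589350, etypes {"
    "rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), "
    "ses=aes256-cts-hmac-sha1-96(18)}, WINUNO$@MY.LAN for krbtgt/MY.LAN@xxxxxx")
# Constructed line (not from the page): a reply and session key issued with RC4.
CONSTRUCTED_LINE = (
    "krb5kdc[4059](info): TGS_REQ (2 etypes {DEPRECATED:arcfour-hmac(23), "
    "aes256-cts-hmac-sha1-96(18)}) 192.0.2.10: ISSUE: authtime 1567589350, "
    "etypes {rep=DEPRECATED:arcfour-hmac(23), tkt=aes256-cts-hmac-sha1-96(18), "
    "ses=DEPRECATED:arcfour-hmac(23)}, HOST1$@EXAMPLE.TEST "
    "for cifs/host2.example.test@EXAMPLE.TEST")

def parse_etypes(text):
    """Return [(name or None, number, deprecated)] for a comma-separated list."""
    found = (ETYPE_RE.search(item) for item in text.split(","))
    return [(m["name"] or None, int(m["num"]), bool(m["dep"])) for m in found if m]

def parse_kdc_line(line):
    """Parse one KDC request line; return None if it is not in this format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    issued = {}
    for item in m["issued"].split(","):
        role, _, value = item.strip().partition("=")
        parsed = parse_etypes(value)
        if parsed:
            issued[role] = parsed[0]  # rep = reply, tkt = ticket, ses = session key
    return {"request": m["req"], "address": m["addr"], "status": m["status"],
            "client": m["client"], "service": m["service"],
            "offered": parse_etypes(m["offered"]), "issued": issued}

def weak_issued(rec):
    """Roles whose *issued* etype is marked DEPRECATED; offers are ignored."""
    return sorted(role for role, (_, _, dep) in rec["issued"].items() if dep)
```

Running `weak_issued(parse_kdc_line(line))` over a KDC log gives an empty list for lines like the one in the message and names the affected roles when a deprecated type was actually used.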



