Alexander Bokovoy <abokovoy(a)redhat.com> writes:
On ke, 04 syys 2019, alciregi(a)gmail.com wrote:
>On Mon, 2019-09-02 at 17:14 +0200, Dario Lesca wrote:
>>
>> After few minutes almost everything work well, except for a thing ...
>> all windows PC cannot access to others windows PC.
>
> Hey Dario.
> Since in recent days I was testing and evaluating Samba as an AD domain
> controller, but using another distro, I decided to configure a F30
> server, and try to test what are you experiencing.
>
> I can see a lot of the messages you reported:
>
> Sep 03 01:14:09 adc1 krb5kdc[4059](info): TGS_REQ (5 etypes {aes256-
> cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> DEPRECATED:arcfour- hmac(23), DEPRECATED:arcfour-hmac-exp(24),
> (-135)}) 10.97.69.24: ISSUE: authtime 1567589350, etypes
> {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
> ses=aes256-cts-hmac-sha1-96(18)}, WINUNO$(a)MY.LAN for
> krbtgt/MY.LAN(a)MY.LAN
This is not an issue. The message above is normal. It says that WINUNO
machine asked for an initial Kerberos ticket granting ticket, asking for
one of 5 encryption types and got it granted with AES256. The textual
description of those encryption types is a feature we added upstream
this year. DEPRECATED: prefix tells that a particular encryption type is
weak and is marked for removal in future versions of Kerberos (there are
RFCs for this removal).
Indeed, they are
https://tools.ietf.org/html/rfc8429 and
https://tools.ietf.org/html/rfc6649
The changes are part of
https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization
"Deprecated" has its usual meaning in this context: you should look into
migrating to another enctype if at all possible, and disabling support
for it when you have (because it will be gone in the future, probably
sometime next year).
Thanks,
--Robbie