I'm using Samba to replace AD because of a few Windows clients, but the forest users aren't able to log in on each other's domains. The password is authenticated fine, but it seems that the host isn't. I have 2 domains:

ra.example.com
- ipa.ra.example.com: FreeIPA (tried with v4.6.8-5.el7.centos.10 on CentOS 7.9 and 4.9.6-6.module+el8.5.0+674+69615a50 on Rocky Linux 8.5, both updated to the latest version to date)
- client.ra.example.com: Rocky Linux 8.5 client (configured with ipa-client-install)

ad.example.com
- samba.ad.example.com: Fedora 35 server and Samba 4.15.5-0.fc35 (domain configured with the command: samba-tool domain provision --use-rfc2307 --interactive)
- client.ad.example.com: Rocky Linux 8.5 configured with realmd
- Windows 10 Pro

After install, the trust was created with the command:

# ipa trust-add --two-way true --admin Administrator ad.example.com

and 2 users: ipauser@ra.example.com and smbuser@ad.example.com

With smbuser I can only log in on the Windows machine. "kinit smbuser" works fine on samba.ad and client.ad, but "id smbuser@ad.example.com" doesn't work either. From client.ra and ipa.ra I can kinit and id the user, but the login fails. The only error message I'm able to track is this one in /var/log/samba/mit_kdc.log:

Feb 28 20:12:23 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.122.23: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM, No matching key in entry

With ipauser I can log in at ipa.ra and client.ra. At samba.ad and client.ad, neither kinit ipauser@ra.example.com nor login works. On the Windows machine the login fails with the message: "Insufficient system resources exist to complete the requested service", and /var/log/samba/mit_kdc.log shows the message:

Feb 28 20:14:13 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.122.22: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for host/win10pro.ad.example.com@AD.EXAMPLE.COM, No matching key in entry

If a wrong password is used, it fails, as expected. I tried to add "log level 50" but mit_kdc.log doesn't add any extra information.

Does anyone have a clue how to work with the cross-domain users? Previous versions used to work fine, but a brand new installation isn't working anymore.
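As an added example (my own code, not from the post or from Samba/FreeIPA), a small parser for the mit_kdc.log TGS_REQ lines quoted above: it pulls out the etypes each client offered, the service principal requested, and the KDC's result, and flags the "No matching key in entry" outcome and any deprecated RC4 etypes. The two sample lines are the ones from the post, embedded so the script runs offline; `TgsEvent`, `parse_tgs_events` and `diagnose` are names I chose.

```python
import re
from dataclasses import dataclass

# Sample input: the two TGS_REQ lines quoted in the post, embedded so the script runs offline.
SAMPLE_LOG = """\
Feb 28 20:12:23 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.122.23: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM, No matching key in entry
Feb 28 20:14:13 samba.ad.example.com krb5kdc[1096](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.122.22: PROCESS_TGS: authtime 0, etypes {rep=UNSUPPORTED:(0)} <unknown client> for host/win10pro.ad.example.com@AD.EXAMPLE.COM, No matching key in entry
"""

TGS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): TGS_REQ "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): PROCESS_TGS: .*? for (?P<server>\S+), (?P<msg>.*)$"
)
# One etype token: optional DEPRECATED:/UNSUPPORTED: prefix, optional name, numeric id in parentheses.
ETYPE_RE = re.compile(r"(?:(?P<flag>DEPRECATED|UNSUPPORTED):)?(?P<name>[\w-]*)\((?P<num>-?\d+)\)")

@dataclass
class TgsEvent:
    ts: str
    client_ip: str
    server: str          # service principal the client asked a ticket for
    message: str         # KDC result text at the end of the line
    etypes: list         # (etype number, name, "DEPRECATED"/"UNSUPPORTED"/None) as offered by the client

    @property
    def deprecated_offered(self):
        return [num for num, _, flag in self.etypes if flag == "DEPRECATED"]
    @property
    def no_matching_key(self):
        return "No matching key in entry" in self.message

def parse_tgs_events(text):
    """Parse TGS_REQ lines from MIT KDC log text; lines of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = TGS_RE.match(line)
        if m:
            etypes = [(int(e["num"]), e["name"], e["flag"]) for e in ETYPE_RE.finditer(m["etypes"])]
            events.append(TgsEvent(m["ts"], m["ip"], m["server"], m["msg"], etypes))
    return events

def diagnose(ev):
    """One-line triage of what the KDC could not satisfy for this request."""
    offered = [num for num, _, _ in ev.etypes]
    note = (f"KDC holds no key for {ev.server} in any offered etype {offered}"
            if ev.no_matching_key else f"{ev.server}: {ev.message}")
    if ev.deprecated_offered:
        note += f"; client {ev.client_ip} also offered deprecated etypes {ev.deprecated_offered}"
    return note
```

Running `diagnose` over both events shows the same failure shape for the krbtgt and the host principal: the KDC reports no usable key for the requested principal in any of the offered etypes, which points at the principal's keys on the Samba DC rather than at the password check.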
anyone??