If krb5.conf does not contain arcfour-hmac-md5 in the list of enctypes domain joins (and probably other interactions) are not successful.
The symptom can be found in the log files when having a debug level 2:
GSS(krb5) Update failed: Miscellaneous failure (see text): failed to find PDC$@REALM(kvno 1) in keytab /usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
It can be solved by adding arcfour-hmac-md5 to the list of enctypes or to revert to the defaults by commenting out these lists.
This should at the very least be mentioned in the current howto.txt.
Additionally it would be nice to know that samba4 actually relies on krb5.conf which is not mentioned either in the howto.txt
forgot to mention that the keytab file needs to be re-generated if the list of enc-types changes
We now use a fixed list of enc types in the secrets and server-side password store, so this shouldn't be an issue any more.
We still however read the krb5.conf for some things, and this should be better documented.
So, how far are we with this?
An example krb5.conf is now generated by the provision. It seems best not to specify encryption types at all, and let the libs use their sensible defaults.
Ok. So considered your comment this is now appropriately fixed, isn't it?
Andrew, whats your opinion: Closing or leave this open?
I'll close this for now. If you aren't satisfied with our work, please reopen!