[Samba] samba caching a broken krb5.conf.NETBIOSDOMAINNAME

Rob Townley rob.townley at gmail.com
Mon Dec 14 10:17:29 MST 2009 

i am in a mixed win2000 and win2003 R1 ActiveDirectory environment.
Have always had ntlmv2 server and client required.  LM and NTLM have
always been rejected.  That is how it has been for 10 years.

Mounting from CentOS 5 to the windows servers has not been an issue
for years.  However, using ADS credentials for Linux workstation
logons has always been a issue.  If using ADS credentials to logon to
a Linux workstation worked once, it would stop working for no apparent
reason very quickly.  The problem seems to be that samba kerberos
wants to revert to using very old encryption technology that is
probably on par with plain LM.

How can i force samba to use and _KEEP_USING_ the better security
enctypes?  i am no expert, but you don't have to be an expert to know
that aes is better than des-cbc-crc .   des was broken in 1998, why is
samba kerberos trying to use it?  Win 95 LM uses DES -- look at
lmHash() documented at http://davenport.sourceforge.net/ntlm.html.

We have been using our CentOS clients to mount with ntlmv2i so why
would attempts at joining the ADS domain fail with "stronger
authentication required"?
mount -t cifs //ADScontroller/share /mnt/ntlmv2iprotected  --verbose
-o username=user at dnsdomainname.com,sec=ntlmv2i

Success with "kinit admin at dnsdomainname.com"

But then "net -d 10 ads join -U admin at dnsdomainname.com" would fail
with "stronger authentication required."   I wondering why stronger
auth would be needed by ADS when i am already mounting a file share on
the ADS domain controller using ntlmv2i?

The answer is in "klist -e" and
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME:
  default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

Deleted the samba cache and added the following to /etc/krb5.conf and
it worked once to join the domain and logon a CentOS box with ADS
credentials.
i could even map a drive letter from our Win2003 box to the CentOS
share using ADS credentials.
  default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5

The samba cached krb5.conf.NETBIOSDOMAINNAME would come back populated
with weak and incompatible encryption types while /etc/krb5.conf would
still have decent enctypes.  Then my account is locked out in ADS.

So how can i permanently force samba to use the better enctypes?
Disable it from ever using weak encryption such as DES?   Triple DES
des3-hmac-sha1 would be ok.
How does one find the exact enctypes ADS will accept?  There must be a
command or ldap location but i had many problems finding it.




The following are all previously documented problems related to this.
Symptoms left here for when others search.

kinit succeeded but ads_sasl_spnego_krb5_bind failed

[Samba] winbind and smb tries to auth as pdc$ rather than local name
when using ADS
http://lists.samba.org/archive/samba/2009-October/150849.html

More information about the samba mailing list