[Samba] Updating OpenSSL from 1.x to 3 breaks kinit
Andrew Bartlett
abartlet at samba.org
Thu Nov 2 19:47:33 UTC 2023
On Thu, 2023-11-02 at 16:04 +0100, MATYAS, Tibor via samba wrote:
> Dear all,
>
> updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled
> everything against the new openssl!)
> breaks kinit:
>
> kinit administrator at xxxx
> administrator at xxxx's Password:
> kinit: rc4 8: EVP_CipherInit_ex einit
>
> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
> dhcpduser at xxxx
> kinit: rc4 8: EVP_CipherInit_ex einit
>
> openssl list -cipher-algorithms | grep -i RC4
> RC4
> RC4-40
> RC4-HMAC-MD5
> unfortunately no solution found so far.
>
> Thanks in advance, Tibor
>
Try changing the administrator password so you get an AES key. Check
you have updated your domain functional level to 2008R2 (the current
default).
Samba doesn't ship kinit, that is MIT Kerberos (most likely) which will
be using OpenSSL for the crypto and may be restricted by the
limitations against old crypto. It may also be possible to disable
those limitations.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the samba
mailing list