[cifs-protocol] AES256 Kerberos encryption in Samba

Stefan (metze) Metzmacher metze at samba.org
Tue Mar 3 09:35:41 MST 2015


Am 27.02.2015 um 22:13 schrieb Sim Josh:
> Hi all,
> I recently installed Samba 4.1.13 on my Linux machine and I am connecting
> it to a windows domain on the domain controller with Windows server 2008 R2
> Standard as the OS.
> 
> My Samba setup is able to successfully join the windows domain. The
> Kerberos encryption type used during Session setup (from the wireshark
> traces) is AES256 (eTYPE_AES256_CTS_HMAC_SHA1_96).
> 
> However, when I map a share to the Samba server from a windows 7 client, I
> see that the ticket obtained from the Kerberos on the domain controller is
> encrypted in an older encryption type - eTYPE_ARCFOUR_HMAC_MD5. This ticket
> is later used by the windows client to communicate with the Samba server.
> 
> So the problem that I am seeing is that windows 7 client is not using
> AES256 for encryption when I map a share to Samba server, but AES256 is
> being used during join domain.
> I searched through Samba documentation but could not find much about this.
> 
> Does Samba 4 support AES256 Kerberos encryption? If so, is there anything
> wrong with my configuration on the Samba server side?

This behaviour is controlled by the msDS-SupportedEncryptionTypes attribute on
the computer account in Active Directory, see
http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx

Samba 4.2 will have new subcommands for "net":

   ADS ENCTYPES
       List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
       attribute of an account in AD.

       This attribute allows controlling which Kerberos encryption types are
       used for the generation of initial and service tickets. The value
       consists of an integer bitmask with the following values:

       0x00000001 DES-CBC-CRC
       0x00000002 DES-CBC-MD5
       0x00000004 RC4-HMAC
       0x00000008 AES128-CTS-HMAC-SHA1-96
       0x00000010 AES256-CTS-HMAC-SHA1-96

   ADS ENCTYPES LIST <ACCOUNTNAME>
       List the value of the "msDS-SupportedEncryptionTypes" attribute of a
       given account.

       Example: net ads enctypes list Computername

   ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
       Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
       LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
       the value is set to 31 which enables all the currently supported
       encryption types.

       Example: net ads enctypes set Computername 24

   ADS ENCTYPES DELETE <ACCOUNTNAME>
       Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
       object of ACCOUNTNAME.

       Example: net ads enctypes set Computername 24


metze
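The bitmask described in the excerpt above is easy to misread when it comes back from LDAP as a bare integer, so here is a small decoder and encoder for it. This is an added example and not Samba or Microsoft code: it uses only the five bit values listed in the net(8) text above, and the "strongest common type" and "absent attribute means RC4 only" rules in `service_ticket_enctype` are this example's own assumptions about how the KDC picks the service-ticket enctype (the linked Microsoft article covers the real defaults). It shows why a computer account with no attribute set, or with value 4, ends up with RC4 tickets even though the machine itself can do AES256, and that 24 is exactly AES128 + AES256.

```python
#!/usr/bin/env python3
"""Decode/encode msDS-SupportedEncryptionTypes bitmasks (added example)."""

# Bit values exactly as listed in the net(8) ADS ENCTYPES documentation.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
KNOWN_MASK = sum(ENCTYPE_BITS)  # 31, the "all currently supported" value

# Preference order used when several types are common to client and service.
# This ordering (AES256 > AES128 > RC4 > DES) is an assumption of this example.
STRENGTH_ORDER = [0x10, 0x08, 0x04, 0x02, 0x01]

# Assumption: a service account with no attribute is treated as RC4-only.
DEFAULT_WHEN_ABSENT = 0x04


def decode_enctypes(value):
    """Return the enctype names enabled in a bitmask, lowest bit first.

    Bits outside the five documented ones are reported rather than dropped,
    so a value such as 0x20 is not silently misread as "nothing".
    """
    if value < 0:
        raise ValueError("bitmask must be non-negative")
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("unknown bits 0x%08x" % unknown)
    return names


def encode_enctypes(names):
    """Build the bitmask for a list of enctype names, e.g. for `net ads enctypes set`."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise KeyError("unknown enctype name: %s" % name)
        value |= by_name[name]
    return value


def supports_aes256(value):
    """True if the AES256-CTS-HMAC-SHA1-96 bit is set."""
    return bool(value & 0x10)


def service_ticket_enctype(client_mask, service_attr):
    """Pick the enctype a service ticket would be issued with.

    client_mask  : what the requesting client advertises.
    service_attr : the service account's msDS-SupportedEncryptionTypes value,
                   or None when the attribute is absent (assumed RC4-only).
    Returns the strongest common type, or None if there is no overlap.
    """
    service_mask = DEFAULT_WHEN_ABSENT if service_attr is None else service_attr
    common = client_mask & service_mask
    for bit in STRENGTH_ORDER:
        if common & bit:
            return ENCTYPE_BITS[bit]
    return None


if __name__ == "__main__":
    # Constructed sample: a Windows 7 client offering RC4+AES128+AES256 (0x1c)
    # against a Samba computer account before and after `net ads enctypes set ... 24`.
    client = 0x1c
    for label, attr in (("attribute absent", None), ("value 4", 4), ("value 24", 24)):
        print("%-16s -> %s" % (label, service_ticket_enctype(client, attr)))
    print("24 decodes to:", decode_enctypes(24))
    print("31 decodes to:", decode_enctypes(31))
```

The `__main__` block prints RC4-HMAC for the first two cases and AES256-CTS-HMAC-SHA1-96 once the account carries 24, which matches the symptom in the question: joining can use AES256 while service tickets for the Samba host still come out as RC4 until the account's attribute advertises AES.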
