[cifs-protocol] Kerberos kinit failures since Nov 2022 patch
Andrew Bartlett
abartlet at samba.org
Wed Nov 9 03:37:05 UTC 2022
Related but separate to 2211090040000278
We are running Windows 2019 with the Nov 2022 patches.
KrbtgtFullPacSignature has been set to 3 but we see the same behaviour
at 0.
We create an account using Windows ADUC then set this account supports
AES128 and AES 256 in 'account options'.
With these values set, being 0x18 is msDS-SupportedEncryptionTypes, it
is no longer possible to kinit to this account, even when the Kerberos
client supports AES, and even if the kerberos client does not propose.
However, if we add the RC4 bit then it works, but given the security
release is about disabling RC4 we are trying to avoid that.
We can supply network traces etc, please provide the link.
Thanks,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the cifs-protocol
mailing list