Samba-3.0.7-1.3E Active Directory Issues

Nalin Dahyabhai nalin at redhat.com
Wed Oct 27 20:10:54 GMT 2004


On Wed, Oct 27, 2004 at 11:32:16AM -0700, Doug VanLeuven wrote:
> Good to have this patch for samba interop, but I doubt unix command line 
> utilities using DES can be made to interoperate with a MS KDC 2000 or 
> 2003 server.

It may not be quite that bad.  The application server and the KDC do
have to agree on the application server's key, but the client isn't
expected to be able to decrypt things with that key.  It doesn't even
have to know how to encrypt things with that key, which places the
entire interoperability burden on the application server and the KDC.

A client can't dictate what kind of key the KDC will use to encrypt data
meant for an application server.  Unix-based KDCs can check which types
of keys they have on-hand for the service principal to determine which
kind of keys to use, and AD consults the userAccountControl attribute of
the computer account to see if it needs to use DES for the application
server, otherwise it seems to choose RC4.

The "net" command requests credentials from the KDC to guess at the
right key.  If a computer's account is flagged as needing DES, the
client will receive credentials from the KDC which are encrypted using
DES, and it can attempt to decrypt them with various keys until it hits
on one which works.  Don't worry, this isn't a brute-force attack, it's
more like guessing which key on a large-but-manageable chain is right
for a given door, when it's still possible that none are.

But if the computer account is not flagged as requiring DES, then the
KDC's preference for RC4 will ensure that the incorrect DES keys in the
keytab are never used by the application server.

Nalin
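An added example, not part of this post or of Samba's own code: a Python model of the two-sided behaviour the post describes (the KDC choosing DES or RC4 from userAccountControl, and the application server trying only the keytab entries whose enctype matches the ticket). The enctype numbers are the IANA Kerberos values and UF_USE_DES_KEY_ONLY is the AD flag bit; the keyed-hash "does this key decrypt it" check, the key bytes and the ticket body are constructed stand-ins, not real Kerberos cryptography.

```python
import hmac
import hashlib

# IANA Kerberos enctype numbers (RFC 3961 / RFC 4757).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 1, 3, 23
# userAccountControl bit the AD KDC consults for "use DES for this account".
UF_USE_DES_KEY_ONLY = 0x00200000

def kdc_pick_enctype(user_account_control):
    """The KDC's choice as described in the post: DES only when flagged, else RC4."""
    if user_account_control & UF_USE_DES_KEY_ONLY:
        return DES_CBC_MD5
    return RC4_HMAC

def kdc_issue_ticket(kdc_keys, user_account_control, payload):
    """Encrypt the service ticket with the KDC's copy of the server key.
    Constructed stand-in for real encryption: a keyed hash only the matching
    key reproduces, so a wrong key 'fails to decrypt'."""
    etype = kdc_pick_enctype(user_account_control)
    tag = hmac.new(kdc_keys[etype], payload, hashlib.sha256).digest()
    return {"etype": etype, "payload": payload, "tag": tag}

def server_find_key(keytab, ticket):
    """Application server side: only keytab entries whose enctype matches the
    ticket's etype are candidates; each is tried until one works, or none do."""
    for entry in keytab:
        if entry["etype"] != ticket["etype"]:
            continue  # e.g. stale DES keys are never tried against an RC4 ticket
        tag = hmac.new(entry["key"], ticket["payload"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, ticket["tag"]):
            return entry
    return None

# Constructed sample data: the KDC holds current RC4 and DES keys for
# host/fileserver; the keytab has the right RC4 key (kvno 3) but a stale
# DES key (kvno 2) that no longer matches the KDC's.
KDC_KEYS = {RC4_HMAC: b"rc4-key-kvno3", DES_CBC_MD5: b"des-key-kvno3"}
KEYTAB = [
    {"principal": "host/fileserver", "kvno": 2, "etype": DES_CBC_MD5, "key": b"des-key-kvno2"},
    {"principal": "host/fileserver", "kvno": 3, "etype": RC4_HMAC, "key": b"rc4-key-kvno3"},
]
TICKET_BODY = b"constructed-ticket-body"

def outcome(user_account_control):
    """Return (enctype the KDC chose, kvno of the keytab entry that worked, or None)."""
    ticket = kdc_issue_ticket(KDC_KEYS, user_account_control, TICKET_BODY)
    hit = server_find_key(KEYTAB, ticket)
    return ticket["etype"], (hit["kvno"] if hit else None)

if __name__ == "__main__":
    print(outcome(0x1000))                        # workstation account, no DES flag -> (23, 3)
    print(outcome(0x1000 | UF_USE_DES_KEY_ONLY))  # DES flagged, stale DES key -> (3, None)
```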