AES in recent samba4

Matthieu Patou mat+Informatique.Samba at
Mon Aug 24 16:08:44 MDT 2009

Hello andrew,

Last friday I upgraded my test environment, it has a XP, a W2K8 a s3.4 
and a s4.

If I didn't get me wrong s4 should be opperating as w2k8 DC (well ADUC 
tells me that my forest is at windows 2008 level,but the domain shows a 
blank I think it's a display bug).

So I removed my w2k8 server out of the s4 domain, remove completely the 
computer into the AD and remake it join the domain. I was hoping that 
this action will generate an "AES" password.

 From the first look it looks like samba is using AES every times, it 
seems that it is just understanding AES.
For instance in the attached capture we can see at frame 22 that w2k8 is 
sending a timestamp encoded with aes256-cts...and in frame 25 s4 is 
replying with something encrypted with AES as well.

I was about to celebrate this when I realized that the ticket in frame 
is encrypted with rc4 even if in the AS request w2k8 specified different 
aes as supported encryption scheme.

Concerning windows 2008 I didn't noticed any ldap request for modifying 
It doesn't mean that hidden somewhere in some other RPC call it's not 
indicated but it's not likely to happen.

For this we have three possibilities:
* either S4 is not pretending to be windows2008 good enough for the 
client to sent a request for adding/updating msDS-SupportedEncryptionTypes
* either Windows 2008 when server sets this parameter in another way (ie 
if os.version >=6.0 ...)
* either Windows 2008 as a client didn't try to modify this attribute

I'll try to get more explaination for MS on the latest pb for the first 
one let me know.


More information about the samba-technical mailing list