AES in recent samba4
Matthieu Patou
mat+Informatique.Samba at matws.net
Mon Aug 24 16:08:44 MDT 2009
Hello andrew,
Last friday I upgraded my test environment, it has a XP, a W2K8 a s3.4
and a s4.
If I didn't get me wrong s4 should be opperating as w2k8 DC (well ADUC
tells me that my forest is at windows 2008 level,but the domain shows a
blank I think it's a display bug).
So I removed my w2k8 server out of the s4 domain, remove completely the
computer into the AD and remake it join the domain. I was hoping that
this action will generate an "AES" password.
From the first look it looks like samba is using AES every times, it
seems that it is just understanding AES.
For instance in the attached capture we can see at frame 22 that w2k8 is
sending a timestamp encoded with aes256-cts...and in frame 25 s4 is
replying with something encrypted with AES as well.
I was about to celebrate this when I realized that the ticket in frame
is encrypted with rc4 even if in the AS request w2k8 specified different
aes as supported encryption scheme.
Concerning windows 2008 I didn't noticed any ldap request for modifying
msDS-SupportedEncryptionTypes.
It doesn't mean that hidden somewhere in some other RPC call it's not
indicated but it's not likely to happen.
For this we have three possibilities:
* either S4 is not pretending to be windows2008 good enough for the
client to sent a request for adding/updating msDS-SupportedEncryptionTypes
* either Windows 2008 when server sets this parameter in another way (ie
if os.version >=6.0 ...)
* either Windows 2008 as a client didn't try to modify this attribute
I'll try to get more explaination for MS on the latest pb for the first
one let me know.
Matthieu.
More information about the samba-technical
mailing list