AES in recent samba4

Matthieu Patou mat+Informatique.Samba at matws.net
Tue Aug 25 00:16:43 MDT 2009


With the capture attached :-)

On 08/25/2009 02:08 AM, Matthieu Patou wrote:
> Hello andrew,
>
> Last Friday I upgraded my test environment; it has an XP, a W2K8, an s3.4
> and an s4.
>
> If I didn't get it wrong, s4 should be operating as a w2k8 DC (well, ADUC
> tells me that my forest is at Windows 2008 level, but the domain shows a
> blank; I think it's a display bug).
>
> So I removed my w2k8 server from the s4 domain, removed the computer
> completely from the AD and made it join the domain again. I was hoping that
> this action would generate an "AES" password.
>
> At first glance it looks like Samba is using AES every time; it seems
> that it just understands AES.
> For instance, in the attached capture we can see at frame 22 that w2k8 is
> sending a timestamp encoded with aes256-cts... and in frame 25 s4 is
> replying with something encrypted with AES as well.
>
> I was about to celebrate this when I realized that the ticket in frame
> is encrypted with rc4, even though in the AS request w2k8 specified the
> different AES types as supported encryption schemes.
>
>
> Concerning Windows 2008, I didn't notice any LDAP request for modifying
> msDS-SupportedEncryptionTypes.
> That doesn't mean it isn't indicated hidden somewhere in some other RPC
> call, but it's not likely.
>
> For this we have three possibilities:
> * either S4 is not pretending to be Windows 2008 well enough for the
> client to send a request for adding/updating msDS-SupportedEncryptionTypes
> * or Windows 2008 as a server sets this parameter in another way (i.e.
> if os.version >= 6.0 ...)
> * or Windows 2008 as a client didn't try to modify this attribute
>
>
> I'll try to get more explanation from MS on the latest problem; for the
> first one, let me know.
>
> Matthieu.
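Added example, not code from the thread or from Samba: a small Python model of why the ticket in the capture can come back as rc4 while the pre-authentication exchange already used aes256-cts. The ticket's enc-part is encrypted with the service account's key, so the KDC's choice is bounded by what that account advertises in msDS-SupportedEncryptionTypes, not only by the etypes the client lists in its request. The bit values are those documented for msDS-SupportedEncryptionTypes (MS-ADTS); the preference order and the "attribute absent means RC4 only" fallback are a simplified model of AD DC behaviour, labelled as assumptions in the code.

```python
# Illustrative model of KDC ticket enctype selection. Not Samba's or Windows's
# code; the selection order and the absent-attribute fallback are assumptions.

# Bit values of msDS-SupportedEncryptionTypes as documented in MS-ADTS.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# Strongest first (assumption: the usual KDC preference order).
PREFERENCE = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "rc4-hmac",
    "des-cbc-md5",
    "des-cbc-crc",
]


def decode_supported_enctypes(value):
    """Set of enctype names encoded in an msDS-SupportedEncryptionTypes value.
    None (attribute never written on the account) falls back to RC4 only,
    which is the modelled default for an account that lacks the attribute."""
    if value is None:
        return {"rc4-hmac"}
    return {name for name, bit in ENCTYPE_BITS.items() if value & bit}


def choose_ticket_enctype(client_etypes, service_supported_value):
    """Strongest enctype that the client offered in its AS-REQ/TGS-REQ *and*
    the service account supports. None means no overlap (KDC_ERR_ETYPE_NOSUPP)."""
    service = decode_supported_enctypes(service_supported_value)
    for et in PREFERENCE:
        if et in client_etypes and et in service:
            return et
    return None


def accounts_without_aes(entries):
    """Hardening check: account names whose attribute does not enable AES,
    i.e. accounts whose tickets will be issued with RC4 at best."""
    aes = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
    return [name for name, val in entries
            if not (decode_supported_enctypes(val) & aes)]


if __name__ == "__main__":
    # Constructed scenario mirroring the capture: the client offers AES, but
    # the service account has no msDS-SupportedEncryptionTypes, so RC4 wins.
    w2k8_offer = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac"]
    print(choose_ticket_enctype(w2k8_offer, None))   # rc4-hmac
    print(choose_ticket_enctype(w2k8_offer, 0x1C))   # aes256-cts-hmac-sha1-96
```

Running `accounts_without_aes` over the attribute values exported from a directory gives the list of accounts still bound to RC4 tickets, which is the check to make after a join is expected to have set AES.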


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb4.tst.keytabs3
Type: application/octet-stream
Size: 2372 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090825/6fe6981a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2k8_s4_aes_kerberos_2.bz2
Type: application/x-bzip
Size: 23997 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090825/6fe6981a/attachment.bin>