s3 member server to s4 kerberos trouble

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Wed Jun 23 10:13:22 MDT 2010

On 06/21/2010 08:12 AM, Matthieu Patou wrote:
>>>>> Looking at the code
>>>>> I didn't saw much lookup to this attribute so I wonder how do we
>>>>> decide
>>>>> which encoding the requested principal support.
>>>> Correct, we need to use msDS-SupportedEncryptionTypes in kdc/db-glue.c
>>>> near where we look at UF_USE_DES_KEY_ONLY.
>>>> The trickier part is that we need to have Samba4's domain join call the
>>>> netlogon 'GetDomainInfo' call to set it's use of the full set of
>>>> encryption types (and the DNS name).
>>>> Attached is my proposed solution
>>> I'll try to give a try ;-)
>> Did it help?
> Didn't test it yet, sorry

Hi Andrew, Matthieu
Andrew i'm assuming this patch is already in the master.
s3 seems to be working correctly as a member to s4

I'm not sure if this is related but i have just noticed small oddity:
using latest master, on newly provsioned samba (without any members) it 
seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
for kinit Administrator at MYDOM

Valid starting     Expires            Service principal
06/23/10 16:24:03  06/24/10 16:24:00  krbtgt/MYDOM at MYDOM
	Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

however on older provision (archived around 17.06.2010) the default 
encryption type is (i guess the highest available)
06/23/10 16:38:32  06/24/10 16:38:28  krbtgt/MYDOM at MYDOM
	Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS 
mode with 96-bit SHA-1 HMAC

is it the case now that the enctypes are capped (up to or only to) 
ArcFour with HMAC/md5?

Also machine account for s3 member is missing 
msDS-SupportedEncryptionTypes - i guess this is is offered by the client 
during domain join rahter than requested by s4



More information about the samba-technical mailing list