s3 member server to s4 kerberos trouble
lukas at dcs.qmul.ac.uk
Wed Jun 23 10:13:22 MDT 2010
On 06/21/2010 08:12 AM, Matthieu Patou wrote:
>>>>> Looking at the code
>>>>> I didn't see many lookups of this attribute, so I wonder how we know
>>>>> which encoding the requested principal supports.
>>>> Correct, we need to use msDS-SupportedEncryptionTypes in kdc/db-glue.c
>>>> near where we look at UF_USE_DES_KEY_ONLY.
>>>> The trickier part is that we need to have Samba4's domain join call the
>>>> netlogon 'GetDomainInfo' call to set its use of the full set of
>>>> encryption types (and the DNS name).
>>>> Attached is my proposed solution
>>> I'll give it a try ;-)
>> Did it help?
> Didn't test it yet, sorry
Hi Andrew, Matthieu
Andrew, I'm assuming this patch is already in master.
s3 seems to be working correctly as a member of s4.
I'm not sure if this is related, but I have just noticed a small oddity:
using latest master, on a newly provisioned samba (without any members) it
seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
for kinit Administrator at MYDOM:
Valid starting Expires Service principal
06/23/10 16:24:03 06/24/10 16:24:00 krbtgt/MYDOM at MYDOM
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
however on an older provision (archived around 17.06.2010) the default
encryption type is (I guess the highest available):
06/23/10 16:38:32 06/24/10 16:38:28 krbtgt/MYDOM at MYDOM
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
Is it the case now that the enctypes are capped (up to or only to)
ArcFour with HMAC/md5?
Also the machine account for the s3 member is missing
msDS-SupportedEncryptionTypes - I guess this is offered by the client
during domain join rather than requested by s4.
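The thread turns on how the KDC reads msDS-SupportedEncryptionTypes (or copes with its absence) when choosing a ticket enctype. The following is an added illustration, not Samba code and not from any poster in the thread: it decodes the attribute's bitmask using the flag values from MS-KILE 2.2.7, applies the "attribute missing means RC4-HMAC only" default a Windows KDC uses for such accounts (which is consistent with the RC4 tickets observed above), and picks the strongest enctype shared by the account and the client. The LDIF snippets and account values are constructed samples; `parse_ldif_attr`, `decode_supported_enctypes` and `select_ticket_enctype` are names chosen here, not Samba functions.

```python
"""Decode msDS-SupportedEncryptionTypes and choose a ticket enctype.

Flag values follow MS-KILE section 2.2.7. The fallback for an account whose
attribute is absent (RC4-HMAC only) mirrors the Windows KDC default; this is an
added example, not Samba's implementation.
"""
from typing import List, Optional

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

# Names in the style klist prints them, keyed by flag.
ENCTYPE_NAMES = {
    DES_CBC_CRC: "DES cbc mode with CRC-32",
    DES_CBC_MD5: "DES cbc mode with RSA-MD5",
    RC4_HMAC: "ArcFour with HMAC/md5",
    AES128_CTS_HMAC_SHA1_96: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    AES256_CTS_HMAC_SHA1_96: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
}

# Preference order, strongest first, used when several enctypes are common.
PREFERENCE = [
    AES256_CTS_HMAC_SHA1_96,
    AES128_CTS_HMAC_SHA1_96,
    RC4_HMAC,
    DES_CBC_MD5,
    DES_CBC_CRC,
]


def parse_ldif_attr(ldif_text: str) -> Optional[int]:
    """Return the integer msDS-SupportedEncryptionTypes value from an LDIF
    record, or None when the attribute is not present at all (the situation
    reported for the s3 member's machine account)."""
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "msds-supportedencryptiontypes":
            return int(value.strip())
    return None


def decode_supported_enctypes(value: Optional[int]) -> List[int]:
    """Return the enctype flags set in the attribute, strongest first.

    A missing attribute (None) or a zero value is treated as RC4-HMAC only,
    the default a Windows KDC applies to accounts without the attribute."""
    if not value:
        return [RC4_HMAC]
    return [flag for flag in PREFERENCE if value & flag]


def describe(flags: List[int]) -> List[str]:
    """Map enctype flags to klist-style names."""
    return [ENCTYPE_NAMES[f] for f in flags]


def select_ticket_enctype(account_attr: Optional[int],
                          client_offered: List[int]) -> Optional[int]:
    """Pick the strongest enctype both the service account and the client
    support. Returns None when there is no overlap (the KDC would answer
    KDC_ERR_ETYPE_NOSUPP)."""
    supported = set(decode_supported_enctypes(account_attr))
    for flag in PREFERENCE:
        if flag in supported and flag in client_offered:
            return flag
    return None


if __name__ == "__main__":
    # Constructed LDIF: a krbtgt account advertising AES + RC4, and a member
    # machine account lacking the attribute entirely.
    KRBTGT_LDIF = "dn: CN=krbtgt,CN=Users,DC=example,DC=test\n" \
                  "msDS-SupportedEncryptionTypes: 28\n"
    MEMBER_LDIF = "dn: CN=S3MEMBER,CN=Computers,DC=example,DC=test\n" \
                  "userAccountControl: 4096\n"
    client = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, RC4_HMAC]
    for name, ldif in (("krbtgt", KRBTGT_LDIF), ("s3 member", MEMBER_LDIF)):
        attr = parse_ldif_attr(ldif)
        chosen = select_ticket_enctype(attr, client)
        print(f"{name}: attribute={attr} supports={describe(decode_supported_enctypes(attr))}")
        print(f"  ticket enctype -> {ENCTYPE_NAMES[chosen] if chosen else 'none'}")
```

Running it shows the asymmetry the thread describes: the account with the attribute set to 28 (0x1C) gets an AES-256 ticket, while the account with no attribute falls back to ArcFour with HMAC/md5 even though the client offered AES.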