s3 member server to s4 kerberos trouble

Matthieu Patou mat at samba.org
Wed Jun 23 12:37:32 MDT 2010

On 23/06/2010 20:13, Lukasz Zalewski wrote:
> On 06/21/2010 08:12 AM, Matthieu Patou wrote:
>>>>>> Looking at the code
>>>>>> I didn't saw much lookup to this attribute so I wonder how do we
>>>>>> decide
>>>>>> which encoding the requested principal support.
>>>>> Correct, we need to use msDS-SupportedEncryptionTypes in 
>>>>> kdc/db-glue.c
>>>>> near where we look at UF_USE_DES_KEY_ONLY.
>>>>> The trickier part is that we need to have Samba4's domain join 
>>>>> call the
>>>>> netlogon 'GetDomainInfo' call to set it's use of the full set of
>>>>> encryption types (and the DNS name).
>>>>> Attached is my proposed solution
>>>> I'll try to give a try ;-)
>>> Did it help?
>> Didn't test it yet, sorry
> Hi Andrew, Matthieu
> Andrew, I'm assuming this patch is already in the master.
> s3 seems to be working correctly as a member to s4.
> I'm not sure if this is related, but I have just noticed a small oddity:
> using latest master, on a newly provisioned samba (without any members)
> it seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
> for kinit Administrator at MYDOM
> Valid starting     Expires            Service principal
> 06/23/10 16:24:03  06/24/10 16:24:00  krbtgt/MYDOM at MYDOM
>     Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> however, on an older provision (archived around 17.06.2010) the default
> encryption type is (I guess the highest available)
> 06/23/10 16:38:32  06/24/10 16:38:28  krbtgt/MYDOM at MYDOM
>     Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, 
> AES-256 CTS mode with 96-bit SHA-1 HMAC
kinit on Windows?
What is the level of your provision, 2008 or 2003 (by default)?
If 2003, then it's normal: AES is not activated with this level.

> is it the case now that the enctypes are capped (up to or only to) 
> ArcFour with HMAC/md5?
> Also the machine account for the s3 member is missing
> msDS-SupportedEncryptionTypes - I guess this is offered by the
> client during domain join rather than requested by s4
Well, it's clients starting from Vista and Windows 2008 Server that set
this attribute to indicate to the DCs which encryption types they support.
It's the technique used by Microsoft to understand what is supported by a
given client.


Matthieu Patou
Samba Team        http://samba.org
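The thread above turns on two things a defender can check directly: which bits an account's msDS-SupportedEncryptionTypes attribute carries, and which enctype a ticket in klist output was actually issued with. The following script is an added example and is not Samba code or anything from the thread's authors. The bit values are the published ones from the msDS-SupportedEncryptionTypes definition (MS-KILE); the klist sample is constructed from the lines quoted in the mail (with a second, AES-only ticket added and the list's "at" obfuscation replaced by "@"); the DES display strings, and treating an absent attribute as RC4-only, are assumptions stated in the comments.

```python
"""Decode msDS-SupportedEncryptionTypes and flag weak enctypes in klist output.

Added example for the samba-technical thread on s3 member / s4 KDC enctypes.
Not Samba code. Bit values are the published msDS-SupportedEncryptionTypes
flags (MS-KILE); the klist sample below is constructed for this example.
"""
import re

# Published bit flags of msDS-SupportedEncryptionTypes (MS-KILE).
ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# DES and RC4 are the enctypes a hardening review would want to see gone.
WEAK_ENCTYPES = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}

# Substrings of the names klist prints, mapped to flag names. The AES and
# ArcFour strings are the ones quoted in the mail; the two DES strings are
# assumed MIT/Heimdal display names.
KLIST_NAME_HINTS = [
    ("AES-256", "AES256_CTS_HMAC_SHA1_96"),
    ("AES-128", "AES128_CTS_HMAC_SHA1_96"),
    ("ArcFour", "RC4_HMAC_MD5"),
    ("CRC-32", "DES_CBC_CRC"),
    ("RSA-MD5", "DES_CBC_MD5"),
]

# Constructed klist output: the RC4 ticket quoted in the mail plus one AES ticket.
SAMPLE_KLIST = """\
Valid starting     Expires            Service principal
06/23/10 16:24:03  06/24/10 16:24:00  krbtgt/MYDOM@MYDOM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/23/10 16:38:32  06/24/10 16:38:28  cifs/fileserver.mydom@MYDOM
    Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

TICKET_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)"
)
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def decode_supported_enctypes(value):
    """Return the flag names set in an msDS-SupportedEncryptionTypes value.

    value is None when the attribute is absent (the s3 member case in the
    thread). Assumption: an absent attribute is treated as RC4-only, which
    is the conservative reading for a pre-Vista style client.
    """
    if value is None:
        return ["RC4_HMAC_MD5"]
    return [name for bit, name in sorted(ENCTYPE_FLAGS.items()) if value & bit]


def allows_weak_enctype(value):
    """True if the account advertises DES or RC4 (or the attribute is absent)."""
    return any(n in WEAK_ENCTYPES for n in decode_supported_enctypes(value))


def klist_enctype_name(display_name):
    """Map a klist enctype display string to a flag name."""
    for hint, name in KLIST_NAME_HINTS:
        if hint in display_name:
            return name
    return "UNKNOWN(" + display_name.strip() + ")"


def parse_klist(text):
    """Return [{principal, skey, tkt}] for each ticket in klist output."""
    tickets = []
    principal = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and principal:
            tickets.append({
                "principal": principal,
                "skey": klist_enctype_name(m.group(1)),
                "tkt": klist_enctype_name(m.group(2)),
            })
            principal = None
    return tickets


def weak_tickets(tickets):
    """Principals whose session key or ticket uses a DES or RC4 enctype."""
    return [t["principal"] for t in tickets
            if t["skey"] in WEAK_ENCTYPES or t["tkt"] in WEAK_ENCTYPES]


if __name__ == "__main__":
    print("0x1C ->", decode_supported_enctypes(0x1C))
    print("absent ->", decode_supported_enctypes(None))
    for t in parse_klist(SAMPLE_KLIST):
        print(t)
    print("weak:", weak_tickets(parse_klist(SAMPLE_KLIST)))
```

Running it against the constructed sample flags the krbtgt ticket (RC4 for both session key and ticket) and leaves the AES-256 service ticket alone; feeding it real klist output, or the attribute values from an LDAP dump of machine accounts, gives a quick inventory of which accounts and tickets are still on RC4 before the KDC-side enforcement the thread discusses is turned on.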
