s3 member server to s4 kerberos trouble
Lukasz Zalewski
lukas at dcs.qmul.ac.uk
Wed Jun 23 12:43:00 MDT 2010
On 23/06/2010 19:37, Matthieu Patou wrote:
> On 23/06/2010 20:13, Lukasz Zalewski wrote:
>> On 06/21/2010 08:12 AM, Matthieu Patou wrote:
>>>
>>>>>>
>>>>>>> Looking at the code
>>>>>>> I didn't saw much lookup to this attribute so I wonder how do we
>>>>>>> decide
>>>>>>> which encoding the requested principal support.
>>>>>>>
>>>>>> Correct, we need to use msDS-SupportedEncryptionTypes in
>>>>>> kdc/db-glue.c
>>>>>> near where we look at UF_USE_DES_KEY_ONLY.
>>>>>>
>>>>>> The trickier part is that we need to have Samba4's domain join
>>>>>> call the
>>>>>> netlogon 'GetDomainInfo' call to set it's use of the full set of
>>>>>> encryption types (and the DNS name).
>>>>>>
>>>>>> Attached is my proposed solution
>>>>> I'll try to give a try ;-)
>>>>>
>>>> Did it help?
>>>>
>>> Didn't test it yet, sorry
>>>
>>
>> Hi Andrew, Matthieu
>> Andrew, I'm assuming this patch is already in master.
>> s3 seems to be working correctly as a member to s4
>>
>> I'm not sure if this is related but I have just noticed a small oddity:
>> using latest master, on a newly provisioned samba (without any members)
>> it seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
>> for kinit Administrator at MYDOM
>>
>> Valid starting Expires Service principal
>> 06/23/10 16:24:03 06/24/10 16:24:00 krbtgt/MYDOM at MYDOM
>> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>>
>> however on an older provision (archived around 17.06.2010) the default
>> encryption type is (I guess the highest available)
>> 06/23/10 16:38:32 06/24/10 16:38:28 krbtgt/MYDOM at MYDOM
>> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256
>> CTS mode with 96-bit SHA-1 HMAC
>>
> kinit on windows ?
> What is the level of your provision 2008 or 2003 (by default) ?
> If 2003 then it's normal AES is not activated with this level.
It's kinit on linux (s4 host) and both provisions are 2008
>
>> is it the case now that the enctypes are capped (up to or only to)
>> ArcFour with HMAC/md5?
>>
>> Also the machine account for the s3 member is missing
>> msDS-SupportedEncryptionTypes - I guess this is offered by the
>> client during domain join rather than requested by s4
> Well it's clients starting from Vista and Windows 2008 server that set
> this attribute to indicate to the DCs which encryption types they support.
> It's the technique used by Microsoft to understand what is supported by a
> given client.
>
> Matthieu.
>
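As an added example (not code from this thread, from Samba or from Microsoft), the following script decodes an msDS-SupportedEncryptionTypes value and audits account records the way a domain admin would after reading the exchange above: flag member accounts that never set the attribute, accounts with no AES bits, and accounts that still advertise DES. The bit values are the ones documented in MS-KILE section 2.2.7; the account records are constructed sample data, and the statement that a KDC falls back to RC4-HMAC for an account without the attribute is the documented Windows KDC default, assumed here for whichever KDC is in use since the thread does not say how Samba4 handles it.

```python
"""Decode and audit msDS-SupportedEncryptionTypes (added example).

Bit flags follow MS-KILE 2.2.7. The sample records at the bottom are
constructed for illustration and are not taken from the mailing-list thread.
"""

# MS-KILE 2.2.7 "Supported Encryption Types Bit Flags"
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC_MD5 = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

ENCTYPE_NAMES = [
    (DES_CBC_CRC, "DES-CBC-CRC"),
    (DES_CBC_MD5, "DES-CBC-MD5"),
    (RC4_HMAC_MD5, "RC4-HMAC"),
    (AES128_CTS_HMAC_SHA1_96, "AES128-CTS-HMAC-SHA1-96"),
    (AES256_CTS_HMAC_SHA1_96, "AES256-CTS-HMAC-SHA1-96"),
]
KNOWN_BITS = sum(bit for bit, _ in ENCTYPE_NAMES)
AES_BITS = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96
DES_BITS = DES_CBC_CRC | DES_CBC_MD5


def decode_supported_enctypes(value):
    """Return the enctype names enabled in a msDS-SupportedEncryptionTypes bitmask."""
    names = [name for bit, name in ENCTYPE_NAMES if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def audit_account(sam_account_name, attrs):
    """Return a list of findings for one account.

    `attrs` mimics an LDAP search result: attribute name -> list of string
    values. Only msDS-SupportedEncryptionTypes is consulted.
    """
    findings = []
    raw = attrs.get("msDS-SupportedEncryptionTypes")
    value = int(raw[0]) if raw else 0
    if value == 0:
        # Attribute absent or zero: clients older than Vista / 2008 never set
        # it, and the documented Windows KDC default is to treat the account
        # as RC4-HMAC only (assumption that the KDC in use does the same).
        findings.append("attribute missing or 0: KDC will fall back to RC4-HMAC")
        return findings
    enabled = ", ".join(decode_supported_enctypes(value))
    if not value & AES_BITS:
        findings.append("no AES enctypes enabled: %s" % enabled)
    if value & DES_BITS:
        findings.append("DES enctypes still enabled: %s" % enabled)
    return findings


# Constructed sample records (not real accounts): a Samba3 member that never
# set the attribute, a modern client advertising RC4+AES, and a legacy host.
SAMPLE_ACCOUNTS = {
    "S3MEMBER$": {},
    "WIN7CLIENT$": {"msDS-SupportedEncryptionTypes": ["28"]},   # 0x1c
    "LEGACYHOST$": {"msDS-SupportedEncryptionTypes": ["7"]},    # DES + RC4
}


def run_audit(accounts=SAMPLE_ACCOUNTS):
    """Audit every account and return only those with findings."""
    report = {}
    for name, attrs in accounts.items():
        findings = audit_account(name, attrs)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in run_audit().items():
        for finding in findings:
            print("%s: %s" % (name, finding))
```

With a real directory, replace SAMPLE_ACCOUNTS with the results of an LDAP search for `(objectClass=computer)` requesting `sAMAccountName` and `msDS-SupportedEncryptionTypes`; accounts that show up as "attribute missing" are the ones that, like the s3 member in this thread, will only ever get RC4-HMAC tickets from the KDC.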