s3 member server to s4 kerberos trouble
Lukasz Zalewski
lukas at dcs.qmul.ac.uk
Wed Jun 23 13:04:03 MDT 2010
On 23/06/2010 19:47, Matthieu Patou wrote:
>
>>>> I'm not sure if this is related but i have just noticed small oddity:
>>>> using latest master, on newly provsioned samba (without any members)
>>>> it seems like the default encryption type is ArcFour with HMAC/md5 -
>>>> i.e.
>>>> for kinit Administrator at MYDOM
>>>>
>>>> Valid starting Expires Service principal
>>>> 06/23/10 16:24:03 06/24/10 16:24:00 krbtgt/MYDOM at MYDOM
>>>> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>>>>
>>>> however on older provision (archived around 17.06.2010) the default
>>>> encryption type is (i guess the highest available)
>>>> 06/23/10 16:38:32 06/24/10 16:38:28 krbtgt/MYDOM at MYDOM
>>>> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256
>>>> CTS mode with 96-bit SHA-1 HMAC
>>>>
>>> kinit on windows ?
>>> What is the level of your provision 2008 or 2003 (by default) ?
>>> If 2003 then it's normal AES is not activated with this level.
>> Its kinit on linux (s4 host) and both provisions are 2008
> Same linux ?
> can you send the content of the /etc/krb5.conf ?
Same linux in both cases,
here is krb5.conf:
[libdefaults]
default_realm = MY.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MY.DOMAIN = {
kdc = s4host.my.domain:88
admin_server = s4host.my.domain:749
default_domain = my.domain
}
[domain_realm]
.my.domain = MY.DOMAIN
my.domain = MY.DOMAIN
and in both cases the krb5.conf are identical
More information about the samba-technical
mailing list