s3 member server to s4 kerberos trouble

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Wed Jun 23 13:04:03 MDT 2010


On 23/06/2010 19:47, Matthieu Patou wrote:
>
>>>> I'm not sure if this is related but I have just noticed a small oddity:
>>>> using latest master, on newly provisioned samba (without any members)
>>>> it seems like the default encryption type is ArcFour with HMAC/md5 -
>>>> i.e.
>>>> for kinit Administrator at MYDOM
>>>>
>>>> Valid starting Expires Service principal
>>>> 06/23/10 16:24:03 06/24/10 16:24:00 krbtgt/MYDOM at MYDOM
>>>> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>>>>
>>>> however on older provision (archived around 17.06.2010) the default
>>>> encryption type is (I guess the highest available)
>>>> 06/23/10 16:38:32 06/24/10 16:38:28 krbtgt/MYDOM at MYDOM
>>>> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256
>>>> CTS mode with 96-bit SHA-1 HMAC
>>>>
>>> kinit on windows ?
>>> What is the level of your provision 2008 or 2003 (by default) ?
>>> If 2003 then it's normal AES is not activated with this level.
>> It's kinit on linux (s4 host) and both provisions are 2008
> Same linux ?
> can you send the content of the /etc/krb5.conf ?

Same linux in both cases,
here is krb5.conf:

[libdefaults]
         default_realm = MY.DOMAIN
         dns_lookup_realm = false
         dns_lookup_kdc = false
         ticket_lifetime = 24h
         forwardable = yes

[realms]
         MY.DOMAIN = {
                 kdc = s4host.my.domain:88
                 admin_server = s4host.my.domain:749
                 default_domain = my.domain
         }

[domain_realm]
         .my.domain = MY.DOMAIN
         my.domain = MY.DOMAIN

and in both cases the krb5.conf files are identical
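
To compare the two provisions discussed in this message mechanically, the klist output can be parsed and each ticket's session-key and ticket enctypes checked against a weak-cipher list. This is an added example, not part of the original post or of Samba; the function name audit_klist, the weak-enctype pattern and the sample text (rebuilt from the klist lines quoted above, unwrapped) are assumptions.

```python
import re

# Assumption: enctype families treated as weak (RC4/ArcFour and DES variants).
# Adjust to local policy.
WEAK = re.compile(r"arcfour|rc4|des[- ]cbc", re.I)

# "Valid starting  Expires  Service principal" rows as printed by klist.
TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)
# The extra line printed per ticket by "klist -e".
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+)$")


def audit_klist(text):
    """Return [(service, skey_etype, tkt_etype, is_weak), ...] for each ticket."""
    results, service = [], None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            service = m.group(3)
            continue
        m = ETYPE_LINE.match(line)
        if m and service:
            # The two enctype names are separated by the first ", ".
            skey, _, tkt = m.group(1).partition(", ")
            skey, tkt = skey.strip(), tkt.strip()
            weak = bool(WEAK.search(skey) or WEAK.search(tkt))
            results.append((service, skey, tkt, weak))
            service = None
    return results


# Constructed sample input: the two cases quoted in this thread, one per cache.
NEW_PROVISION = """\
Valid starting     Expires            Service principal
06/23/10 16:24:03  06/24/10 16:24:00  krbtgt/MYDOM@MYDOM
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
OLD_PROVISION = """\
Valid starting     Expires            Service principal
06/23/10 16:38:32  06/24/10 16:38:28  krbtgt/MYDOM@MYDOM
\tEtype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

if __name__ == "__main__":
    for name, sample in (("new", NEW_PROVISION), ("old", OLD_PROVISION)):
        for service, skey, tkt, weak in audit_klist(sample):
            print(f"{name}: {service} skey={skey!r} tkt={tkt!r} weak={weak}")
```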

