s3 member server to s4 kerberos trouble

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Tue Jun 29 03:43:11 MDT 2010


On 06/29/2010 08:34 AM, Andrew Bartlett wrote:
> On Thu, 2010-06-24 at 10:25 +1000, Andrew Bartlett wrote:
>> On Wed, 2010-06-23 at 17:13 +0100, Lukasz Zalewski wrote:
>>> On 06/21/2010 08:12 AM, Matthieu Patou wrote:
>>>>
>>>>>>>
>>>>>>>> Looking at the code
>>>>>>>> I didn't see much lookup of this attribute, so I wonder how we
>>>>>>>> decide
>>>>>>>> which encoding the requested principal supports.
>>>>>>>>
>>>>>>> Correct, we need to use msDS-SupportedEncryptionTypes in kdc/db-glue.c
>>>>>>> near where we look at UF_USE_DES_KEY_ONLY.
>>>>>>>
>>>>>>> The trickier part is that we need to have Samba4's domain join call the
>>>>>>> netlogon 'GetDomainInfo' call to set its use of the full set of
>>>>>>> encryption types (and the DNS name).
>>>>>>>
>>>>>>> Attached is my proposed solution
>>>>>> I'll try to give a try ;-)
>>>>>>
>>>>> Did it help?
>>>>>
>>>> Didn't test it yet, sorry
>>>>
>>>
>>> Hi Andrew, Matthieu,
>>> Andrew, I'm assuming this patch is already in master.
>>> s3 seems to be working correctly as a member to s4.
>>>
>>> I'm not sure if this is related, but I have just noticed a small oddity:
>>> using latest master, on a newly provisioned samba (without any members) it
>>> seems like the default encryption type is ArcFour with HMAC/md5 - i.e.
>>> for kinit Administrator at MYDOM
>>
>> Well spotted!
>>
>> I'm trying another patch - the last one wasn't really tested very well.
>
> Lukasz,
>
> Can you try again with current master?  I've done a lot to rework this
> area, and it should not correctly honour this attribute.
>
> Andrew Bartlett
>

Hi Andrew,
This seems to fix the problem :)
Now the default encryption type on Linux (s4host) is
AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC.
Also, all of the keys issued to the user on Windows are of the above form,
except the cifs/s3host key, which is ArcFour with HMAC/md5.

Regards

Luk
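Added example, not from the original thread or from Samba's own kdc/db-glue.c: how a KDC decodes msDS-SupportedEncryptionTypes (bit values as defined in MS-KILE) together with the UF_USE_DES_KEY_ONLY flag, and a small audit that flags principals such as cifs/s3host that can only be issued an ArcFour key. The fallback of an unset attribute to RC4 is an assumption, and the account records are constructed sample data.

```python
# Added example, not Samba's own code: decode msDS-SupportedEncryptionTypes
# the way a KDC must before picking a key, and audit which principals end up
# with only the ArcFour (RC4) key seen on cifs/s3host. Bit values follow the
# MS-KILE definition; the account records are constructed sample data.

ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "ArcFour with HMAC/md5",
    0x08: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    0x10: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
}
STRONGEST_FIRST = (0x10, 0x08, 0x04, 0x02, 0x01)
AES_BITS, DES_BITS, RC4_ONLY, KNOWN_BITS = 0x18, 0x03, 0x04, 0x1F
UF_USE_DES_KEY_ONLY = 0x00200000  # userAccountControl flag checked first

def effective_mask(account):
    """Bitmask of enctypes a principal may use.

    UF_USE_DES_KEY_ONLY wins over the attribute. An absent or zero attribute
    is assumed (as on Windows KDCs) to mean RC4 only, matching the fallback
    the thread observed on a fresh provision.
    """
    if account.get("userAccountControl", 0) & UF_USE_DES_KEY_ONLY:
        return DES_BITS
    mask = account.get("msDS-SupportedEncryptionTypes", 0) & KNOWN_BITS
    return mask or RC4_ONLY

def enctype_names(mask):
    """Human-readable enctypes in the mask, strongest first."""
    return [ENCTYPE_BITS[bit] for bit in STRONGEST_FIRST if mask & bit]

def strongest_enctype(account):
    """Enctype a KDC should prefer for this principal."""
    return enctype_names(effective_mask(account))[0]

def weak_only(accounts):
    """Names of principals that can never be issued an AES key."""
    return [a["name"] for a in accounts if not effective_mask(a) & AES_BITS]

# Constructed sample records mirroring the thread's observation.
SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "msDS-SupportedEncryptionTypes": 0x1C},
    {"name": "cifs/s3host", "msDS-SupportedEncryptionTypes": 0x04},
    {"name": "legacy-svc"},  # attribute never set: falls back to RC4
    {"name": "des-app", "msDS-SupportedEncryptionTypes": 0x1C,
     "userAccountControl": UF_USE_DES_KEY_ONLY},
]
```

Running weak_only over real directory export would list the accounts whose Kerberos keys are still limited to RC4 or DES, which is where an s3 member's cifs/ principal shows up until its attribute is updated.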

