samba domain member "net ads keytab" syntax - encryption types
Andrew Bartlett
abartlet at samba.org
Mon Feb 21 23:54:17 MST 2011
On Fri, 2011-02-18 at 12:34 -0500, Robert Freeman-Day wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I am working with integrating various Linux distros as domain members
> with an Active Directory Domain running on Windows Server 2008 R2 native.
>
> The Domain admins have allowed des keys for backwards (nfs)
> compatibility, but prefers the default enctypes supported in 2008 r2:
> http://support.microsoft.com/kb/977321
> * AES256-CTS-HMAC-SHA1-96
> * AES128-CTS-HMAC-SHA1-96
> * RC4-HMAC
>
> I would like to allow the Domain Members to work with their own keytabs
> via the "net ads keytab" command set but have found that the default
> (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
> creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes
> are listed. The Domain admins can use tools on their side to create
> SPNs and keytabs that have AES and we would prefer them over DES/ArcFour
> except in special circumstances.:
The Samba3 Kerberos code does not understand AES, and so we restrict the
list.
The Samba Team is actively trying to unify the authentication subsystems
which handle this area between Samba3 and Samba4, and we hope to support
this across the whole codebase in the future.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
More information about the samba-technical
mailing list