samba domain member "net ads keytab" syntax - encryption types
Robert Freeman-Day
presgas at gmail.com
Tue Feb 22 08:06:04 MST 2011
On 02/22/2011 01:54 AM, Andrew Bartlett wrote:
> On Fri, 2011-02-18 at 12:34 -0500, Robert Freeman-Day wrote:
>>
>> Hello,
>>
>> I am working with integrating various Linux distros as domain members
>> with an Active Directory Domain running on Windows Server 2008 R2 native.
>>
>> The Domain admins have allowed des keys for backwards (nfs)
>> compatibility, but prefer the default enctypes supported in 2008 R2:
>> http://support.microsoft.com/kb/977321
>> * AES256-CTS-HMAC-SHA1-96
>> * AES128-CTS-HMAC-SHA1-96
>> * RC4-HMAC
>>
>> I would like to allow the Domain Members to work with their own keytabs
>> via the "net ads keytab" command set but have found that the default
>> (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
>> creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes
>> are listed. The Domain admins can use tools on their side to create
>> SPNs and keytabs that have AES and we would prefer them over DES/ArcFour
>> except in special circumstances:
>
> The Samba3 Kerberos code does not understand AES, and so we restrict the
> list.
>
> The Samba Team is actively trying to unify the authentication subsystems
> which handle this area between Samba3 and Samba4, and we hope to support
> this across the whole codebase in the future.
>
> Andrew Bartlett
>
Thanks for the reply, Andrew,
So, if they are restricted, is there a way to restrict further? For
example, only using RC4-HMAC enctypes? Any "net" syntax tweaks for the
keytab set?
Robert
--
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
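Added example (not from the original post, and not Samba's code): since "net ads keytab" offers no switch to narrow the enctype list, one way to end up with an RC4-only (or DES-free) keytab on the member is to post-process the file it writes. The script below parses the MIT keytab v2 layout (magic 0x0502), reports the enctype of every entry, and writes a copy keeping only an allowed set of enctype numbers. The principal, realm, kvno and key bytes in the sample keytab are constructed here for illustration; the enctype numbers are the standard Kerberos assignments (1 des-cbc-crc, 3 des-cbc-md5, 17/18 AES, 23 arcfour-hmac-md5).

```python
import struct

# Standard Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

def _octets(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one keytab entry in MIT keytab v2 layout (name_type 1 = KRB5_NT_PRINCIPAL)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for c in comps:
        body += _octets(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)  # 32-bit vno extension
    return struct.pack(">i", len(body)) + body  # signed size prefix

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Return a list of dicts describing every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            pos += -size
            continue
        body = data[pos:pos + size]
        pos += size
        off = 0
        (ncomp,) = struct.unpack(">H", body[off:off + 2]); off += 2
        (rlen,) = struct.unpack(">H", body[off:off + 2]); off += 2
        realm = body[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", body[off:off + 2]); off += 2
            comps.append(body[off:off + clen].decode()); off += clen
        name_type, timestamp, vno8 = struct.unpack(">IIB", body[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", body[off:off + 4]); off += 4
        key = body[off:off + klen]; off += klen
        kvno = vno8
        if len(body) - off >= 4:  # 32-bit vno extension present (used when non-zero)
            (vno32,) = struct.unpack(">I", body[off:off + 4])
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key": key,
            "raw": struct.pack(">i", size) + body,
        })
    return entries

def filter_keytab(data, allowed):
    """Return a new keytab containing only entries whose enctype is in `allowed`."""
    kept = [e["raw"] for e in parse_keytab(data) if e["enctype"] in allowed]
    return build_keytab(kept)

def sample_keytab():
    """Constructed sample: what a host keytab with DES + RC4 entries looks like."""
    princ, realm = "host/ubuntu.example.com", "EXAMPLE.COM"
    return build_keytab([
        build_entry(princ, realm, 2, 1, b"\x01" * 8),    # des-cbc-crc (constructed key)
        build_entry(princ, realm, 2, 3, b"\x01" * 8),    # des-cbc-md5 (constructed key)
        build_entry(princ, realm, 2, 23, b"\x02" * 16),  # arcfour-hmac-md5 (constructed key)
    ])

if __name__ == "__main__":
    data = sample_keytab()
    for e in parse_keytab(data):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    rc4_only = filter_keytab(data, {23})
    print("after pruning:", [e["enctype_name"] for e in parse_keytab(rc4_only)])
```

On a real member you would read `/etc/krb5.keytab` instead of the constructed sample, cross-check the report against `klist -kte`, and write the pruned copy to a new path before swapping it in. Note that pruning only removes keys from the member's file; whether the KDC still issues DES or RC4 tickets for that account is governed on the AD side.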