samba domain member "net ads keytab" syntax - encryption types

Andrew Bartlett abartlet at samba.org
Wed Feb 23 13:43:57 MST 2011


On Tue, 2011-02-22 at 10:06 -0500, Robert Freeman-Day wrote:
> 
> On 02/22/2011 01:54 AM, Andrew Bartlett wrote:
> > On Fri, 2011-02-18 at 12:34 -0500, Robert Freeman-Day wrote:
> >>
> >> Hello,
> >>
> >> I am working with integrating various Linux distros as domain members
> >> with an Active Directory Domain running on Windows Server 2008 R2 native.
> >>
> >> The Domain admins have allowed des keys for backwards (nfs)
> >> compatibility, but prefers the default enctypes supported in 2008 r2:
> >> http://support.microsoft.com/kb/977321
> >>     * AES256-CTS-HMAC-SHA1-96
> >>     * AES128-CTS-HMAC-SHA1-96
> >>     * RC4-HMAC
> >>
> >> I would like to allow the Domain Members to work with their own keytabs
> >> via the "net ads keytab" command set but have found that the default
> >> (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
> >> creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes
> >> are listed.  The Domain admins can use tools on their side to create
> >> SPNs and keytabs that have AES and we would prefer them over DES/ArcFour
> >> except in special circumstances:
> > 
> > The Samba3 Kerberos code does not understand AES, and so we restrict the
> > list.  
> > 
> > The Samba Team is actively trying to unify the authentication subsystems
> > which handle this area between Samba3 and Samba4, and we hope to support
> > this across the whole codebase in the future. 
> > 
> > Andrew Bartlett
> > 
> 
> Thanks for the reply, Andrew,
> 
> So, if they are restricted, is there a way to restrict further?  For
> example, only using RC4-HMAC enctypes?  Any "net" syntax tweaks for the
> keytab set?

That's a very interesting question.  The best way to restrict that may
simply be to remove them later.  I'm pretty sure the KDC will not issue
DES tickets unless it thinks they are the only supported option. 

Windows 2008 no longer does the DES thing, and modern kerberos libs on
the clients similarly simply refuse to honour the crypto type, because
as your administrators fear, it is just too weak for modern use. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
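As an added example (not from this thread, and not Samba's own code), the "remove them later" step in Python: it parses a version-2 keytab, lists the enctypes present, and rewrites the file keeping only the enctypes you choose, so the DES entries that `net ads keytab create` produced are dropped. The realm, principal and key bytes below are constructed; the enctype numbers are the RFC-assigned values.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 1, 3, 23, 17, 18
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b   # uint16 length prefix, big-endian

def build_entry(realm, components, enctype, key, kvno=2, name_type=1, ts=0):
    """Serialise one v2 keytab record: int32 size followed by the entry body."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(enctype, raw_record)] for every live record in a v2 keytab."""
    if data[:2] != b"\x05\x02": raise ValueError("not a version-2 keytab")
    off, records = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size = deleted slot, skip it
            off += -size
            continue
        entry, p = data[off:off + size], 2
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        for _ in range(ncomp + 1):   # realm, then each principal component
            (ln,) = struct.unpack_from(">H", entry, p)
            p += 2 + ln
        p += 4 + 4 + 1               # name_type, timestamp, 8-bit kvno
        (enctype,) = struct.unpack_from(">H", entry, p)
        records.append((enctype, struct.pack(">i", size) + entry))
        off += size
    return records

def filter_keytab(data, keep=(RC4_HMAC, AES128_CTS, AES256_CTS)):
    """Rewrite the keytab keeping only records whose enctype is in `keep`."""
    return b"\x05\x02" + b"".join(raw for et, raw in parse_keytab(data) if et in keep)

def enctype_names(data):
    return [ENCTYPE_NAMES.get(et, str(et)) for et, _ in parse_keytab(data)]

# Constructed sample: the three enctypes the thread says "net ads keytab create"
# wrote, for a hypothetical host principal; the key bytes are dummies.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("EXAMPLE.COM", ["host", "member.example.com"], et, k)
    for et, k in ((DES_CBC_CRC, b"\x11" * 8), (DES_CBC_MD5, b"\x22" * 8),
                  (RC4_HMAC, b"\x33" * 16)))
```

To restrict to RC4-HMAC only, as asked in the thread, call `filter_keytab(data, keep=(RC4_HMAC,))`; the untouched records are copied byte-for-byte, so key material is never re-encoded.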


