changing encryption protocols after migration from samba v3 to v4

miquel miquel.comas at scytl.com
Tue Apr 30 05:58:54 MDT 2013


We are migrating samba3 to samba4; all our clients are Windows 7.
We have performed classicupgrade without problems, but samba only uses 
RC4 as kerberos encryption.
We have made a domain level raise to 2008_R2, but samba still uses RC4 
instead of AES.

As a test we forced the use of the AES256 encryption by setting in the 
file /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py:
     result = provision(logger, session_info, None,
                        targetdir=targetdir, realm=realm, domain=domainname,
                        domainsid=str(domainsid), next_rid=next_rid,
                        dc_rid=machinerid, adminpass = adminpass,
- dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
+ dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2008_R2,
                        hostname=netbiosname.lower(), 
machinepass=machinepass,
                        serverrole=serverrole, samdb_fill=FILL_FULL,
                        useeadb=useeadb, dns_backend=dns_backend, 
use_rfc2307=True,
                        use_ntvfs=use_ntvfs, skip_sysvolacl=True)
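
Review bot: the changed dom_for_fun_level argument hard-codes dsdb.DS_DOMAIN_FUNCTION_2008_R2 for every call to provision() from upgrade.py, so a site that still needs the previous DS_DOMAIN_FUNCTION_2003 level can no longer get it. Take the level as a parameter of the enclosing upgrade function, with the 2003 constant as its default, and pass that through as dom_for_fun_level=..., with a line of documentation for the new parameter. The edit is also applied to the installed copy under site-packages, so a reinstall would silently drop it; it belongs in the source tree.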


And we ran the classicupgrade with that change.

This procedure works well, but is it possible to reproduce this 
behaviour if the domain was migrated?
Is the supplied patch correct? Is there any other way to do it?

If not, would it be possible - or non-aggressive - to perform the 
classicupgrade again under the samba 4 domain?
No machines have been added yet.

Thanks!

