changing encryption protocols after migration from samba v3 to v4

Andrew Bartlett abartlet at samba.org
Wed May 1 23:53:05 MDT 2013


On Tue, 2013-04-30 at 13:58 +0200, miquel wrote:
> We are migrating samba3 to samba4, all our clients are windows7.
> We have performed classicupgrade without problems, but samba only uses 
> RC4 as kerberos encryption.
> We have made a domain level raise to 2008_R2, but samba still uses RC4 
> instead of AES.

I think this is because we would need to change the krbtgt key and
machine account to get the additional enc type.

Run source4/scripting/devel/chgtdcpass and see if that helps enough.
(it doesn't change the krbtgt however). 

> As a test we forced the use of the AES256 encryption by setting in the 
> file /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py:
>      result = provision(logger, session_info, None,
>                         targetdir=targetdir, realm=realm, domain=domainname,
>                         domainsid=str(domainsid), next_rid=next_rid,
>                         dc_rid=machinerid, adminpass = adminpass,
> - dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
> + dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2008_R2,
>                         hostname=netbiosname.lower(), 
> machinepass=machinepass,
>                         serverrole=serverrole, samdb_fill=FILL_FULL,
>                         useeadb=useeadb, dns_backend=dns_backend, 
> use_rfc2307=True,
>                         use_ntvfs=use_ntvfs, skip_sysvolacl=True)
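Review bot: the `-`/`+` change to `dom_for_fun_level` hardcodes DS_DOMAIN_FUNCTION_2008_R2 for every classicupgrade run instead of letting the caller choose, so anyone who still needs the 2003 level has to edit the installed upgrade.py again; suggest passing `dom_for_fun_level` into the upgrade function as a parameter and exposing it as a classicupgrade option, mirroring the option the normal provision already offers. Separately, the hunk as pasted has been re-wrapped by the mail client (the `hostname=netbiosname.lower(),` and `useeadb=...` lines are split onto continuation lines) and carries no `@@` header or file path, so it cannot be applied with patch as-is; resending it as a unified diff attachment would let it be tested directly.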
> 
> 
> And we ran the classicupgrade with that change.

This looks entirely correct for a start, but I think it raises the issue
of if 2003 is still a reasonable default.  I'm thinking that for Samba
4.1, we should advance that to 2008_R2, and provide an option to the
classicupgrade just as we do for the normal provision. 

> This procedure works well, but is it possible to reproduce this 
> behaviour if the domain was migrated?
> Is the supplied patch correct? Is there any other way to do it?

Not currently, but that isn't really a good situation. 

> If not, would it be possible - or non-aggressive - to perform again the 
> classicupgrade under the samba 4 domain?

It should be OK, if none of the machines have seen the domain yet.
Indeed, my recommended testing is to perform upgrades without showing it
to joined machines (except a sacrificial laptop). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
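The symptom in this thread (a DC that keeps issuing RC4 tickets after the functional level was raised) is easiest to confirm by looking at which encryption types the krbtgt and machine accounts actually advertise. The following audit script is an added illustration, not code from this thread or from Samba. It assumes the accounts have been exported with the AD attribute msDS-SupportedEncryptionTypes (a bitmask defined in MS-KILE, which the thread does not mention) and models an absent or zero attribute as "RC4 only", which is a simplification of KDC fallback behaviour rather than a statement about Samba's own logic; the sample records are constructed.

```python
"""Audit which Kerberos encryption types AD accounts advertise.

Added illustration, not code from the samba-technical thread or from Samba.
It assumes an export of accounts with the AD attribute
msDS-SupportedEncryptionTypes (bitmask per MS-KILE); the sample records at
the bottom are constructed, not taken from a real domain.
"""

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE).
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
DES_MASK = 0x01 | 0x02

# Modelling assumption: an absent or zero attribute is treated as RC4 only,
# which is how a KDC without AES keys for the account ends up behaving.
DEFAULT_WHEN_UNSET = 0x04


def decode_enc_types(value):
    """Return the enc type names enabled by a bitmask value.

    value may be None (attribute absent) or an int. Bits this table does not
    know are reported as hex so nothing is silently dropped.
    """
    if not value:
        value = DEFAULT_WHEN_UNSET
    names = [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]
    unknown = value & ~sum(ENC_TYPE_BITS)
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def audit_accounts(records):
    """Flag accounts that cannot take part in AES-protected ticket exchanges.

    records: iterable of dicts with 'sAMAccountName' and an optional
    'msDS-SupportedEncryptionTypes' key. Returns a list of
    (account, enabled_enctypes, problem) tuples for the weak accounts only.
    """
    findings = []
    for rec in records:
        value = rec.get("msDS-SupportedEncryptionTypes") or DEFAULT_WHEN_UNSET
        if value & AES_MASK:
            continue  # AES available; nothing to report
        problem = "no AES enc type; tickets will use RC4"
        if value & DES_MASK:
            problem += " (DES also enabled)"
        findings.append((rec["sAMAccountName"], decode_enc_types(value), problem))
    return findings


# Constructed sample: roughly what a freshly classicupgraded domain might look
# like before the krbtgt and DC machine keys are regenerated (hypothetical).
SAMPLE_RECORDS = [
    {"sAMAccountName": "krbtgt"},                                    # attribute unset
    {"sAMAccountName": "DC1$", "msDS-SupportedEncryptionTypes": 0x04},
    {"sAMAccountName": "WS7-01$", "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "legacyapp", "msDS-SupportedEncryptionTypes": 0x07},
]

if __name__ == "__main__":
    for account, enabled, problem in audit_accounts(SAMPLE_RECORDS):
        print("%-10s %-50s %s" % (account, ",".join(enabled), problem))
```

Running it against the constructed sample reports krbtgt, DC1$ and legacyapp as RC4-only (legacyapp additionally with DES), while the Windows 7 workstation WS7-01$ (0x1C, RC4 plus both AES types) is left alone; in a real domain the same check over an LDAP export shows whether the krbtgt and DC accounts were ever given AES keys, which is the point Andrew makes about needing to change those keys.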