changing encryption protocols after migration from samba v3 to v4

miquel miquel.comas at scytl.com
Mon May 6 03:54:13 MDT 2013


Thanks, now everything uses AES256.

On 02/05/13 07:53, Andrew Bartlett wrote:
> On Tue, 2013-04-30 at 13:58 +0200, miquel wrote:
>> We are migrating Samba 3 to Samba 4; all our clients are Windows 7.
>> We have performed classicupgrade without problems, but Samba only uses
>> RC4 as the Kerberos encryption type.
>> We have raised the domain level to 2008_R2, but Samba still uses RC4
>> instead of AES.
> I think this is because we would need to change the krbtgt key and
> machine account to get the additional enc type.
>
> Run source4/scripting/devel/chgtdcpass and see if that helps enough.
> (it doesn't change the krbtgt however).
>
>> As a test we forced the use of the AES256 encryption by setting in the
>> file /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py:
>>       result = provision(logger, session_info, None,
>>                          targetdir=targetdir, realm=realm, domain=domainname,
>>                          domainsid=str(domainsid), next_rid=next_rid,
>>                          dc_rid=machinerid, adminpass = adminpass,
>> - dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
>> + dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2008_R2,
>>                          hostname=netbiosname.lower(),
>> machinepass=machinepass,
>>                          serverrole=serverrole, samdb_fill=FILL_FULL,
>>                          useeadb=useeadb, dns_backend=dns_backend,
>> use_rfc2307=True,
>>                          use_ntvfs=use_ntvfs, skip_sysvolacl=True)
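Review bot: the functional level is hard-coded at the provision() call site (the `-`/`+` pair replacing `dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003` with `dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2008_R2`), so the hunk changes the default for every classicupgrade run and leaves the caller no way to pick a level; thread the value through the enclosing upgrade function as a parameter with a default and expose it as a classicupgrade command-line option, mirroring the `--function-level` option that `samba-tool domain provision` already has, so that sites which must keep a 2003 level for other reasons are not raised silently.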
>>
>>
>> And we ran the classicupgrade with that change.
> This looks entirely correct for a start, but I think it raises the issue
> of whether 2003 is still a reasonable default.  I'm thinking that for Samba
> 4.1, we should advance that to 2008_R2, and provide an option to the
> classicupgrade just as we do for the normal provision.
>
>> This procedure works well, but is it possible to reproduce this
>> behaviour if the domain was migrated?
>> Is the supplied patch correct? Is there any other way to do it?
> Not currently, but that isn't really a good situation.
>
>> If not, would it be possible - or non-aggressive - to perform the
>> classicupgrade again under the Samba 4 domain?
> It should be OK, if none of the machines have seen the domain yet.
> Indeed, my recommended testing is to perform upgrades without showing it
> to joined machines (except a sacrificial laptop).
>
> Andrew Bartlett
>


-- 
Miquel Comas Martí
Director of Systems Engineering
Scytl Secure Electronic Voting
Gal·la Placídia 1-3, 1st floor
08006 Barcelona
Phone: + 34 934 230 324
Fax: + 34 933 251 028
http://www.scytl.com

NOTICE: The information in this e-mail and in any of its attachments is
confidential and intended solely for the attention and use of the named
addressee(s). If you are not the intended recipient, any disclosure, copying,
distribution or retaining of this message or any part of it, without the prior
written consent of Scytl Secure Electronic Voting, SA is prohibited and may be
unlawful. If you have received this in error, please contact the sender and
delete the material from any computer.
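The thread's practical question is how to tell whether a migrated domain is still handing out RC4 Kerberos material after the functional level has been raised. The script below is an added example for this archive page, not Samba project code: it parses two kinds of text an administrator already has after a classicupgrade, ldbsearch-style records carrying the msDS-SupportedEncryptionTypes attribute (bit values per MS-KILE) and MIT krb5 `klist -e` output, whose "Etype (skey, tkt)" line shows the session-key and ticket encryption types. Advertising AES in the directory attribute does not prove an AES key exists, which is the point Andrew makes about the krbtgt and machine-account keys; the ticket etype on the TGT (service principal krbtgt/REALM) is the encryption type of the krbtgt key actually used, so the klist check is the one that confirms the fix. The sample inputs, DNs and realm are constructed for the example.

```python
"""Audit Kerberos enc types after a Samba 3 -> 4 migration (added example)."""
import re

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
ENC_NAMES = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
AES_BITS = 0x08 | 0x10


def decode_enc_types(value):
    """Names of the enc types whose bits are set in value, lowest bit first."""
    names = [name for bit, name in sorted(ENC_NAMES.items()) if value & bit]
    unknown = value & ~sum(ENC_NAMES)
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def parse_ldb_records(text):
    """Map dn -> msDS-SupportedEncryptionTypes (int, or None when unset).

    Records are blank-line separated; '#' lines are ldbsearch comments.
    """
    accounts = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, enc = None, None
        for line in record.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith("dn: "):
                dn = line[4:].strip()
            elif line.lower().startswith("msds-supportedencryptiontypes:"):
                enc = int(line.split(":", 1)[1].strip())
        if dn is not None:
            accounts[dn] = enc
    return accounts


def accounts_without_aes(accounts):
    """(dn, reason) for every account that does not advertise an AES type."""
    findings = []
    for dn, enc in accounts.items():
        if enc is None:
            findings.append((dn, "msDS-SupportedEncryptionTypes unset"))
        elif not enc & AES_BITS:
            findings.append((dn, "only " + ", ".join(decode_enc_types(enc))))
    return findings


# MIT klist -e prints one of these lines under each ticket.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)")


def is_weak_etype(name):
    """RC4 and single-DES names as printed by MIT klist."""
    return name.startswith(("arcfour", "des-cbc"))


def weak_tickets(klist_text):
    """(service principal, skey etype, tkt etype) for tickets using RC4/DES."""
    findings = []
    principal = None
    for line in klist_text.splitlines():
        m = ETYPE_RE.search(line)
        if m:
            skey, tkt = m.groups()
            if is_weak_etype(skey) or is_weak_etype(tkt):
                findings.append((principal, skey, tkt))
            continue
        tokens = line.split()
        # A ticket row ends with the service principal; skip the cache header.
        if (len(tokens) >= 3 and "@" in tokens[-1]
                and not line.startswith(("Ticket cache", "Default principal"))):
            principal = tokens[-1]
    return findings


# Constructed sample data: an ldbsearch dump and a klist -e listing.
SAMPLE_LDB = """\
# record 1
dn: CN=krbtgt,CN=Users,DC=example,DC=com
msDS-SupportedEncryptionTypes: 28

# record 2
dn: CN=WS01,CN=Computers,DC=example,DC=com
msDS-SupportedEncryptionTypes: 4

# record 3
dn: CN=WS02,CN=Computers,DC=example,DC=com

# returned 3 records
"""

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: miquel@EXAMPLE.COM

Valid starting       Expires              Service principal
05/06/13 10:00:00  05/06/13 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
05/06/13 10:01:00  05/06/13 20:00:00  cifs/ws01.example.com@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for dn, reason in accounts_without_aes(parse_ldb_records(SAMPLE_LDB)):
        print("no AES advertised: %s (%s)" % (dn, reason))
    for principal, skey, tkt in weak_tickets(SAMPLE_KLIST):
        print("weak ticket for %s: skey=%s tkt=%s" % (principal, skey, tkt))
```

To run it against a real domain, feed parse_ldb_records the output of something like `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(objectClass=computer)(cn=krbtgt))' msDS-SupportedEncryptionTypes` (path assumed from the /usr/local/samba prefix used in the thread) and weak_tickets the output of `klist -e` from a freshly authenticated client; a TGT whose tkt etype is still arcfour-hmac means the krbtgt key has not been regenerated, whatever the directory attribute says.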



More information about the samba-technical mailing list