Samba and legacy Windows support
Andreas Schneider
asn at samba.org
Tue Oct 8 17:42:44 UTC 2019
On Tuesday, 8 October 2019 13:05:14 CEST Stefan Metzmacher via samba-technical wrote:
> > * Can we remove DES and 3DES Kerberos support for Samba 4.12?
>
> Yes. The question is how to store the keys.
> Is there a way to disable DES on Windows, so that we could
> check what they store in the Primary:Kerberos-Newer-Keys
> and Primary:Kerberos blobs in that case.

Windows Servers with a Domain Functional Level > 2008 do not accept DES keys
by default. RC4 keys should be present since Windows 2000. See the first answer
to:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/120efed0-10ad-4f78-821f-38def967f3c5/ad-kerberos-question

Also, looking at the KDC code, we don't handle DES keys; we only support RC4 and
AES. See source4/kdc/db-glue.c -> samba_kdc_message2entry_keys()

Looking at the code, ENC_RSA_MD5 can be removed. We don't really do anything
with it.

> > * When can we remove RC4 support with Kerberos?
>
> I think we need to keep that, because not every account
> has aes keys, as the password might not be changed.

Ok, so we have to discuss this with Microsoft.

Andreas

--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D