Samba and legacy Windows support

Andreas Schneider asn at
Tue Oct 8 17:42:44 UTC 2019

On Tuesday, 8 October 2019 13:05:14 CEST Stefan Metzmacher via samba-technical 
> > * Can we remove DES and 3DES Kerberos support for Samba 4.12?
> Yes. The question is how to store the keys.
> Is there a way to disable DES on Windows, so that we could
> check what they store in the Primary:Kerberos-Newer-Keys
> and Primary:Kerberos blobs in that case?

Windows Servers with a Domain Functional Level > 2008 do not accept DES keys 
by default. RC4 keys should be present since Windows 2000. See first answer 
Also, looking at the KDC code, we don't handle DES keys; we only support RC4 and 
AES. See source4/kdc/db-glue.c -> samba_kdc_message2entry_keys()

Looking at the code, ENC_RSA_MD5 can be removed. We don't really do anything 
with it.

> > * When can we remove RC4 support with Kerberos?
> I think we need to keep that, because not every account
> has AES keys, as the password might not be changed.

Ok, so we have to discuss this with Microsoft.


Andreas Schneider                      asn at
Samba Team                   
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
