Samba and legacy Windows support

Stefan Metzmacher metze at samba.org
Tue Oct 8 18:25:39 UTC 2019


On 08.10.19 at 19:42, Andreas Schneider via samba-technical wrote:
> On Tuesday, 8 October 2019 13:05:14 CEST Stefan Metzmacher via samba-technical 
> wrote:
>>> * Can we remove DES and 3DES Kerberos support for Samba 4.12?
>>
>> Yes. The question is how to store the keys.
>> Is there a way to disable DES on Windows, so that we could
>> check what they store in the Primary:Kerberos-Newer-Keys
>> and Primary:Kerberos blobs in that case?
> 
> Windows Servers with a Domain Functional Level > 2008 do not accept DES keys 
> by default. RC4 keys should be present since Windows 2000. See first answer 
> to:
> 
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/120efed0-10ad-4f78-821f-38def967f3c5/ad-kerberos-question
> 
> Also, looking at the KDC code, we don't handle DES keys; we only support RC4 and 
> AES. See source4/kdc/db-glue.c -> samba_kdc_message2entry_keys()
> 
> Looking at the code ENC_RSA_MD5 can be removed. We don't really do anything 
> with it.

kerberos_enctype_to_bitmap() handles it and we just take what we found
in pkb4->keys[i].value or pkb3->keys[i].value.

But just skipping the keys there and in gssapi is fine.

I'm just worried about the records in our database.

We had the problem before that we stored something that was unexpected
for a Windows DC and it crashed after replicating password changes from us.

>>> * When can we remove RC4 support with Kerberos?
>>
>> I think we need to keep that, because not every account
>> has aes keys, as the password might not be changed.
> 
> Ok, so we have to discuss this with Microsoft.

Maybe we could start with a special auditing warning for accounts
only having an nthash.

And also hide the nthash if aes keys are available.

For service accounts we may be able to just expose the
highest available keytype.

metze
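The policy sketched in this message (skip DES/3DES keys, warn on accounts that only have an nthash, hide the nthash once AES keys exist, expose only the highest keytype for service accounts) as an added example for this thread, not Samba's own code. It assumes the enctype numbers have already been decoded from the account's Primary:Kerberos-Newer-Keys / Primary:Kerberos blobs; the account names and key lists are constructed.

```python
from dataclasses import dataclass, field

# Kerberos enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
DES3_CBC_SHA1 = 16
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23  # the RC4 key is the NT hash itself

# Ranking used to pick the "highest available keytype".
STRENGTH = {DES_CBC_CRC: 0, DES_CBC_MD5: 0, DES3_CBC_SHA1: 1,
            RC4_HMAC: 2, AES128_CTS_HMAC_SHA1_96: 3, AES256_CTS_HMAC_SHA1_96: 4}
LEGACY = {DES_CBC_CRC, DES_CBC_MD5, DES3_CBC_SHA1}   # stored, but never served
AES = {AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96}


@dataclass
class KeyAudit:
    exposed: list                       # enctypes the KDC would hand out
    skipped: list                       # DES/3DES keys left in the record, ignored
    warnings: list = field(default_factory=list)


def audit_account_keys(name, stored_enctypes, service_account=False):
    """Apply the proposed policy to one account's (hypothetical) decoded key list."""
    present = set(stored_enctypes)
    audit = KeyAudit(exposed=[], skipped=sorted(present & LEGACY))
    # Anything we do not recognise is exactly the "unexpected record" worry above.
    for unknown in sorted(e for e in present if e not in STRENGTH):
        audit.warnings.append(f"{name}: unexpected enctype {unknown} in key blob")
    usable = {e for e in present if e in STRENGTH and e not in LEGACY}
    if not usable:
        audit.warnings.append(f"{name}: no usable Kerberos keys stored")
        return audit
    if usable == {RC4_HMAC}:
        # Auditing warning: only an nthash, password not changed since AES was enabled.
        audit.warnings.append(f"{name}: only an NT hash (RC4) key is stored")
    if usable & AES:
        usable.discard(RC4_HMAC)        # hide the nthash when AES keys are available
    ranked = sorted(usable, key=lambda e: STRENGTH[e], reverse=True)
    audit.exposed = ranked[:1] if service_account else ranked
    return audit
```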
