[Samba] How to disable des and rc4 in the active directory domain controller ?

Andrew Bartlett abartlet at samba.org
Sat Dec 27 23:29:25 MST 2014

On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
> Hi,
> When I run 'samba-tool domain exportkeytab', I found the exported
> keytab file include arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
> modify /etc/krb5.conf no help.
> My DC running with samba 4.1.13, and the server role is active
> directory domain controller.

The 'allow_weak_keys = false' option (which is the default) in the
krb5.conf is the tool for controlling this. Currently this only
disables DES, and only at runtime, not at the layer the keytab export

When we update Heimdal, we will have to be careful, as I checked
recently and arcfour-hmac-md5 has been declared weak (as you desire),
and this will break Windows 2003 and WinXP clients.  

Additionally, until Samba 4.2, we were defaulting to Windows 2003
functional level, so haven't been storing the newer AES keys :-(

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
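Since krb5.conf does not filter what exportkeytab writes, the practical check is to inspect the exported keytab itself. The following is an added example, not code from the thread or from Samba: a small parser for the v2 keytab layout (magic 0x0502, as written by MIT and Heimdal tooling) that lists every entry and flags the DES and RC4 enctypes Dongsheng saw. The keytab bytes it reads are constructed inline by build_keytab() to mirror the enctype list in the question; the principal, realm, timestamp and key material are made up for the example.

```python
"""Walk a Kerberos v2 keytab and report entries using weak (DES/RC4) enctypes.

Added illustration, not Samba code.  The sample keytab is constructed below
(build_keytab), not exported from a real domain controller.
"""
import struct

# Enctype numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac-md5",
    24: "arcfour-hmac-md5-exp",
}
# Single DES and RC4: the enctypes the thread wants out of the keytab.
WEAK_ENCTYPES = {1, 2, 3, 23, 24}


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a v2 keytab.
    Only used here to construct sample input."""
    out = bytearray(b"\x05\x02")                      # keytab version 2
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)                  # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1419724800)         # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)        # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body    # entry length prefix
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative length = deleted slot, skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp, rlen) = struct.unpack_from(">HH", data, p); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        (_name_type, timestamp, vno8) = struct.unpack_from(">IIB", data, p); p += 9
        (enctype, klen) = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        kvno = vno8
        if end - p >= 4:              # optional 32-bit vno; zero means "use vno8"
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno, "timestamp": timestamp,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key": key,
        })
        pos = end
    return entries


def weak_entries(data: bytes):
    """(principal, enctype name) for every DES/RC4 key in the keytab."""
    return [(e["principal"], e["enctype_name"])
            for e in parse_keytab(data) if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: the same five enctypes Dongsheng saw in his export.
SAMPLE_KEYTAB = build_keytab([
    ("host/dc1.example.com", "EXAMPLE.COM", 2, 23, b"\x11" * 16),
    ("host/dc1.example.com", "EXAMPLE.COM", 2, 18, b"\x22" * 32),
    ("host/dc1.example.com", "EXAMPLE.COM", 2, 17, b"\x33" * 16),
    ("host/dc1.example.com", "EXAMPLE.COM", 2, 3, b"\x44" * 8),
    ("host/dc1.example.com", "EXAMPLE.COM", 2, 1, b"\x55" * 8),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "WEAK" if e["enctype"] in WEAK_ENCTYPES else "ok"
        print("%-4s kvno=%d %-28s %s" % (flag, e["kvno"], e["enctype_name"], e["principal"]))
```

Point parse_keytab() at the bytes of a real exported keytab to get the same listing that `klist -kte` prints, plus a machine-readable list of which entries would need to be removed before the file is deployed.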
