[Samba] How to disable des and rc4 in the active directory domain controller ?
Andrew Bartlett
abartlet at samba.org
Sat Dec 27 23:29:25 MST 2014
On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
> Hi,
>
> When I run 'samba-tool domain exportkeytab', I found that the exported
> keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
> modifying /etc/krb5.conf does not help.
>
> My DC is running samba 4.1.13, and the server role is active
> directory domain controller.
The 'allow_weak_keys = false' option (which is the default) in the
krb5.conf is the tool for controlling this. Currently this only
disables DES, and only at runtime, not at the layer the keytab export
uses.
When we update Heimdal, we will have to be careful, as I checked
recently and arcfour-hmac-md5 has been declared weak (as you desire),
and this will break Windows 2003 and WinXP clients.
Additionally, until Samba 4.2, we were defaulting to Windows 2003
functional level, so haven't been storing the newer AES keys :-(
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
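Since the thread establishes that `allow_weak_keys` does not filter what `samba-tool domain exportkeytab` writes, an operator still needs to see which enctypes actually landed in a keytab. The following is an added example, not code from Samba or from either poster: it parses the version-2 keytab layout that MIT krb5 and Heimdal share (big-endian fields, 16-bit length-prefixed strings) and lists entries whose enctype is single-DES or RC4. The enctype numbers come from the IANA Kerberos registry; the principal, realm, key bytes and `build_keytab` helper are constructed here purely to produce sample input offline.

```python
"""Audit a v2 Kerberos keytab for weak enctypes (DES, RC4).

Added illustration, not Samba project code. The layout follows the
MIT krb5 keytab file format, version 0x0502.
"""
import struct
import sys

# Enctype numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
    24: "arcfour-hmac-md5-exp",
}
# Single-DES and RC4 variants: the keys an AD DC operator wants gone.
WEAK_ENCTYPES = {1, 2, 3, 23, 24}


def _counted(data, off):
    """Read a 16-bit length-prefixed string at offset `off`."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Return a list of entry dicts (principal, enctype, vno, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2)
        _name_type, _timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "vno": vno, "key": key})
    return entries


def build_keytab(records):
    """Serialize (realm, components, enctype, key, vno) tuples as a v2 keytab.
    Only used here to construct sample input; constructed, not exported data."""
    out = bytearray(b"\x05\x02")
    for realm, comps, enctype, key, vno in records:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type 1 = KRB5_NT_PRINCIPAL; timestamp 0 is a placeholder
        body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample mirroring the enctype mix reported in the thread.
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.COM", ["host", "dc1.example.com"], 18, b"\x11" * 32, 2),
    ("EXAMPLE.COM", ["host", "dc1.example.com"], 17, b"\x22" * 16, 2),
    ("EXAMPLE.COM", ["host", "dc1.example.com"], 23, b"\x33" * 16, 2),
    ("EXAMPLE.COM", ["host", "dc1.example.com"], 3, b"\x44" * 8, 2),
    ("EXAMPLE.COM", ["host", "dc1.example.com"], 1, b"\x55" * 8, 2),
])


def weak_keys(entries):
    """Return (principal, enctype-name) pairs for DES/RC4 entries."""
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], "enctype-%d" % e["enctype"]))
            for e in entries if e["enctype"] in WEAK_ENCTYPES]


def audit_file(path):
    with open(path, "rb") as fh:
        return weak_keys(parse_keytab(fh.read()))


if __name__ == "__main__":
    found = audit_file(sys.argv[1]) if len(sys.argv) > 1 else weak_keys(parse_keytab(SAMPLE_KEYTAB))
    for principal, name in found:
        print("WEAK: %s %s" % (principal, name))
```

Run it with the path of an exported keytab as the first argument; with no argument it audits the constructed sample. A clean result means the DC is no longer handing out DES or RC4 keys for that principal, which is the condition the original question is really asking about.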