[Samba] How to disable des and rc4 in the active directory domain controller ?

Dongsheng Song dongsheng.song at gmail.com
Sun Dec 28 05:06:49 MST 2014


On Sun, Dec 28, 2014 at 2:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
>> Hi,
>>
>> When I run 'samba-tool domain exportkeytab', I found that the exported
>> keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
>> modifying /etc/krb5.conf does not help.
>>
>> My DC is running samba 4.1.13, and the server role is active
>> directory domain controller.
>
> The 'allow_weak_keys = false' option (which is the default) in the
> krb5.conf is the tool for controlling this. Currently this only
> disables DES, and only at runtime, not at the layer the keytab export
> uses.
>
> When we update Heimdal, we will have to be careful, as I checked
> recently and arcfour-hmac-md5 has been declared weak (as you desire),
> and this will break Windows 2003 and WinXP clients.
>
> Additionally, until Samba 4.2, we were defaulting to Windows 2003
> functional level, so haven't been storing the newer AES keys :-(
>

Then there is no way to only enable aes256-cts-hmac-sha1-96 in Samba?
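Since allow_weak_keys does not reach the keytab export layer, the practical check is to inspect the exported file itself rather than trust krb5.conf. The following script is an added example, not code from Samba or from anyone in this thread: it parses a keytab in the common version-2 (0x0502) on-disk format, lists every entry's enctype, and flags the single-DES and RC4 types named above. The sample keytab it runs on is constructed inline with dummy key bytes; the enctype numbers are the standard IANA/RFC assignments.

```python
import struct
import sys
from io import BytesIO

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# The enctypes this thread wants gone from the DC keytab: single DES and RC4.
WEAK_ENCTYPES = {1, 3, 23}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix + bytes, as used for keytab strings."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into a 0x0502 keytab.
    Only used here to construct sample input; samba-tool writes the real file."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components))          # v2: realm not counted
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type=PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Yield (principal, enctype_number, kvno) for every live entry in a 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format (expected version 0x0502)")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        f = BytesIO(blob[pos:end])

        def read(fmt):
            return struct.unpack(fmt, f.read(struct.calcsize(fmt)))

        (ncomp,) = read(">H")
        (rlen,) = read(">H")
        realm = f.read(rlen).decode()
        comps = []
        for _ in range(ncomp):
            (clen,) = read(">H")
            comps.append(f.read(clen).decode())
        read(">I")                        # name_type
        read(">I")                        # timestamp
        (vno8,) = read(">B")
        enctype, klen = read(">HH")
        f.read(klen)                      # the key material itself is not needed for an audit
        kvno = vno8
        if f.tell() + 4 <= size:          # trailing 32-bit kvno, present in modern keytabs
            (vno32,) = read(">I")
            if vno32:
                kvno = vno32
        yield ("/".join(comps) + "@" + realm, enctype, kvno)
        pos = end


def weak_entries(blob: bytes):
    """Return [(principal, enctype_name, kvno)] for entries using DES or RC4."""
    return [(p, ENCTYPE_NAMES.get(e, f"enctype-{e}"), k)
            for p, e, k in parse_keytab(blob) if e in WEAK_ENCTYPES]


# Constructed sample mirroring the enctype mix reported in the thread; keys are dummies.
SAMPLE_KEYTAB = build_keytab([
    ("host/dc1.example.com", "EXAMPLE.COM", 1, 18, b"\x11" * 32),
    ("host/dc1.example.com", "EXAMPLE.COM", 1, 17, b"\x22" * 16),
    ("host/dc1.example.com", "EXAMPLE.COM", 1, 23, b"\x33" * 16),
    ("host/dc1.example.com", "EXAMPLE.COM", 1, 3, b"\x44" * 8),
    ("host/dc1.example.com", "EXAMPLE.COM", 1, 1, b"\x55" * 8),
])

if __name__ == "__main__":
    # Usage: python keytab_audit.py /path/to/exported.keytab (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for principal, enctype, kvno in parse_keytab(data):
        flag = "WEAK" if enctype in WEAK_ENCTYPES else "ok"
        print(f"{flag:4} kvno={kvno} {ENCTYPE_NAMES.get(enctype, enctype)} {principal}")
```

Point it at the file written by `samba-tool domain exportkeytab`; any line marked WEAK is a key that clients can still negotiate regardless of what krb5.conf says at runtime, so it is the list to act on when deciding whether legacy clients that need DES or RC4 are still worth supporting.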