[Samba] How to disable des and rc4 in the active directory domain controller ?

[Andrew Bartlett]

On Sun, 2014-12-28 at 20:06 +0800, Dongsheng Song wrote:
> On Sun, Dec 28, 2014 at 2:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
> >> Hi,
> >>
> >> When I run 'samba-tool domain exportkeytab', I found the exported
> >> keytab file include arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
> >> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
> >> modify /etc/krb5.conf no help.
> >>
> >> My DC running with samba 4.1.13, and the server role is active
> >> directory domain controller.
> >
> > The 'allow_weak_keys = false' option (which is the default) in the
> > krb5.conf is the tool for controlling this.   Currently this only
> > disables DES, and only at runtime, not at the layer the keytab export
> > uses.
> >
> > When we update Heimdal, we will have to be careful, as I checked
> > recently and arcfour-hmac-md5 has been declared weak (as you desire),
> > and this will break Windows 2003 and WinXP clients.
> >
> > Additionally, until Samba 4.2, we were defaulting to Windows 2003
> > functional level, so haven't been storing the newer AES keys :-(
> >
> 
> Then there is no way to only enable aes256-cts-hmac-sha1-96 in Samba ?

Not currently, and frankly I think NTLM (in particular, but even NTLMv2)
is by far the weaker point.  In the meantime, clients will negotiate the
best grade security they can, so ensure you provisioned in 2008R2
functional level, and force NTLMv2 as the only acceptable NTLM mech with
'ntlm auth = false' in the smb.conf.

However, someone was to taken on the significant task of an upgrade to
2012R2 functional level, that includes hardening of services to AES
only.  

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba