[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
Ritter, Marcel (RRZE)
marcel.ritter at fau.de
Tue Aug 18 20:28:40 UTC 2015
Hi,
I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":
# kinit testuser1
testuser1 at S4DOM.TEST's Password:
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Ticket etype: arcfour-hmac-md5, kvno 1
I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of "arcfour-hmac-md5".
Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this:
# kinit -e aes256-cts-hmac-sha1-96 Administrator
Administrator at S4DOM.TEST's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type
# kinit -e arcfour-hmac-md5 Administrator
Administrator at S4DOM.TEST's Password:
⇒ Succeeds, with arcfour ticket
This looks like the samba 4 DC does not offer AES encryption types at all.
So I tried to raise the function level (if I recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same.
# samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2
I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git checkout - no difference so far.
What am I missing here?
Do I need to take some extra steps after the domain level raise to use AES?
Bye,
Marcel
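As an added example (not part of Marcel's post and not Samba's own tooling): a small Python script that parses the per-ticket enctype lines from `klist` output like the one quoted above and flags tickets the KDC issued with RC4 (arcfour) or DES, which is the quickest way to confirm on a client whether a DC is handing out AES tickets at all. The Heimdal `klist -v` line format ("Ticket etype: ..., kvno N") is taken from the post; support for MIT's `klist -e` "Etype (skey, tkt):" lines is an assumption added here so the same check works on either client library. The `read_cache` helper and the sample principals (`nfs/nfsserver.s4dom.test` and so on) are constructed for the example.

```python
"""Flag Kerberos tickets that were issued with legacy RC4/DES enctypes.

Added example (not from the mailing-list post or from Samba): it parses
the per-ticket "Ticket etype:" lines printed by Heimdal's `klist -v`, as
quoted in the thread, and (assumption) MIT's `klist -e` "Etype (skey,
tkt):" lines, and reports tickets whose ticket enctype is RC4 or DES.
"""
import re
import subprocess

# Enctype names as printed by Heimdal and MIT tools.  RC4 and DES are the
# legacy types; AES is what a 2008 R2-level domain is expected to issue.
WEAK_ETYPES = {
    "arcfour-hmac-md5", "arcfour-hmac", "arcfour-hmac-md5-56",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
}
STRONG_ETYPES = {
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192",
}

HEIMDAL_SERVER = re.compile(r"^\s*Server:\s*(\S+)")
HEIMDAL_ETYPE = re.compile(r"^\s*Ticket etype:\s*([\w-]+),\s*kvno\s*(\d+)")
# MIT prints "Etype (skey, tkt): <session key type>, <ticket type>"; the
# second value is the type the ticket itself is encrypted with.
MIT_ETYPE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def classify(etype):
    """Return 'weak', 'strong' or 'unknown' for an enctype name."""
    if etype in WEAK_ETYPES:
        return "weak"
    if etype in STRONG_ETYPES:
        return "strong"
    return "unknown"


def parse_klist(text):
    """Extract {server, etype, kvno} records from klist output.

    Heimdal prints a 'Server:' line followed by 'Ticket etype:'.  MIT prints
    the service principal as the last token of a dated line, followed by an
    indented 'Etype (skey, tkt):' line; kvno is not shown there (None).
    """
    tickets = []
    server = None
    previous = ""
    for line in text.splitlines():
        m = HEIMDAL_SERVER.match(line)
        if m:
            server = m.group(1)
        m = HEIMDAL_ETYPE.match(line)
        if m:
            tickets.append({"server": server, "etype": m.group(1),
                            "kvno": int(m.group(2))})
        m = MIT_ETYPE.match(line)
        if m:
            tokens = previous.split()
            tickets.append({"server": tokens[-1] if tokens else None,
                            "etype": m.group(2), "kvno": None})
        if line.strip():
            previous = line
    return tickets


def weak_tickets(text):
    """Tickets whose ticket enctype is RC4 or DES."""
    return [t for t in parse_klist(text) if classify(t["etype"]) == "weak"]


def summarize(text):
    """Count tickets per strength class, e.g. {'weak': 1, 'strong': 1, 'unknown': 0}."""
    counts = {"weak": 0, "strong": 0, "unknown": 0}
    for t in parse_klist(text):
        counts[classify(t["etype"])] += 1
    return counts


def read_cache(cmd=("klist", "-v")):
    """Run klist (Heimdal: -v, MIT: -e) on the live ccache and parse it."""
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_klist(out)


# Constructed sample, modelled on the Heimdal `klist -v` output quoted in
# the thread: a krbtgt ticket issued with RC4 and an NFS ticket with AES.
SAMPLE_HEIMDAL = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: testuser1@S4DOM.TEST

Server: krbtgt/S4DOM.TEST@S4DOM.TEST
Client: testuser1@S4DOM.TEST
Ticket etype: arcfour-hmac-md5, kvno 1
Ticket flags: pre-authent, initial, renewable, forwardable

Server: nfs/nfsserver.s4dom.test@S4DOM.TEST
Client: testuser1@S4DOM.TEST
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket flags: pre-authent, renewable, forwardable
"""

# Constructed sample in MIT `klist -e` layout (assumed format).
SAMPLE_MIT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@S4DOM.TEST

Valid starting       Expires              Service principal
08/18/2015 20:28:40  08/19/2015 06:28:40  krbtgt/S4DOM.TEST@S4DOM.TEST
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
"""

if __name__ == "__main__":
    for t in weak_tickets(SAMPLE_HEIMDAL):
        print("legacy enctype %s for %s" % (t["etype"], t["server"]))
    print(summarize(SAMPLE_HEIMDAL))
```

Running `read_cache()` against a real cache right after `kinit` shows the krbtgt ticket's enctype; if it is still arcfour after raising the domain level, the KDC (not the client) is the place to look, which is what the post's `kinit -e aes256-cts-hmac-sha1-96` failure already suggests.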