[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

Ritter, Marcel (RRZE) marcel.ritter at fau.de
Tue Aug 18 20:28:40 UTC 2015


I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":

# kinit testuser1
  testuser1 at S4DOM.TEST's Password:

# klist -v
  Credentials cache: FILE:/tmp/krb5cc_0
  Ticket etype: arcfour-hmac-md5, kvno 1

I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of "arcfour-hmac-md5".

Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this:

# kinit -e aes256-cts-hmac-sha1-96 Administrator
   Administrator at S4DOM.TEST's Password:
   kinit: krb5_get_init_creds: KDC has no support for encryption type

# kinit -e arcfour-hmac-md5 Administrator
   Administrator at S4DOM.TEST's Password:
⇒ Succeeds, with arcfour ticket

This looks like the samba 4 DC does not offer AES encryption types at all.

So I tried to raise the function level (if i recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same.

# samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2

I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git-Checkout - no difference so far.

What am I missing here?
Do I need to take some extra steps after the domain level raise to use AES?
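An added check for auditing this from the defender's side (example code, not part of Marcel's post or of Samba): it decodes an account's msDS-SupportedEncryptionTypes bitmask using the bit layout documented in MS-KILE, and flags non-AES tickets in `klist -v` output. The klist text inside is constructed, modelled on the output above, and it is an assumption that this attribute is what governs the etypes offered for the poster's accounts.

```python
"""Decode msDS-SupportedEncryptionTypes and flag non-AES Kerberos tickets."""
import re

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
AES_MASK = 0x08 | 0x10
STRONG = {ETYPE_BITS[0x08], ETYPE_BITS[0x10]}

# Constructed `klist -v` output, modelled on the post; not a real capture.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: testuser1@S4DOM.TEST
  Ticket etype: arcfour-hmac-md5, kvno 1
  Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
"""

TICKET_RE = re.compile(r"^\s*Ticket etype:\s*([\w-]+),\s*kvno\s+(\d+)", re.M)


def decode_supported_etypes(value):
    """Return the etype names whose bits are set in the attribute value.

    An unset attribute (0) enables nothing explicitly; the KDC then applies
    its own defaults, so an empty set means "AES not explicitly enabled".
    """
    return {name for bit, name in ETYPE_BITS.items() if value & bit}


def aes_enabled(value):
    """True when either AES bit is set, i.e. the account may get AES keys/tickets."""
    return bool(value & AES_MASK)


def ticket_etypes(klist_output):
    """Parse `klist -v` text into [(etype, kvno), ...] for every ticket listed."""
    return [(m.group(1), int(m.group(2))) for m in TICKET_RE.finditer(klist_output)]


def weak_tickets(klist_output):
    """Etypes of tickets that are not AES: the symptom reported in the post."""
    return [etype for etype, _ in ticket_etypes(klist_output) if etype not in STRONG]
```

Feed `decode_supported_etypes` the integer value read from the account object (for example via `ldbsearch` or `samba-tool`), and `weak_tickets` the text of `klist -v` after a `kinit`.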

