[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
Trever L. Adams
trever at middleearth.sapphiresunday.org
Wed Aug 19 03:54:39 UTC 2015
On 08/18/2015 02:28 PM, Ritter, Marcel (RRZE) wrote:
> Hi,
>
> I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":
>
> # kinit testuser1
> testuser1 at S4DOM.TEST's Password:
>
> # klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
> Ticket etype: arcfour-hmac-md5, kvno 1
>
> I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of "arcfour-hmac-md5".
>
> Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this:
>
> # kinit -e aes256-cts-hmac-sha1-96 Administrator
> Administrator at S4DOM.TEST's Password:
> kinit: krb5_get_init_creds: KDC has no support for encryption type
>
> # kinit -e arcfour-hmac-md5 Administrator
> Administrator at S4DOM.TEST's Password:
> ⇒ Succeeds, with arcfour ticket
>
> This looks like the samba 4 DC does not offer AES encryption types at all.
>
> So I tried to raise the function level (if I recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same.
>
> # samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2
>
> I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git checkout - no difference so far.
>
> What am I missing here?
> Do I need to take some extra steps after the domain level raise to use AES?
>
> Bye,
> Marcel
>
I recently had this problem. Have users change their passwords.
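The RC4-only state Marcel describes can be checked from a keytab directly rather than by trial kinit runs. The following is an added example, not code from the thread or from Samba: it parses a version-2 (0x0502) keytab and reports principals that carry no AES key at all. The principal names and key bytes are constructed sample data, and build_entry exists only to produce that sample.

```python
import struct
AES_TYPES = {17, 18}   # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96; 23 is arcfour-hmac-md5 (RC4)
_octets = lambda s: struct.pack(">H", len(s)) + s   # counted octet string: 16-bit big-endian length prefix

def build_entry(principal: str, enctype: int, kvno: int, key: bytes, ts: int = 0) -> bytes:
    """Encode one keytab entry (file format 0x0502); used here only to construct sample data."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name type NT-PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Yield (principal, enctype, kvno) for each live entry of a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, kvno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else kvno8  # optional 32-bit kvno
        yield "/".join(comps) + "@" + realm, enctype, kvno
        pos = end

def principals_without_aes(data: bytes) -> list:
    """Principals whose keytab entries carry no AES key at all, i.e. still RC4-only."""
    seen = {}
    for princ, enctype, _ in parse_keytab(data):
        seen.setdefault(princ, set()).add(enctype)
    return sorted(p for p, types in seen.items() if not types & AES_TYPES)

# Constructed sample: testuser1 has only an RC4 key; the NFS service principal has RC4 plus both AES keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("testuser1@S4DOM.TEST", 23, 1, b"\x11" * 16),
    build_entry("nfs/nfs1.s4dom.test@S4DOM.TEST", 23, 2, b"\x22" * 16),
    build_entry("nfs/nfs1.s4dom.test@S4DOM.TEST", 17, 2, b"\x33" * 16),
    build_entry("nfs/nfs1.s4dom.test@S4DOM.TEST", 18, 2, b"\x44" * 32)])
```

Principals that only ever show an RC4 key here are the ones whose password has not been changed since AES support became available, which is the fix the reply above points to.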