[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

Ritter, Marcel (RRZE) marcel.ritter at fau.de
Wed Aug 19 06:02:05 UTC 2015

Hi Trever,

things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:

root at ubuntu1:~# kinit user09999
user09999 at S4DOM.TEST's Password: 
root at ubuntu1:~# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user09999 at S4DOM.TEST
    Cache version: 4

Server: krbtgt/S4DOM.TEST at S4DOM.TEST
Client: user09999 at S4DOM.TEST
Ticket etype: arcfour-hmac-md5, kvno 1
Session key: aes256-cts-hmac-sha1-96
Ticket length: 1074
Auth time:  Aug 19 07:53:10 2015
End time:   Aug 19 17:53:04 2015
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless

Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything?

If so, how do I do that?

I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key: 

Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 2278

Any other ideas?


-----Ursprüngliche Nachricht-----
Von: Trever L. Adams [mailto:trever at middleearth.sapphiresunday.org] 
Gesendet: Mittwoch, 19. August 2015 05:55
An: Ritter, Marcel (RRZE) <marcel.ritter at fau.de>; samba at lists.samba.org
Betreff: Re: [Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

On 08/18/2015 02:28 PM, Ritter, Marcel (RRZE) wrote:
> Hi,
> I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“:
> # kinit testuser1
>   testuser1 at S4DOM.TEST's Password:
> # klist -v
>   Credentials cache: FILE:/tmp/krb5cc_0
>   Ticket etype: arcfour-hmac-md5, kvno 1
> I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of ?arcfour-hmac-md5“.
> Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this:
> # kinit -e aes256-cts-hmac-sha1-96 Administrator
>    Administrator at S4DOM.TEST's Password: 
>    kinit: krb5_get_init_creds: KDC has no support for encryption type
> # kinit -e arcfour-hmac-md5 Administrator
>    Administrator at S4DOM.TEST's Password:
> ⇒ Succeeds, with arcfour ticket
> This looks like the samba 4 DC does not offer AES encryption types at all.
> So I tried to raise the function level (if i recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same.
> # samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2
> I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git-Checkout - no difference so far.
> What am I missing here?
> Do I need to take some extra steps after the domain level raise to use AES?
> Bye,
>    Marcel
I recently had this problem. Have users change their passwords.

More information about the samba mailing list