[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

Trever L. Adams trever at middleearth.sapphiresunday.org
Wed Aug 19 12:43:54 UTC 2015

On 08/19/2015 12:02 AM, Ritter, Marcel (RRZE) wrote:
> Hi Trever,
> things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
> root at ubuntu1:~# kinit user09999
> user09999 at S4DOM.TEST's Password: 
> root at ubuntu1:~# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: user09999 at S4DOM.TEST
>     Cache version: 4
> Server: krbtgt/S4DOM.TEST at S4DOM.TEST
> Client: user09999 at S4DOM.TEST
> Ticket etype: arcfour-hmac-md5, kvno 1
> Session key: aes256-cts-hmac-sha1-96
> Ticket length: 1074
> Auth time:  Aug 19 07:53:10 2015
> End time:   Aug 19 17:53:04 2015
> Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
> Addresses: addressless
> Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything?
> If so, how do I do that?
> I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key: 
> <...>
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
> Ticket length: 2278
> <...>
> Any other ideas?
> Bye,
>     Marcel
My environment is S4 for servers only. All of my services are in Linux.
I am not sure what yours are.


It is 0004-s4-scripting-devel-Add-tool-to-roll-over-the-krbtgt-.patch
that you are after.

I am using v4-2-stable for building my own. This patch was not applied
to this tree/branch, so you will have to pull it out of the email
message. Apply both parts of the patch. You will need to make
source4/scripting/devel/chgkrbtgtpass executable and then run it.

I know that was part of it. I also had to rejoin the Linux machines that
hosted services (this likely would have been unnecessary had I just
waited for them to change their passwords).

I hope this gets you the rest of the way.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20150819/855d186a/signature.sig>

More information about the samba mailing list