[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
Trever L. Adams
trever at middleearth.sapphiresunday.org
Wed Aug 19 12:43:54 UTC 2015
On 08/19/2015 12:02 AM, Ritter, Marcel (RRZE) wrote:
> Hi Trever,
> things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
> root at ubuntu1:~# kinit user09999
> user09999 at S4DOM.TEST's Password:
> root at ubuntu1:~# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: user09999 at S4DOM.TEST
> Cache version: 4
> Server: krbtgt/S4DOM.TEST at S4DOM.TEST
> Client: user09999 at S4DOM.TEST
> Ticket etype: arcfour-hmac-md5, kvno 1
> Session key: aes256-cts-hmac-sha1-96
> Ticket length: 1074
> Auth time: Aug 19 07:53:10 2015
> End time: Aug 19 17:53:04 2015
> Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
> Addresses: addressless
> Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything?
> If so, how do I do that?
> I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key:
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
> Ticket length: 2278
> Any other ideas?
My environment is S4 for servers only. All of my services are in Linux.
I am not sure what yours are.
It is 0004-s4-scripting-devel-Add-tool-to-roll-over-the-krbtgt-.patch
that you are after.
I am using v4-2-stable for building my own. This patch was not applied
to this tree/branch, so you will have to pull it out of the email
message. Apply both parts of the patch. You will need to make
source4/scripting/devel/chgkrbtgtpass executable and then run it.
I know that was part of it. I also had to rejoin the Linux machines that
hosted services (this likely would have been unnecessary had I just
waited for them to change their passwords).
I hope this gets you the rest of the way.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the samba