[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

Ritter, Marcel (RRZE) marcel.ritter at fau.de
Mon Aug 24 13:14:23 UTC 2015

Hi Trever,

on one of my machines I'm running latest samba git - your tools
are included there, and work nicely. On this machine I now got AES
working as expected - thanks a lot !

On my other test setup I'm running samba 4.1.6 (Ubuntu package).

Do you know if it's safe to run ./chgktbtgtpass (from latest git)
against those databases if I intent to use the old packaged samba
version afterwards?


-----Urspr√ľngliche Nachricht-----
Von: Trever L. Adams [mailto:trever at middleearth.sapphiresunday.org] 
Gesendet: Mittwoch, 19. August 2015 14:44
An: Ritter, Marcel (RRZE) <marcel.ritter at fau.de>; samba at lists.samba.org
Betreff: Re: AW: [Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

On 08/19/2015 12:02 AM, Ritter, Marcel (RRZE) wrote:
> Hi Trever,
> things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
> root at ubuntu1:~# kinit user09999
> user09999 at S4DOM.TEST's Password: 
> root at ubuntu1:~# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: user09999 at S4DOM.TEST
>     Cache version: 4
> Server: krbtgt/S4DOM.TEST at S4DOM.TEST
> Client: user09999 at S4DOM.TEST
> Ticket etype: arcfour-hmac-md5, kvno 1 Session key: 
> aes256-cts-hmac-sha1-96 Ticket length: 1074 Auth time:  Aug 19 
> 07:53:10 2015
> End time:   Aug 19 17:53:04 2015
> Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
> Addresses: addressless
> Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything?
> If so, how do I do that?
> I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key: 
> <...>
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 2 Ticket length: 2278 
> <...>
> Any other ideas?
> Bye,
>     Marcel
My environment is S4 for servers only. All of my services are in Linux.
I am not sure what yours are.


It is 0004-s4-scripting-devel-Add-tool-to-roll-over-the-krbtgt-.patch
that you are after.

I am using v4-2-stable for building my own. This patch was not applied to this tree/branch, so you will have to pull it out of the email message. Apply both parts of the patch. You will need to make source4/scripting/devel/chgkrbtgtpass executable and then run it.

I know that was part of it. I also had to rejoin the Linux machines that hosted services (this likely would have been unnecessary had I just waited for them to change their passwords).

I hope this gets you the rest of the way.


More information about the samba mailing list