[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
Ritter, Marcel (RRZE)
marcel.ritter at fau.de
Mon Aug 24 13:14:23 UTC 2015
on one of my machines I'm running latest samba git - your tools
are included there, and work nicely. On this machine I now got AES
working as expected - thanks a lot !
On my other test setup I'm running samba 4.1.6 (Ubuntu package).
Do you know if it's safe to run ./chgktbtgtpass (from latest git)
against those databases if I intend to use the old packaged samba
From: Trever L. Adams [mailto:trever at middleearth.sapphiresunday.org]
Sent: Wednesday, 19 August 2015 14:44
To: Ritter, Marcel (RRZE) <marcel.ritter at fau.de>; samba at lists.samba.org
Subject: Re: AW: [Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
On 08/19/2015 12:02 AM, Ritter, Marcel (RRZE) wrote:
> Hi Trever,
> things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
> root at ubuntu1:~# kinit user09999
> user09999 at S4DOM.TEST's Password:
> root at ubuntu1:~# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: user09999 at S4DOM.TEST
> Cache version: 4
> Server: krbtgt/S4DOM.TEST at S4DOM.TEST
> Client: user09999 at S4DOM.TEST
> Ticket etype: arcfour-hmac-md5, kvno 1
> Session key: aes256-cts-hmac-sha1-96
> Ticket length: 1074
> Auth time: Aug 19 07:53:10 2015
> End time: Aug 19 17:53:04 2015
> Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
> Addresses: addressless
> Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything?
> If so, how do I do that?
> I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key:
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 2 Ticket length: 2278
> Any other ideas?
My environment is S4 for servers only. All of my services are in Linux.
I am not sure what yours are.
It is 0004-s4-scripting-devel-Add-tool-to-roll-over-the-krbtgt-.patch
that you are after.
I am using v4-2-stable for building my own. This patch was not applied to this tree/branch, so you will have to pull it out of the email message. Apply both parts of the patch. You will need to make source4/scripting/devel/chgkrbtgtpass executable and then run it.
I know that was part of it. I also had to rejoin the Linux machines that hosted services (this likely would have been unnecessary had I just waited for them to change their passwords).
I hope this gets you the rest of the way.
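As an added illustration that is not part of the thread: a small Python check that parses the Heimdal `klist -v` output quoted above and reports which cached tickets are still issued with an RC4 or DES etype, and whose long-term key that points at. The ticket etype is fixed by the key of the service principal the ticket is for (the krbtgt account for a TGT), while the session key is negotiated per request between client and KDC, which is why the post shows an AES session key inside an arcfour TGT. The sample text is constructed from the values quoted in the post plus a hypothetical second service ticket (`cifs/fs01.s4dom.test`) for contrast; the `parse_klist_v`, `key_owner` and `audit` functions are mine, not Samba's.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the `klist -v` output quoted in the thread (values as
# shown in the post) plus a hypothetical second service ticket for contrast.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user09999@S4DOM.TEST

  Cache version: 4

Server: krbtgt/S4DOM.TEST@S4DOM.TEST
Client: user09999@S4DOM.TEST
Ticket etype: arcfour-hmac-md5, kvno 1
Session key: aes256-cts-hmac-sha1-96
Ticket length: 1074
Auth time:  Aug 19 07:53:10 2015
End time:   Aug 19 17:53:04 2015
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless

Server: cifs/fs01.s4dom.test@S4DOM.TEST
Client: user09999@S4DOM.TEST
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: aes256-cts-hmac-sha1-96
Ticket length: 1410
Auth time:  Aug 19 07:53:10 2015
End time:   Aug 19 17:53:04 2015
Ticket flags: pre-authent, forwardable
Addresses: addressless
"""

# Heimdal names for the RC4 and single-DES enctypes that should no longer appear.
WEAK_ETYPES = {"arcfour-hmac-md5", "arcfour-hmac-md5-56",
               "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

_ETYPE_RE = re.compile(r"^Ticket etype:\s*(?P<etype>\S+?),\s*kvno\s+(?P<kvno>\d+)")


def parse_klist_v(text: str) -> List[Dict[str, Optional[object]]]:
    """Split Heimdal `klist -v` output into one dict per cached ticket."""
    tickets: List[Dict[str, Optional[object]]] = []
    current: Optional[Dict[str, Optional[object]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            current = {"server": line.split(":", 1)[1].strip(),
                       "ticket_etype": None, "kvno": None, "session_etype": None}
            tickets.append(current)
        elif current is None:
            continue  # cache header lines before the first ticket
        elif line.startswith("Ticket etype:"):
            m = _ETYPE_RE.match(line)
            if m:
                current["ticket_etype"] = m.group("etype")
                current["kvno"] = int(m.group("kvno"))
        elif line.startswith("Session key:"):
            current["session_etype"] = line.split(":", 1)[1].strip()
    return tickets


def key_owner(server: str) -> str:
    """Name the account whose long-term key seals a ticket for `server`.

    A TGT (krbtgt/REALM) is sealed with the krbtgt account's key, so a weak
    TGT etype means that key needs rolling (the kvno increments when it is);
    any other ticket is sealed with the key of the service's own account.
    """
    if server.startswith("krbtgt/"):
        return "krbtgt account (roll its password, e.g. with chgkrbtgtpass)"
    return "service account for %s (reset its password or rejoin the host)" % server


def audit(tickets: List[Dict[str, Optional[object]]]) -> List[Dict[str, object]]:
    """Report every ticket whose ticket or session-key etype is on the weak list."""
    findings: List[Dict[str, object]] = []
    for t in tickets:
        for field in ("ticket_etype", "session_etype"):
            etype = t[field]
            if etype in WEAK_ETYPES:
                findings.append({
                    "server": t["server"], "field": field, "etype": etype,
                    "kvno": t["kvno"],
                    # only a weak *ticket* etype points at one long-term key;
                    # the session key is negotiated per request
                    "key_owner": key_owner(str(t["server"])) if field == "ticket_etype"
                    else "negotiated session key; check client/KDC enctype config",
                })
    return findings


if __name__ == "__main__":
    for f in audit(parse_klist_v(SAMPLE_KLIST)):
        print("%s: %s is %s (kvno %s) -> %s"
              % (f["server"], f["field"], f["etype"], f["kvno"], f["key_owner"]))
```

Run on the sample it reports only the TGT, since its ticket etype is arcfour while its session key is already AES; after the krbtgt password has been rolled, a fresh `kinit` and re-run should show an AES ticket etype with a higher kvno.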