[Samba] Samba not providing the right encryption in Kerberos

Andrew Bartlett abartlet at samba.org
Sat Jun 13 07:21:47 UTC 2020

On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba wrote:
> Hi,
> I have a domain with 3 DCs running 4.11.8. The database itself dates
> back to Samba3 and has been gradually updates over the years.

I'm not sure why, but this probably doesn't have all the encryption
types for either the user or the krbtgt account.  Change the password
on both.  The user account the normal way, the krbtgt with

Be aware that this might unsettle the domain if replication is not
working smoothly, as we need to get the new krbtgt password to every DC
quickly.  Clients running will find their tickets not accepted until
they do a kinit again.

You might want to rotate the server accounts, they are rotated with 
samba/source4/scripting/devel/chgtdcpass.  In the server case we keep
the last password to allow old tickets to work.

Andrew Bartlett
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list