[Samba] Samba not providing the right encryption in Kerberos
Andrew Bartlett
abartlet at samba.org
Sat Jun 13 07:21:47 UTC 2020
On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba wrote:
> Hi,
>
> I have a domain with 3 DCs running 4.11.8. The database itself dates
> back to Samba3 and has been gradually updated over the years.
I'm not sure why, but this probably doesn't have all the encryption
types for either the user or the krbtgt account. Change the password
on both: the user account the normal way, the krbtgt with
samba/source4/scripting/devel/chgkrbtgtpass.

Be aware that this might unsettle the domain if replication is not
working smoothly, as we need to get the new krbtgt password to every DC
quickly. Clients running will find their tickets not accepted until
they do a kinit again.

You might want to rotate the server accounts; they are rotated with
samba/source4/scripting/devel/chgtdcpass. In the server case we keep
the last password to allow old tickets to work.

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba