[Samba] Samba not providing the right encryption in Kerberos
lisic at uw.edu
Sat Jun 13 10:22:01 UTC 2020
Once I changed the TGT password the tickets started using the proper encryption.
Thanks for the fast response, Andrew!
During the 4.10 to 4.11 upgrade each DC was unjoined then rejoined to the domain, so I assume they have all the encryption types.
From: Andrew Bartlett <abartlet at samba.org>
Sent: Saturday, June 13, 2020 12:22 AM
To: Sebastian Lisic <lisic at uw.edu>; 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: Re: [Samba] Samba not providing the right encryption in Kerberos
On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba wrote:
> I have a domain with 3 DCs running 4.11.8. The database itself dates
> back to Samba3 and has been gradually updated over the years.
I'm not sure why, but this probably doesn't have all the encryption types for either the user or the krbtgt account. Change the password on both. The user account the normal way, the krbtgt with samba/source4/scripting/devel/chgkrbtgtpass
Be aware that this might unsettle the domain if replication is not working smoothly, as we need to get the new krbtgt password to every DC quickly. Clients running will find their tickets not accepted until they do a kinit again.
You might want to rotate the server accounts; they are rotated with samba/source4/scripting/devel/chgtdcpass. In the server case we keep the last password to allow old tickets to work.
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
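
Added example, not part of the original thread or of Samba's code: one way to confirm, after the password changes and a fresh kinit, which encryption types the new tickets use, by parsing `klist -e` output from an MIT Kerberos client. The sample output, realm and principal names are constructed, and treating anything other than AES as unexpected is an assumption.

```python
import re
import sys

# Constructed sample of MIT `klist -e` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/13/2020 09:00:00  06/13/2020 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/14/2020 09:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
06/13/2020 09:01:10  06/13/2020 19:00:00  cifs/dc1.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# "skey" is the session key type, "tkt" the key type the KDC used to
# encrypt the ticket itself (for a TGT, that is the krbtgt account's key).
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([^,\s]+), ([^,\s]+)")


def weak_tickets(klist_output):
    """Return (service, skey_etype, tkt_etype) for each ticket with a non-AES key."""
    findings = []
    service = None
    for line in klist_output.splitlines():
        fields = line.split()
        # Assumption: ticket lines are unindented, have five fields
        # (two date/time pairs plus the principal) and end in name@REALM.
        if line and not line[0].isspace() and len(fields) == 5 and "@" in fields[-1]:
            service = fields[-1]
            continue
        match = ETYPE_RE.search(line)
        if match and service:
            skey, tkt = match.groups()
            if not (skey.startswith("aes") and tkt.startswith("aes")):
                findings.append((service, skey, tkt))
            service = None
    return findings


if __name__ == "__main__":
    # Usage: klist -e | python3 this_script.py   (no stdin: use the sample)
    text = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    for service, skey, tkt in weak_tickets(text):
        print(f"non-AES ticket: {service} skey={skey} tkt={tkt}")
```

A TGT flagged on its `tkt` type points at the krbtgt account's keys, while a service ticket flagged the same way points at that server account's keys.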