[Samba] Samba not providing the right encryption in Kerberos

Sebastian Lisic lisic at uw.edu
Sat Jun 13 10:22:01 UTC 2020

That worked! 

Once I changed the TGT password the tickets started using the proper encryption.

Thanks for the fast response, Andrew!

During the 4.10 to 4.11 upgrade each DC was unjoined then rejoined to the domain, so I assume they have all the encryption types.

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org> 
Sent: Saturday, June 13, 2020 12:22 AM
To: Sebastian Lisic <lisic at uw.edu>; 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: Re: [Samba] Samba not providing the right encryption in Kerberos

On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba wrote:
> Hi,
> I have a domain with 3 DCs running 4.11.8. The database itself dates 
> back to Samba3 and has been gradually updated over the years.

I'm not sure why, but this probably doesn't have all the encryption types for either the user or the krbtgt account.  Change the password on both.  The user account the normal way, the krbtgt with samba/source4/scripting/devel/chgkrbtgtpass

Be aware that this might unsettle the domain if replication is not working smoothly, as we need to get the new krbtgt password to every DC quickly.  Clients running will find their tickets not accepted until they do a kinit again.

You might want to rotate the server accounts; they are rotated with samba/source4/scripting/devel/chgtdcpass.  In the server case we keep the last password to allow old tickets to work.

Andrew Bartlett
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
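
Added example (not part of the thread and not Samba project code): one way to confirm the outcome described above is to parse MIT `klist -e` output after a fresh kinit and list tickets whose session-key or ticket enctype is not AES. It assumes "proper encryption" means the AES enctypes, which the messages do not state; the sample output, realm and principals are constructed.

```python
import re

# Assumption: AES enctypes are the "proper" ones; the thread does not name them.
STRONG_PREFIXES = ("aes128-", "aes256-")

# Constructed sample of MIT `klist -e` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
06/13/2020 09:00:00  06/13/2020 19:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 06/20/2020 09:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
06/13/2020 09:05:00  06/13/2020 19:00:00  cifs/dc1.example.test@EXAMPLE.TEST
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# A ticket line is: start date, start time, end date, end time, principal.
TICKET_RE = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+@\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(\S+),\s*(\S+)")

def parse_klist(text):
    """Return [(service_principal, session_key_etype, ticket_etype), ...]."""
    tickets, current = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.search(line)
        if m and current:
            # Newer MIT releases prefix weak enctypes with "DEPRECATED:".
            skey, tkt = (e.replace("DEPRECATED:", "") for e in m.groups())
            tickets.append((current, skey, tkt))
            current = None
    return tickets

def weak_tickets(text):
    """Tickets whose session key or ticket enctype is not AES."""
    # The ticket enctype of krbtgt/REALM depends on the keys the krbtgt
    # account holds, which is what a krbtgt password change regenerates.
    return [t for t in parse_klist(text)
            if not all(e.startswith(STRONG_PREFIXES) for e in t[1:])]

if __name__ == "__main__":
    for principal, skey, tkt in weak_tickets(SAMPLE_KLIST):
        print(f"WEAK {principal}: skey={skey} tkt={tkt}")
```
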
