[Samba] Upgrade to Samba 4.12 question

Rowland penny rpenny at samba.org
Mon Oct 5 09:26:34 UTC 2020

On 05/10/2020 09:49, Jiří Černý via samba wrote:
> Hello, guys.
> I‘d like to upgrade our Samba 4.11 AD to 4.12. In release notes,
> „Retiring DES encryption types in Kerberos.
> ------------------------------------------
> With this release, support for DES encryption types has been removed
> from
> Samba, and setting DES_ONLY flag for an account will cause Kerberos
> authentication to fail for that account (see RFC-6649).“
> In our network, we have some really ancient machines, which are SMB one
> only. These are CNC machines with some embedded Windows like 95, so
> upgrade of OS is impossible.
> While that machines communicate with fileserver, I can see this message
> in log.samba on DC:
> „ Auth: [NETLOGON,ServerAuthenticate] user [SVMETAL]\[TCL3030$] at
> [Mon, 05 Oct 2020 10:31:40.762795 CEST] with [DES] status
> [NT_STATUS_DOWNGRADE_DETECTED] workstation [(null)] remote host
> [ipv4:] mapped to [(null)]\[(null)]. local host
> [ipv4:]  NETLOGON computer [TCL3030] trust account
> [(null)]“.
> Does it mean, when I upgrade to Samba 4.12, that machine communications
> will be refused?
> So we have to stay (stuck) on Samba 4.11?
> Or is there possibility to go around this?
Stop me if I am wrong, but, from memory (long time since I saw a win95 
machine), win9x never used kerberos, it only used lanman auth, so 
changes to kerberos shouldn't affect you. If it worked on 4.11.x, it 
should work on 4.12.x


More information about the samba mailing list