[Samba] Upgrade to Samba 4.12 question

[Andrew Bartlett]

On Mon, 2020-10-05 at 10:49 +0200, Jiří Černý via samba wrote:
> Hello, guys. 
> 
> I‘d like to upgrade our Samba 4.11 AD to 4.12. In release notes,
> REMOVED FEATURES, I see this:
> „Retiring DES encryption types in Kerberos.
> ------------------------------------------
> With this release, support for DES encryption types has been removed
> from
> Samba, and setting DES_ONLY flag for an account will cause Kerberos
> authentication to fail for that account (see RFC-6649).“
> 
> In our network, we have some really ancient machines, which are SMB
> one
> only. These are CNC machines with some embedded Windows like 95, so
> upgrade of OS is impossible.
> While that machines communicate with fileserver, I can see this
> message
> in log.samba on DC:
> „ Auth: [NETLOGON,ServerAuthenticate] user [SVMETAL]\[TCL3030$] at
> [Mon, 05 Oct 2020 10:31:40.762795 CEST] with [DES] status
> [NT_STATUS_DOWNGRADE_DETECTED] workstation [(null)] remote host
> [ipv4:192.168.1.28:1076] mapped to [(null)]\[(null)]. local host
> [ipv4:192.168.1.1:139]  NETLOGON computer [TCL3030] trust account
> [(null)]“.
> 
> Does it mean, when I upgrade to Samba 4.12, that machine
> communications
> will be refused? 
> So we have to stay (stuck) on Samba 4.11?
> Or is there possibility to go around this?

This isn't Kerberos, but NETLOGON.  There are parameters which allow
DES authentication in NETLOGON, the one you want would be "allow nt4
crypto".  However the default for that hasn't changed in years, so that
won't be it.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba