[Samba] msDS-SupportedEncryptionTypes gets reset on net ads join
van Vloten Kees
keesvanvloten at gmail.com
Sun May 2 08:12:06 UTC 2021
Hi Samba-team,
I have set up a Samba AD DC 4.13 and created some computer accounts with
samba-tool.
Then I reduced the possible encryption algorithms for Kerberos on the
computer accounts by setting this in Samba's LDAP:
msDS-SupportedEncryptionTypes: 16
The same settings are in /etc/krb5.conf on the domain member:
/etc/krb5.conf
[libdefaults]
default_realm = COMPOSERS.LAN
dns_lookup_kdc = false
dns_lookup_realm = false
rdns = false
allow_weak_crypto = false
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
ticket_lifetime = 10h
And in /etc/samba/smb.conf
[global]
kerberos method = system keytab
kerberos encryption types = strong
Now when I join the domain on the member with:
kinit -V join_user
net ads testjoin -k -v
I noticed the encryption algorithms on the computer account get reset to
the default of 31:
msDS-SupportedEncryptionTypes: 31
Is there anything I can do to prevent less secure encryption algorithms from
getting used by computers?
--
Kees van Vloten
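The two numbers in the post are bitmasks, and a practitioner who wants to catch this kind of reset across a domain needs to decode them rather than eyeball them. The following is an added example, not code from the post or from the Samba project: it decodes msDS-SupportedEncryptionTypes using the bit assignments from MS-KILE/MS-ADTS (0x01 DES-CBC-CRC, 0x02 DES-CBC-MD5, 0x04 RC4-HMAC, 0x08 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96, so 16 is AES256 only and 31 is all five), audits a constructed ldbsearch-style LDIF dump for accounts that advertise DES or RC4 or have no value at all, and emits an LDIF modify/replace change that pins an account back to the wanted mask. The computer names and DNs in the sample are made up; the hypothetical DC-side step of feeding the generated LDIF to ldbmodify against sam.ldb is an assumption about how one would apply it, not something the post describes.

```python
"""Decode and audit msDS-SupportedEncryptionTypes on AD computer accounts.

Bit layout per MS-KILE / MS-ADTS (added example, not Samba code):
0x01 DES-CBC-CRC, 0x02 DES-CBC-MD5, 0x04 RC4-HMAC,
0x08 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96.
So 16 = AES256 only and 31 = all five (the value the join wrote back).
"""

ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# DES and RC4 are the types a hardened domain should not advertise.
WEAK_MASK = 0x01 | 0x02 | 0x04
ATTR = "msDS-SupportedEncryptionTypes"
UNSET = "(attribute not set)"


def decode(value: int) -> list[str]:
    """Return the enctype names whose bits are set, lowest bit first."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]


def weak_types(value: int) -> list[str]:
    """Return only the weak (DES/RC4) enctypes enabled in the mask."""
    return decode(value & WEAK_MASK)


def parse_ldif(text: str) -> list[dict[str, str]]:
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines. Continuation lines and base64 values are not needed here."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        current[attr.strip()] = val.strip()
    if current:
        records.append(current)
    return records


def audit(ldif_text: str) -> dict[str, list[str]]:
    """Map each DN that needs attention to the weak enctypes it advertises.
    An account with no value is reported as UNSET so it is not overlooked."""
    findings = {}
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn")
        if dn is None:
            continue
        raw = rec.get(ATTR)
        if raw is None:
            findings[dn] = [UNSET]
            continue
        weak = weak_types(int(raw))
        if weak:
            findings[dn] = weak
    return findings


def restore_ldif(dn: str, mask: int = 0x10) -> str:
    """LDIF modify/replace change that pins the account back to `mask`."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {ATTR}\n{ATTR}: {mask}\n"


# Constructed sample: what an ldbsearch of three computer objects might print
# after WS01 was re-joined (names and DNs are made up for this example).
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=composers,DC=lan
sAMAccountName: WS01$
msDS-SupportedEncryptionTypes: 31

dn: CN=WS02,CN=Computers,DC=composers,DC=lan
sAMAccountName: WS02$
msDS-SupportedEncryptionTypes: 16

dn: CN=WS03,CN=Computers,DC=composers,DC=lan
sAMAccountName: WS03$
"""

if __name__ == "__main__":
    for dn, weak in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {', '.join(weak)}")
        # Hypothetical follow-up: pipe this to ldbmodify against sam.ldb.
        print(restore_ldif(dn), end="")
```

Run against a real dump (for example the output of ldbsearch over the Computers container, filtered to the dn, sAMAccountName and msDS-SupportedEncryptionTypes attributes) this flags every account the join has widened back to 31, and the generated change sets it to 16 again; it does not stop the join from resetting the value, which is the question the post asks.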