[Samba] Windows login problem to a Samba AD DC

Patrick Goetz pgoetz at math.utexas.edu
Wed Nov 24 17:49:45 UTC 2021 

Quick question about this.  One of my Windows colleagues alerted me this 
morning that MS is recommending  RC4 be removed entirely. Is Samba 
already set up to deal with this?

On 11/24/21 11:32, Andrew Bartlett via samba wrote:
> On Wed, 2021-11-24 at 12:20 -0300, tizo via samba wrote:
>> I have a pristine Samba AD DC installed (Samba 4.15 in Rocky Linux
>> 8.5). I
>> have joined a Windows 10 client without any problems. After
>> restarting, I
>> try to login with a test user (the only user aside from the
>> administrator),
>> and it keeps saying "Username or password is incorrect" (maybe this
>> is not
>> the exact translation, as the language is Spanish). Moreover, I am
>> almost
>> sure that the password is the right one, as I have tested it with
>> kinit in
>> the Samba AD DC server. I have also tested with the administrator
>> user with
>> the same results. It seems to me that Windows doesn't even try to
>> contact
>> Samba AD DC, as the message is displayed very fast (and no useful
>> information is logged in Samba AD DC).
> 
> Very likely fixed by this commit in 4.15.1:
> 
> commit be8fb0218af1a1529cd7a349a57a11dbfaeb7368
> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
> Date:   Fri Oct 8 15:53:47 2021 +1300
> 
>      heimdal:kdc: Only check for default salt for des-cbc-crc enctype
>      
>      Previously, this algorithm was preferring RC4 over AES for machine
>      accounts in the preauth case. This is because AES keys for machine
>      accounts in Active Directory use a non-default salt, while RC4 keys
> do
>      not use a salt. To avoid this behaviour, only prefer keys with
> default
>      salt for the des-cbc-crc enctype.
>      
>      BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
>      BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
>      
>      Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>      Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>      (cherry picked from commit
> 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53)
>      
>      Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
>      Autobuild-Date(v4-15-test): Fri Oct 22 08:39:30 UTC 2021 on sn-
> devel-184
> 
> Sorry for the regression,
> 
> Andrew Bartlett
>

More information about the samba mailing list