[Samba] klist shows DEPRECATED:arcfour-hmac
Kees van Vloten
keesvanvloten at gmail.com
Mon Nov 7 23:11:53 UTC 2022
Hi Team,
I am trying to use safe ciphers only, therefore I restrict the
encryption types on the accounts to:
msDS-SupportedEncryptionTypes: 16
And in /etc/krb5.conf:
    [libdefaults]
        canonicalize = true
        allow_weak_crypto = false
        default_tkt_enctypes = aes256-cts
        default_tgs_enctypes = aes256-cts
        permitted_enctypes = aes256-cts
Still, an export of the keytab in Samba delivers me a keytab that
includes arcfour-hmac:
    samba-tool domain exportkeytab -d 8 --principal=http/webserver.example.com webserver.keytab
    klist -kte webserver.keytab
    Keytab name: FILE:web_ravel.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 11/08/2022 00:00:11 http/webserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       2 11/08/2022 00:00:11 http/webserver.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
How is that possible with the msDS-SupportedEncryptionTypes set to 16?
What can I do to get rid of the arcfour-hmac cipher (other than deleting
it with ktutil)?
(this is with Samba 4.16.2 on Bullseye)
- Kees.
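
The mismatch described in the post can be checked mechanically. The following is an added example, not part of the original message and not Samba code: it decodes an msDS-SupportedEncryptionTypes value and flags entries in `klist -kte` output whose enctype falls outside it. The function names, the embedded sample listing, and the assumption that klist prints MIT-style enctype names with a two-field timestamp are the example's own.

```python
import re

# msDS-SupportedEncryptionTypes bit flags mapped to the enctype names that
# MIT klist prints (assumption: MIT-style names; other bits are not modelled).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# One keytab entry per line: KVNO, date, time, principal, (enctype).
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$"
)


def allowed_enctypes(mask):
    """Decode the attribute value into the set of enctype names it permits."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}


def audit_keytab(klist_output, mask):
    """Return (kvno, principal, enctype) for every key outside the mask."""
    allowed = allowed_enctypes(mask)
    findings = []
    for line in klist_output.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3) not in allowed:
            findings.append((int(m.group(1)), m.group(2), m.group(3)))
    return findings


# Constructed sample modelled on the listing in the post, one entry per line.
SAMPLE = """\
Keytab name: FILE:webserver.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/08/2022 00:00:11 http/webserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/08/2022 00:00:11 http/webserver.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

if __name__ == "__main__":
    for kvno, principal, enctype in audit_keytab(SAMPLE, 16):
        print(f"kvno {kvno} {principal}: {enctype} is outside the mask")
```

Run against a real keytab by passing the captured output of `klist -kte` and the account's attribute value to `audit_keytab`.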