[Samba] Updating OpenSSL from 1.x to 3 breaks kinit

Andrew Bartlett abartlet at samba.org
Thu Nov 2 19:47:33 UTC 2023


On Thu, 2023-11-02 at 16:04 +0100, MATYAS, Tibor via samba wrote:
> Dear all,
> 
> updating OpenSSL from 1.1.x to 3.x on our Gentoo systems (recompiled
> everything against the new OpenSSL!)
> breaks kinit:
> 
> kinit administrator at xxxx
> administrator at xxxx's Password:
> kinit: rc4 8: EVP_CipherInit_ex einit
> 
> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc 
> dhcpduser at xxxx
> kinit: rc4 8: EVP_CipherInit_ex einit
> 
> openssl list -cipher-algorithms | grep -i RC4
>    RC4
>    RC4-40
>    RC4-HMAC-MD5
> 
> Unfortunately no solution found so far.
> 
> Thanks in advance, Tibor
> 

Try changing the administrator password so you get an AES key.  Check
you have updated your domain functional level to 2008R2 (the current
default). 

Samba doesn't ship kinit, that is MIT Kerberos (most likely) which will
be using OpenSSL for the crypto and may be restricted by the
limitations against old crypto.  It may also be possible to disable
those limitations.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
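
An added example, not part of the original message and not Samba or Kerberos project code: one way to check whether a keytab such as the one passed to `kinit -k -t` above holds only RC4 (arcfour-hmac, enctype 23) keys for a principal, which is the case the advice to get an AES key addresses. It assumes the standard version 0x0502 keytab file layout; the function names, the realm EXAMPLE.TEST and the sample entries are constructed for illustration.

```python
import struct
AES = {17, 18}   # aes128/aes256-cts-hmac-sha1-96; enctype 23 is arcfour-hmac (RC4)

def counted(data, p):   # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:               # hole left by a deleted entry: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp.decode())
        kvno, etype = struct.unpack_from(">BH", data, p + 8)  # after name_type, timestamp
        _key, p = counted(data, p + 11)
        if end - p >= 4:            # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(comps) + "@" + realm.decode(), kvno, etype
        pos = end

def rc4_only(data):
    """Principals whose newest key version has no AES key in this keytab."""
    newest = {}
    for princ, kvno, etype in parse_keytab(data):
        newest.setdefault(princ, {}).setdefault(kvno, set()).add(etype)
    return sorted(p for p, k in newest.items() if not k[max(k)] & AES)

def entry(princ, realm, kvno, etype, key):   # builds one constructed test entry
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = princ.split(b"/")
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(entry(*e) for e in [   # constructed, all-zero keys
    (b"dhcpduser", b"EXAMPLE.TEST", 2, 23, bytes(16)),
    (b"host/dc1", b"EXAMPLE.TEST", 3, 23, bytes(16)),
    (b"host/dc1", b"EXAMPLE.TEST", 3, 18, bytes(32))])
```

To audit a real file, pass its bytes, for example `rc4_only(open(path, "rb").read())`; any principal it returns needs a new keytab exported after the account has been given AES keys.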



