[Samba] Updating OpenSSL from 1.x to 3 breaks kinit

MATYAS, Tibor tibor.matyas at dsi-as.de
Fri Nov 3 08:26:10 UTC 2023


On 02.11.2023 at 20:47, Andrew Bartlett wrote:
> On Thu, 2023-11-02 at 16:04 +0100, MATYAS, Tibor via samba wrote:
>> Dear all,
>>
>> updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled
>> everything against the new openssl!)
>> breaks kinit:
>>
>> kinit administrator at xxxx
>> administrator at xxxx's Password:
>> kinit: rc4 8: EVP_CipherInit_ex einit
>>
>> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
>> dhcpduser at xxxx
>> kinit: rc4 8: EVP_CipherInit_ex einit
>>
>> openssl list -cipher-algorithms | grep -i RC4
>>     RC4
>>     RC4-40
>>     RC4-HMAC-MD5
>> unfortunately no solution found so far.
>>
>> Thanks in advance, Tibor
>>
> Try changing the administrator password so you get an AES key.  Check
> you have updated your domain functional level to 2008R2 (the current
> default).
>
> Samba doesn't ship kinit, that is MIT Kerberos (most likely) which will
> be using OpenSSL for the crypto and may be restricted by the
> limitations against old crypto.  It may also be possible to disable
> those limitations.
>
> Andrew Bartlett
>
Yes, we never changed the administrator pw since 2018, but checked the
pw, it has also an AES key! With kinit, I accidentally discovered the
following: even if I enter some random chars I get the same error:

kinit: rc4 8: EVP_CipherInit_ex einit

The latest stable heimdal(!) for gentoo is 7.8.0-r1. After I unmasked
7.8.0-r3 (latest unstable/testing) the problem is gone :-D (found no
bug report to this issue....)

Thank you all for the help! - Problem solved.




--------------------------------------------------
DSI Aerospace GmbH

Registered office: Otto-Lilienthal-Str. 1, D-28199 Bremen, Germany
Web: http://www.dsi-as.de

Managing directors: Dr.-Ing. Christian Dierker
                    M. Sc. Elias Hashem

Commercial register: HRB 17726, Amtsgericht Bremen
VAT identification number: DE 192 681 774
--------------------------------------------------
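
The quoted reply above suggests making sure an account has an AES key; for a keytab such as the one passed to `kinit -k -t` in the thread, that can be checked by reading the key types stored in the file. The following is an added example, not code from the thread or from Samba, Heimdal or MIT Kerberos. It assumes the standard file keytab format version 0x0502; the function names are hypothetical and `SAMPLE` is a constructed keytab with zeroed keys.

```python
import struct

# Kerberos enctype numbers (IANA registry); 23 is the RC4 type named in the error above.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def counted(rec, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, enctype name)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:                      # negative size: deleted entry (hole), skip it
            pos += 4 - size
            continue
        rec, pos = data[pos + 4:pos + 4 + size], pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = counted(rec, off)
            comps.append(comp)
        # skip 4-byte name type and 4-byte timestamp, then 8-bit kvno and keyblock header
        kvno, etype, keylen = struct.unpack_from(">BHH", rec, off + 8)
        off += 13 + keylen
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, f"etype-{etype}")))
    return out

def rc4_only(entries):
    """Principals whose only key type in the keytab is arcfour-hmac."""
    seen = {}
    for princ, _, name in entries:
        seen.setdefault(princ, set()).add(name)
    return sorted(p for p, names in seen.items() if names == {"arcfour-hmac"})

def make_entry(name, realm, kvno, etype, key):  # builds one constructed sample record
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", name.count("/") + 1) + cs(realm) + b"".join(map(cs, name.split("/")))
            + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (zeroed keys, made-up realm), not data from the thread.
SAMPLE = (b"\x05\x02" + make_entry("dhcpduser", "EXAMPLE.TEST", 2, 23, bytes(16))
          + make_entry("svc/host1", "EXAMPLE.TEST", 3, 23, bytes(16))
          + make_entry("svc/host1", "EXAMPLE.TEST", 3, 18, bytes(32)))
```

On a real system, pass the bytes of the keytab file to `keytab_entries`; any principal returned by `rc4_only` has no AES key in that file.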


