[Samba] samba with stronger enctypes (exportkeytab and kinit)
Kacper Wirski
kacper.wirski at gmail.com
Mon Feb 17 10:20:28 UTC 2025
Hello,
I have an issue with the samba-tool domain exportkeytab command, that is
exporting the keytab only with RC4 encryption, even though the account
(--principal) in the command has msDS-SupportedEncryptionTypes: 24,
so only AES128 and AES256.
I can later add other encryption types to the keytab, but I think I
shouldn't have to, in the wiki section of samba in generating keytabs
it's stated that other enc types should be added.
I checked the account with "net ads enctypes list <accountname>" and it
shows correctly; I tried resetting with "net ads enctypes accountname",
which sets, apart from aes128 and aes256, rc4, and I re-exported with the
same result.
I've just recently updated to samba 4.17 ad dc on debian 11 from the
backports, with schema version 69 and domain level 2008_R2 (so the max
supported values for this samba version). I had the same behavior in
older, 4.13.
Also, on a similar note, I'm not sure if it's the same in newer samba
versions, but:
- in 4.13 all tickets had TGT with RC4 and session key with RC4
- in 4.17 all tickets have TGT with RC4 and only session keys are now
encrypted with AES
Is it expected behaviour, shouldn't TGT be also moved to AES, especially
with accounts that had explicitly stated msDS-SupportedEncryptionTypes
24 (only AES)?
It's the same on both Windows and Linux:
Etype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
On all samba AD DC's krb5.conf in /var/lib/samba/private has all the
default settings created during domain provision/join, secrets.keytab
used by the DC's have all 3 encryption types (RC4, AES128 and AES256).
As I said, I am planning to upgrade samba to newer versions in the near
future, but first I'm verifying that everything works fine after the
mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting is
"expected" or something is off.
Regards,
Kacper