[Samba] samba with stronger enctypes (exportkeytab and kinit)

Rowland Penny rpenny at samba.org
Mon Feb 17 10:39:11 UTC 2025


On Mon, 17 Feb 2025 11:20:28 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have an issue with the samba-tool domain exportkeytab command: it is 
> exporting a keytab with only RC4 encryption, even though the account 
> (--principal) in the command has msDS-SupportedEncryptionTypes: 24,
> 
> so only AES128 and AES256.
> 
> I can later add other encryption types to the keytab, but I think I 
> shouldn't have to; the Samba wiki section on generating keytabs 
> states that the other enc types should be added.
> 
> I checked the account with "net ads enctypes list <accountname>" and it 
> shows correctly. I tried resetting with "net ads enctypes
> accountname", which sets rc4 in addition to aes128 and aes256, and
> re-exported with the same result.
> 
> I've just recently updated to Samba 4.17 AD DC on Debian 11 from the 
> backports, with schema version 69 and domain level 2008_R2 (so the
> max supported values for this Samba version). I had the same behaviour
> in the older 4.13.
> 
> 
> Also, on a similar note, I'm not sure if it's the same in newer samba 
> versions, but:
> 
> - in 4.13 all tickets had TGT with RC4 and session key with RC4
> 
> - in 4.17 all tickets have TGT with RC4 and only session keys are now 
> encrypted with AES
> 
> Is this expected behaviour? Shouldn't the TGT also be moved to AES,
> especially for accounts that have explicitly stated
> msDS-SupportedEncryptionTypes 24 (only AES)?
> 
> It's the same on both Windows and Linux: Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
> 
> 
> On all Samba AD DCs, krb5.conf in /var/lib/samba/private has all the 
> default settings created during domain provision/join, and the secrets.keytab 
> used by the DCs has all 3 encryption types (RC4, AES128 and AES256).
> 
> 
> As I said, I am planning to upgrade Samba to newer versions in the near 
> future, but first I'm verifying that everything works fine after the 
> mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting
> is "expected" or something is off.

I think you need to reset the krbtgt password as well.

Rowland
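A way to check, after an export, whether a keytab actually carries every enctype the account's msDS-SupportedEncryptionTypes value advertises (the thread's 24 = AES128 + AES256). This is an added example, not code from the thread or from Samba; it assumes MIT-style "klist -ke" output and uses a constructed sample listing with a hypothetical principal.

```python
import re

# msDS-SupportedEncryptionTypes bit flags as documented in MS-KILE.
# The thread's value 24 = 0x08 | 0x10, i.e. AES128 and AES256 only.
ENCTYPE_FLAGS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed sample of `klist -ke` output (hypothetical principal) for a
# keytab that, like the one in the thread, carries an RC4 key the account
# does not advertise and lacks the AES128 key it does.
SAMPLE_KLIST = """Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/srv1.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   3 host/srv1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: KVNO, principal, "(enctype)" with optional DEPRECATED: tag.
_KT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)\s*$")


def supported_enctypes(value: int) -> set:
    """Decode an msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return {name for bit, name in ENCTYPE_FLAGS.items() if value & bit}


def keytab_enctypes(klist_output: str, principal: str) -> set:
    """Collect the enctypes present in klist -ke output for one principal."""
    found = set()
    for line in klist_output.splitlines():
        m = _KT_LINE.match(line)
        if m and m.group(2) == principal:
            found.add(m.group(3))
    return found


def compare_keytab(klist_output: str, principal: str, supported_value: int):
    """Return (advertised but missing from keytab, in keytab but not advertised)."""
    wanted = supported_enctypes(supported_value)
    have = keytab_enctypes(klist_output, principal)
    return wanted - have, have - wanted


if __name__ == "__main__":
    missing, extra = compare_keytab(SAMPLE_KLIST, "host/srv1.example.test@EXAMPLE.TEST", 24)
    print("advertised but missing from keytab:", sorted(missing))
    print("in keytab but not advertised:", sorted(extra))
```

Run it against real "klist -ke" output and the account's attribute to see at a glance which keys still need exporting and which legacy keys a client could still be offered.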