[Samba] samba with stronger enctypes (exportkeytab and kinit)

Kees van Vloten keesvanvloten at gmail.com
Mon Feb 17 10:44:19 UTC 2025


On 17-02-2025 at 11:39, Rowland Penny via samba wrote:
> On Mon, 17 Feb 2025 11:20:28 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have an issue with the samba-tool domain exportkeytab command: it is
>> exporting a keytab only with RC4 encryption, even though the account
>> (--principal) in the command has msDS-SupportedEncryptionTypes: 24,
>>
>> so only AES128 and AES256.
>>
>> I can later add other encryption types to the keytab, but I think I
>> shouldn't have to; in the section of the Samba wiki on generating
>> keytabs it's stated that other enc types should be added.
>>
>> I checked the account with "net ads enctypes list <accountname>" and it
>> shows correctly. I tried resetting with "net ads enctypes
>> accountname", which sets, apart from aes128 and aes256, rc4; I
>> re-exported with the same result.

There is a bug in some versions of Samba where it keeps on adding the 
rc4 encryption type. It has been fixed in recent versions; I don't know 
exactly which one.


- Kees.

>>
>> I've just recently updated to Samba 4.17 AD DC on Debian 11 from the
>> backports, with schema version 69 and domain level 2008_R2 (so the
>> max supported values for this Samba version). I had the same behaviour
>> in the older 4.13.
>>
>>
>> Also, on a similar note, I'm not sure if it's the same in newer Samba
>> versions, but:
>>
>> - in 4.13 all tickets had the TGT with RC4 and the session key with RC4
>>
>> - in 4.17 all tickets have the TGT with RC4 and only the session keys
>> are now encrypted with AES
>>
>> Is it expected behaviour? Shouldn't the TGT also be moved to AES,
>> especially with accounts that have explicitly stated
>> msDS-SupportedEncryptionTypes 24 (only AES)?
>>
>> It's the same on both Windows and Linux: Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
>>
>>
>> On all Samba AD DCs, krb5.conf in /var/lib/samba/private has all the
>> default settings created during domain provision/join; the secrets.keytab
>> used by the DCs has all 3 encryption types (RC4, AES128 and AES256).
>>
>>
>> As I said, I am planning to upgrade Samba to newer versions in the near
>> future, but first I'm verifying that everything works fine after the
>> intermediate upgrade from 4.13 -> 4.17, and I'm not sure whether what
>> I'm getting is "expected" or something is off.
> I think you need to reset the krbtgt password as well.
>
> Rowland
>
>
>
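Added example, not part of this thread and not Samba's own tooling: a small shell audit for the situation described above. It decodes an msDS-SupportedEncryptionTypes value into enctype names (bit values 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256, as defined in MS-KILE; 24 = 0x18 = AES128 + AES256) and compares an MIT-style "klist -kte" listing of an exported keytab against that set, flagging any entry whose enctype the account does not advertise. The keytab listing, the principal svc-test@EXAMPLE.COM and the file name are constructed for the example; the "DEPRECATED:" prefix that newer MIT klist prints in front of arcfour-hmac is ignored for the comparison.

```shell
#!/bin/sh
# Added example for the exportkeytab/RC4 discussion; not Samba code and
# not from any poster. Decodes msDS-SupportedEncryptionTypes and audits a
# "klist -kte" listing of an exported keytab against it.

# Bit values from MS-KILE for msDS-SupportedEncryptionTypes:
#   1 DES-CBC-CRC   2 DES-CBC-MD5   4 RC4-HMAC
#   8 AES128-CTS-HMAC-SHA1-96       16 AES256-CTS-HMAC-SHA1-96
# Names use the spelling MIT klist prints so they compare directly.
decode_enctypes() {
  v=$(( $1 )); out=""
  [ $(( v & 1 )) -ne 0 ]  && out="$out des-cbc-crc"
  [ $(( v & 2 )) -ne 0 ]  && out="$out des-cbc-md5"
  [ $(( v & 4 )) -ne 0 ]  && out="$out arcfour-hmac"
  [ $(( v & 8 )) -ne 0 ]  && out="$out aes128-cts-hmac-sha1-96"
  [ $(( v & 16 )) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
  printf '%s\n' "${out# }"
}

# Turn a "klist -kte" listing on stdin into "principal enctype" lines.
# MIT klist prints the enctype in parentheses at the end of each entry;
# header and separator lines do not start with a KVNO and are skipped.
keytab_entries() {
  sed -n 's/^ *[0-9][0-9]* .* \([^ ]*\) (\([^)]*\))[[:space:]]*$/\1 \2/p'
}

# audit_keytab <msDS-SupportedEncryptionTypes> < listing
# Prints one UNEXPECTED line per entry whose enctype is not in the
# account's advertised set; returns 1 if any were found, 0 if clean.
audit_keytab() {
  allowed=" $(decode_enctypes "$1") "
  entries=$(keytab_entries)
  bad=0
  while read -r principal etype; do
    [ -n "$etype" ] || continue
    e=${etype#DEPRECATED:}            # newer MIT klist tags RC4 this way
    case "$allowed" in
      *" $e "*) ;;
      *) printf 'UNEXPECTED %s %s\n' "$principal" "$etype"; bad=1 ;;
    esac
  done <<EOF
$entries
EOF
  return $bad
}

# Constructed listing (not real output): what the poster describes, an RC4
# entry alongside the AES ones, for an account set to 24 (AES only).
SAMPLE_LISTING='Keytab name: FILE:/tmp/svc.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/17/2025 10:00:00 svc-test@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   2 02/17/2025 10:00:00 svc-test@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/17/2025 10:00:00 svc-test@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Demonstration on the constructed listing.
echo "24 decodes to: $(decode_enctypes 24)"
if printf '%s\n' "$SAMPLE_LISTING" | audit_keytab 24; then
  echo "keytab matches the account's enctypes"
else
  echo "keytab has entries the account does not advertise"
fi
```

Against a real export, source the file and run `klist -kte /path/to/exported.keytab | audit_keytab <value>` with the value the account carries in msDS-SupportedEncryptionTypes. The check only says what is in the keytab file; it cannot tell whether the KDC will issue AES-encrypted TGTs, since that depends on the keys of the krbtgt account itself, which is why the krbtgt password reset suggested above is a separate step.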


