[Samba] samba with stronger enctypes (exportkeytab and kinit)
Kacper Wirski
kacper.wirski at gmail.com
Thu Mar 6 23:01:07 UTC 2025
Resetting the krbtgt password did the trick, now tickets have AES encryption.
I noticed that the ldap and cifs services from the DCs are still with rc4
and probably it's the same issue, i.e. machine accounts for the samba
DCs should've been reset. Is there a specific procedure to do it? I
know that the account with password is set at domain provision/join; with
domain members I can simply re-join, but with a domain controller I'm more
hesitant.
Regards,
Kacper
On 17.02.2025 at 11:44, Kees van Vloten via samba wrote:
>
> On 17-02-2025 at 11:39, Rowland Penny via samba wrote:
>> On Mon, 17 Feb 2025 11:20:28 +0100
>> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> I have an issue with the samba-tool domain exportkeytab command: it is
>>> exporting the keytab only with RC4 encryption, even though the account
>>> (--principal) in the command has msDS-SupportedEncryptionTypes: 24
>>>
>>> so, only AES128 AND AES256,
>>>
>>> I can later add other encryption types to the keytab, but I think I
>>> shouldn't have to; in the samba wiki section on generating keytabs
>>> it's stated that other enc types should be added.
>>>
>>> I checked the account with "net ads enctypes list <accountname>" and it
>>> shows correctly. I tried resetting with "net ads enctypes
>>> accountname", which sets, apart from aes128 and aes256, rc4; I
>>> re-exported with the same result.
>
> There is a bug in some versions of samba where it keeps on adding the
> rc4 encryption type. It has been fixed in recent versions, I don't
> know exactly which one.
>
>
> - Kees.
>
>>>
>>> I've just recently updated to samba 4.17 AD DC on debian 11 from the
>>> backports, with schema version 69 and domain level 2008_R2 (so the
>>> max supported values for this samba version). I had the same behavior
>>> in the older 4.13.
>>>
>>>
>>> Also, on a similar note, I'm not sure if it's the same in newer samba
>>> versions, but:
>>>
>>> - in 4.13 all tickets had TGT with RC4 and session key with RC4
>>>
>>> - in 4.17 all tickets have TGT with RC4 and only session keys are now
>>> encrypted with AES
>>>
>>> Is it expected behaviour? Shouldn't the TGT also be moved to AES,
>>> especially with accounts that have explicitly stated
>>> msDS-SupportedEncryptionTypes 24 (only AES)?
>>>
>>> It's both in windows and linux Etype (skey, tkt):
>>> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac)
>>>
>>>
>>> On all samba AD DC's krb5.conf in /var/lib/samba/private has all the
>>> default settings created during domain provision/join, secrets.keytab
>>> used by the DC's have all 3 encryption types (RC4, AES128 and AES256).
>>>
>>>
>>> As I said, I am planning to upgrade samba to newer versions in the near
>>> future, but first I'm verifying that everything works fine after the
>>> mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting
>>> is "expected" or something is off.
>> I think you need to reset the krbtgt password as well.
>>
>> Rowland
>>
>>
>>
>
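The thread's symptom (an account with msDS-SupportedEncryptionTypes 24 whose exported keytab only carries arcfour-hmac) is easy to check mechanically. The following Python is an added example, not code from the thread or from Samba: it decodes the msDS-SupportedEncryptionTypes bitmask using the bit values Microsoft documents for that attribute, parses the `klist -ket` output format shown in the thread (the `DEPRECATED:arcfour-hmac` label is MIT's), and reports principals whose keytab keys are RC4-only or are missing an enctype the attribute says should be there. The keytab listing is a constructed sample and the principal names are placeholders.

```python
import re
from collections import defaultdict

# Bit flags of msDS-SupportedEncryptionTypes (values as documented by Microsoft).
ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# How MIT klist names the same enctypes (DES omitted: it should never be in a keytab today).
KLIST_NAME = {
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

def decode_supported_enctypes(value):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes bitmask (24 -> AES only)."""
    return [name for bit, name in sorted(ENCTYPE_FLAGS.items()) if value & bit]

# Constructed sample of `klist -ket` output; not taken from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/example.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/06/2025 22:00:00 HTTP/web.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   5 03/06/2025 22:00:00 host/dc1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 03/06/2025 22:00:00 host/dc1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   5 03/06/2025 22:00:00 host/dc1.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
"""

# One keytab entry: KVNO, date, time, principal, "(enctype)" with optional DEPRECATED: prefix.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_klist(text):
    """Map principal -> set of enctype names found in `klist -ket` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            keys[m.group(2)].add(m.group(3))
    return dict(keys)

def missing_keys(keytab_enctypes, supported_mask):
    """Enctypes the attribute advertises that have no key in the keytab."""
    return [name for bit, name in sorted(KLIST_NAME.items())
            if supported_mask & bit and name not in keytab_enctypes]

def audit_keytab(text):
    """Flag principals whose exported keys are RC4-only or still include RC4."""
    findings = {}
    for principal, enctypes in parse_klist(text).items():
        has_aes = any(e.startswith("aes") for e in enctypes)
        has_rc4 = "arcfour-hmac" in enctypes
        if not has_aes:
            findings[principal] = "no AES key: service will only ever get RC4 tickets"
        elif has_rc4:
            findings[principal] = "AES present but an RC4 key was exported too"
    return findings

if __name__ == "__main__":
    print("mask 24 =", decode_supported_enctypes(24))
    for principal, note in audit_keytab(SAMPLE_KLIST).items():
        print(principal, "->", note)
```

Run it against real output by piping `klist -ket /path/to/keytab` into `parse_klist`; `missing_keys` takes the parsed set for one principal together with that account's msDS-SupportedEncryptionTypes value, so for the thread's case (mask 24, RC4-only keytab) it returns both AES names.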