Dongsheng Song
2014-Dec-22 08:34 UTC
[Samba] How to disable des and rc4 in the active directory domain controller ?
Hi,

When I run 'samba-tool domain exportkeytab', I found the exported keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that modifying /etc/krb5.conf does not help.

My DC is running Samba 4.1.13, and the server role is active directory domain controller.

Thanks,
Dongsheng
Andrew Bartlett
2014-Dec-28 06:29 UTC
[Samba] How to disable des and rc4 in the active directory domain controller ?
On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
> Hi,
>
> When I run 'samba-tool domain exportkeytab', I found the exported
> keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
> modifying /etc/krb5.conf does not help.
>
> My DC is running Samba 4.1.13, and the server role is active
> directory domain controller.

The 'allow_weak_keys = false' option (which is the default) in the krb5.conf is the tool for controlling this. Currently this only disables DES, and only at runtime, not at the layer the keytab export uses.

When we update Heimdal, we will have to be careful, as I checked recently and arcfour-hmac-md5 has been declared weak (as you desire), and this will break Windows 2003 and WinXP clients.

Additionally, until Samba 4.2, we were defaulting to Windows 2003 functional level, so we haven't been storing the newer AES keys :-(

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
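Since allow_weak_keys does not reach the keytab export layer, the reliable check is to inspect the exported keytab itself. The script below is an added example, not code from Samba or from this thread: it parses the version 2 keytab format written by MIT and Heimdal and lists the entries keyed with DES or RC4. The principal, realm and key bytes it builds are constructed sample data.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757); WEAK is the DES/RC4 set the thread wants gone.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK = {1, 3, 23}

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v2 keytab (sample data only)."""
    out = bytearray(b"\x05\x02")                        # keytab format version 2
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                       # realm, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit kvno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body      # entry length prefix
    return bytes(out)

def parse_keytab(data):
    """Yield (principal@REALM, kvno, enctype) for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size <= 0:                                   # negative size marks a deleted slot
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack_from(">H", data, pos)[0]
        pos += 2
        strings = []
        for _ in range(ncomp + 1):                      # realm first, then components
            n = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        vno8 = struct.unpack_from(">IIB", data, pos)[2]  # skip name_type and timestamp
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                                 # the key material itself is not needed
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        yield "/".join(strings[1:]) + "@" + strings[0], kvno, etype

def weak_entries(data):
    """Return (principal, kvno, enctype name) for entries keyed with DES or RC4."""
    return [(p, k, ENCTYPES.get(e, str(e))) for p, k, e in parse_keytab(data) if e in WEAK]
```

To audit a real export, pass the bytes of the file produced by 'samba-tool domain exportkeytab' to weak_entries; an empty list means no DES or RC4 keys were written.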
Dongsheng Song
2014-Dec-28 12:06 UTC
[Samba] How to disable des and rc4 in the active directory domain controller ?
On Sun, Dec 28, 2014 at 2:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
>> Hi,
>>
>> When I run 'samba-tool domain exportkeytab', I found the exported
>> keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
>> modifying /etc/krb5.conf does not help.
>>
>> My DC is running Samba 4.1.13, and the server role is active
>> directory domain controller.
>
> The 'allow_weak_keys = false' option (which is the default) in the
> krb5.conf is the tool for controlling this. Currently this only
> disables DES, and only at runtime, not at the layer the keytab export
> uses.
>
> When we update Heimdal, we will have to be careful, as I checked
> recently and arcfour-hmac-md5 has been declared weak (as you desire),
> and this will break Windows 2003 and WinXP clients.
>
> Additionally, until Samba 4.2, we were defaulting to Windows 2003
> functional level, so we haven't been storing the newer AES keys :-(
>

Then there is no way to only enable aes256-cts-hmac-sha1-96 in Samba?