Ritter, Marcel (RRZE)
2015-Aug-18 20:28 UTC
[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
Hi, I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“: # kinit testuser1 testuser1 at S4DOM.TEST's Password: # klist -v Credentials cache: FILE:/tmp/krb5cc_0 Ticket etype: arcfour-hmac-md5, kvno 1 I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of ?arcfour-hmac-md5“. Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this: # kinit -e aes256-cts-hmac-sha1-96 Administrator Administrator at S4DOM.TEST's Password: kinit: krb5_get_init_creds: KDC has no support for encryption type # kinit -e arcfour-hmac-md5 Administrator Administrator at S4DOM.TEST's Password: ⇒ Succeeds, with arcfour ticket This looks like the samba 4 DC does not offer AES encryption types at all. So I tried to raise the function level (if i recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same. # samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2 I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git-Checkout - no difference so far. What am I missing here? Do I need to take some extra steps after the domain level raise to use AES? Bye, Marcel
Trever L. Adams
2015-Aug-19 03:54 UTC
[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
On 08/18/2015 02:28 PM, Ritter, Marcel (RRZE) wrote:> Hi, > > I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“: > > # kinit testuser1 > testuser1 at S4DOM.TEST's Password: > > # klist -v > Credentials cache: FILE:/tmp/krb5cc_0 > Ticket etype: arcfour-hmac-md5, kvno 1 > > I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of ?arcfour-hmac-md5“. > > Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this: > > # kinit -e aes256-cts-hmac-sha1-96 Administrator > Administrator at S4DOM.TEST's Password: > kinit: krb5_get_init_creds: KDC has no support for encryption type > > # kinit -e arcfour-hmac-md5 Administrator > Administrator at S4DOM.TEST's Password: > ⇒ Succeeds, with arcfour ticket > > This looks like the samba 4 DC does not offer AES encryption types at all. > > So I tried to raise the function level (if i recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same. > > # samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2 > > I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git-Checkout - no difference so far. > > What am I missing here? > Do I need to take some extra steps after the domain level raise to use AES? > > Bye, > Marcel >I recently had this problem. Have users change their passwords. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20150818/f8a05c24/signature.sig>
Ritter, Marcel (RRZE)
2015-Aug-19 06:02 UTC
[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
Hi Trever, things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour: root at ubuntu1:~# kinit user09999 user09999 at S4DOM.TEST's Password: root at ubuntu1:~# klist -v Credentials cache: FILE:/tmp/krb5cc_0 Principal: user09999 at S4DOM.TEST Cache version: 4 Server: krbtgt/S4DOM.TEST at S4DOM.TEST Client: user09999 at S4DOM.TEST Ticket etype: arcfour-hmac-md5, kvno 1 Session key: aes256-cts-hmac-sha1-96 Ticket length: 1074 Auth time: Aug 19 07:53:10 2015 End time: Aug 19 17:53:04 2015 Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable Addresses: addressless Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything? If so, how do I do that? I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key: <...> Ticket etype: aes256-cts-hmac-sha1-96, kvno 2 Ticket length: 2278 <...> Any other ideas? Bye, Marcel -----Ursprüngliche Nachricht----- Von: Trever L. Adams [mailto:trever at middleearth.sapphiresunday.org] Gesendet: Mittwoch, 19. August 2015 05:55 An: Ritter, Marcel (RRZE) <marcel.ritter at fau.de>; samba at lists.samba.org Betreff: Re: [Samba] Samba 4 DC - no AES kerberos tickets - only arcfour On 08/18/2015 02:28 PM, Ritter, Marcel (RRZE) wrote:> Hi, > > I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“: > > # kinit testuser1 > testuser1 at S4DOM.TEST's Password: > > # klist -v > Credentials cache: FILE:/tmp/krb5cc_0 > Ticket etype: arcfour-hmac-md5, kvno 1 > > I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/server) the ccache files only report usage of ?arcfour-hmac-md5“. > > Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this: > > # kinit -e aes256-cts-hmac-sha1-96 Administrator > Administrator at S4DOM.TEST's Password: > kinit: krb5_get_init_creds: KDC has no support for encryption type > > # kinit -e arcfour-hmac-md5 Administrator > Administrator at S4DOM.TEST's Password: > ⇒ Succeeds, with arcfour ticket > > This looks like the samba 4 DC does not offer AES encryption types at all. > > So I tried to raise the function level (if i recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same. > > # samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2 > > I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git-Checkout - no difference so far. > > What am I missing here? > Do I need to take some extra steps after the domain level raise to use AES? > > Bye, > Marcel >I recently had this problem. Have users change their passwords.
Reasonably Related Threads
- Samba 4 DC - no AES kerberos tickets - only arcfour
- Samba 4 DC - no AES kerberos tickets - only arcfour
- Samba 4 DC - no AES kerberos tickets - only arcfour
- How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
- kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)