samba - Dec 2023 - DEPRECATED:arcfour-hmac

On Fri, 01 Dec 2023 16:23:37 +0000
bd730c5053df9efb via samba <samba at lists.samba.org> wrote:
> Hello!
> 
> I'm trying to setup dovecot to do single sign on with a samba 4.18.9
> DC on slackware 15.0 (in case the experimental mit thing we discussed
> yesterday could be part of the issue) following
>
https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory
> and
> https://doc.dovecot.org/configuration_manual/authentication/kerberos/
> 
> I executed the commands
> samba-tool spn add imap/host.samdom.example.com dovecotuser
> samba-tool domain exportkeytab --principal
> imap/host.samdom.example.com /root/dovecot.keytab
> 
> but when I check the created keytab with the command 
> klist -Kek /etc/dovecot/dovecot.keytab the output is as follows
> Keytab name: FILE:dovecot.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 3 imap/host.samdom.example.com at EXAMPLE.COM (DEPRECATED:arcfour-hmac)
> (0x6a83392f4fe666aa7e4e14033ef54896)
> 
> I know I have tried this before in another slackware setup and I'm
> postive the output of this command included other algorithms but I
> don't have that environment available anymore to check samba's or
> slackware's version or the output of the command.
> 
> Is there a reason why I only get the arcfour-hmac encryption and not
> any of the others I saw documented in the forementioned pages? Is
> there something I can do to modify this without recompiling samba? If
> not, Is it possible to compile samba without linking it to MIT while
> MIT is installed instead of heimdall.
> 
> Thanks in advance.
> Best regards,
> Dave.
> 
What does 'sudo net ads enctypes list host$ -UAdministrator' show ?

Rowland

Hi Rowland, thank you very much for your prompt reply

The output of the command says
'host$' uses "msDS-SupportedEncryptionTypes": 28 (0x0000001c)
[ ] 0x00000001 DES-CBC-CRC
[ ] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
[ ] 0x00000020 AES256-CTS-HMAC-SHA1-96-SK
[ ] 0x00080000 RESOURCE-SID-COMPRESSION-DISABLED

Best regards,
Dave.

Sent with Proton Mail secure email.

On Friday, December 1st, 2023 at 14:34, Rowland Penny via samba <samba at
lists.samba.org> wrote:

> On Fri, 01 Dec 2023 16:23:37 +0000
> bd730c5053df9efb via samba samba at lists.samba.org wrote:
> 
> > Hello!
> > 
> > I'm trying to setup dovecot to do single sign on with a samba
4.18.9
> > DC on slackware 15.0 (in case the experimental mit thing we discussed
> > yesterday could be part of the issue) following
> >
https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory
> > and
> > https://doc.dovecot.org/configuration_manual/authentication/kerberos/
> > 
> > I executed the commands
> > samba-tool spn add imap/host.samdom.example.com dovecotuser
> > samba-tool domain exportkeytab --principal
> > imap/host.samdom.example.com /root/dovecot.keytab
> > 
> > but when I check the created keytab with the command
> > klist -Kek /etc/dovecot/dovecot.keytab the output is as follows
> > Keytab name: FILE:dovecot.keytab
> > KVNO Principal
> > ----
> >
--------------------------------------------------------------------------
> > 3 imap/host.samdom.example.com at EXAMPLE.COM
(DEPRECATED:arcfour-hmac)
> > (0x6a83392f4fe666aa7e4e14033ef54896)
> > 
> > I know I have tried this before in another slackware setup and I'm
> > postive the output of this command included other algorithms but I
> > don't have that environment available anymore to check samba's
or
> > slackware's version or the output of the command.
> > 
> > Is there a reason why I only get the arcfour-hmac encryption and not
> > any of the others I saw documented in the forementioned pages? Is
> > there something I can do to modify this without recompiling samba? If
> > not, Is it possible to compile samba without linking it to MIT while
> > MIT is installed instead of heimdall.
> > 
> > Thanks in advance.
> > Best regards,
> > Dave.
> 
> 
> What does 'sudo net ads enctypes list host$ -UAdministrator' show ?
> 
> Rowland
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba