Kacper Wirski
2025-Feb-17 10:20 UTC
[Samba] samba with stronger enctypes (exportkeytab and kinit)
Hello,

I have an issue with the samba-tool domain exportkeytab command: it is exporting a keytab with only RC4 encryption, even though the account (--principal) in the command has msDS-SupportedEncryptionTypes: 24, so only AES128 and AES256. I can later add other encryption types to the keytab, but I think I shouldn't have to; in the Samba wiki section on generating keytabs it's stated that other enctypes should be added.

I checked the account with "net ads enctypes list <accountname>" and it shows correctly. I tried resetting with "net ads enctypes accountname", which sets, apart from aes128 and aes256, rc4, and re-exported with the same result.

I've just recently updated to samba 4.17 AD DC on Debian 11 from the backports, with schema version 69 and domain level 2008_R2 (so the max supported values for this samba version). I had the same behaviour in the older 4.13.

Also, on a similar note, I'm not sure if it's the same in newer samba versions, but:

- in 4.13 all tickets had the TGT with RC4 and the session key with RC4
- in 4.17 all tickets have the TGT with RC4 and only the session keys are now encrypted with AES

Is it expected behaviour? Shouldn't the TGT also be moved to AES, especially with accounts that have explicitly stated msDS-SupportedEncryptionTypes 24 (only AES)? It's the same on both Windows and Linux:

Etype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac

On all Samba AD DCs, krb5.conf in /var/lib/samba/private has all the default settings created during domain provision/join, and the secrets.keytab used by the DCs has all 3 encryption types (RC4, AES128 and AES256).

As I said, I am planning to upgrade samba to newer versions in the near future, but first I'm verifying that everything works fine after the mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting is "expected" or something is off.

Regards,
Kacper
Rowland Penny
2025-Feb-17 10:39 UTC
[Samba] samba with stronger enctypes (exportkeytab and kinit)
On Mon, 17 Feb 2025 11:20:28 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have an issue with the samba-tool domain exportkeytab command: it is
> exporting a keytab with only RC4 encryption, even though the account
> (--principal) in the command has msDS-SupportedEncryptionTypes: 24,
> so only AES128 and AES256.
>
> I can later add other encryption types to the keytab, but I think I
> shouldn't have to; in the Samba wiki section on generating keytabs
> it's stated that other enctypes should be added.
>
> I checked the account with "net ads enctypes list <accountname>" and it
> shows correctly. I tried resetting with "net ads enctypes
> accountname", which sets, apart from aes128 and aes256, rc4, and
> re-exported with the same result.
>
> I've just recently updated to samba 4.17 AD DC on Debian 11 from the
> backports, with schema version 69 and domain level 2008_R2 (so the
> max supported values for this samba version). I had the same behaviour
> in the older 4.13.
>
> Also, on a similar note, I'm not sure if it's the same in newer samba
> versions, but:
>
> - in 4.13 all tickets had the TGT with RC4 and the session key with RC4
> - in 4.17 all tickets have the TGT with RC4 and only the session keys
>   are now encrypted with AES
>
> Is it expected behaviour? Shouldn't the TGT also be moved to AES,
> especially with accounts that have explicitly stated
> msDS-SupportedEncryptionTypes 24 (only AES)?
>
> It's the same on both Windows and Linux:
> Etype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
>
> On all Samba AD DCs, krb5.conf in /var/lib/samba/private has all the
> default settings created during domain provision/join, and the
> secrets.keytab used by the DCs has all 3 encryption types (RC4, AES128
> and AES256).
>
> As I said, I am planning to upgrade samba to newer versions in the near
> future, but first I'm verifying that everything works fine after the
> mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting
> is "expected" or something is off.

I think you need to reset the krbtgt password as well.

Rowland
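The two checks discussed in this thread (does the exported keytab carry the enctypes that msDS-SupportedEncryptionTypes advertises for the account, and is the TGT itself still encrypted with RC4, which points at the krbtgt account's keys rather than the user's) can be scripted against the output of MIT Kerberos `klist -ket <keytab>` and `klist -e`. The block below is an added example written for this page; it is not Samba code and was not posted by either participant. It assumes MIT klist output formatting (including the `DEPRECATED:` prefix shown in the thread); the keytab listing, credential-cache listing, realm and principal names are constructed sample data, not taken from the posters' domain.

```python
"""Check Samba AD keytab and ticket enctypes against msDS-SupportedEncryptionTypes.

Added example for the thread above; not Samba's code. Parses text copied from
MIT Kerberos `klist -ket` and `klist -e`, so it runs offline on constructed input.
"""
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
# 24 == 0x08 | 0x10, i.e. AES128 + AES256 only, as in the original post.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# Constructed sample: what `klist -ket /tmp/app.keytab` might print after
# `samba-tool domain exportkeytab` wrote only an RC4 key (hypothetical principal).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/tmp/app.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/17/2025 10:20:28 HTTP/app.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

# Constructed sample: `klist -e` after kinit, showing an AES session key but a
# TGT still encrypted with RC4 (the krbtgt account's key, not the user's).
SAMPLE_CCACHE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kacper@EXAMPLE.COM

Valid starting       Expires              Service principal
02/17/2025 10:20:28  02/17/2025 20:20:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
"""


def decode_supported_enctypes(mask):
    """Return the enctype names selected by an msDS-SupportedEncryptionTypes value."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}


def _normalize(etype):
    # Newer MIT klist prints weak enctypes as "DEPRECATED:arcfour-hmac"; drop the tag.
    return etype.strip().split(":")[-1]


def keytab_enctypes(klist_ket_output):
    """Parse `klist -ket` output into {principal: {enctype, ...}}."""
    entries = {}
    # KVNO, date, time, principal, (enctype)
    pat = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
    for line in klist_ket_output.splitlines():
        m = pat.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(_normalize(m.group(2)))
    return entries


def check_keytab(mask, klist_ket_output, principal):
    """Compare the enctypes AD advertises for an account with the keys in its keytab."""
    wanted = decode_supported_enctypes(mask)
    have = keytab_enctypes(klist_ket_output).get(principal, set())
    return {
        "missing": sorted(wanted - have),      # advertised in AD, absent from keytab
        "unexpected": sorted(have - wanted),   # in keytab, not advertised in AD
        "weak": sorted(have & WEAK),           # RC4/DES keys present at all
    }


def ticket_enctypes(klist_e_output):
    """Return (session_key_enctype, ticket_enctype) pairs from `klist -e` output."""
    pat = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")
    return [(_normalize(m.group(1)), _normalize(m.group(2)))
            for m in pat.finditer(klist_e_output)]


def tgt_uses_weak_enctype(klist_e_output):
    """True if any ticket in the cache is encrypted with an RC4/DES key."""
    return any(tkt in WEAK for _, tkt in ticket_enctypes(klist_e_output))


if __name__ == "__main__":
    report = check_keytab(24, SAMPLE_KEYTAB_LISTING, "HTTP/app.example.com@EXAMPLE.COM")
    print("keytab check:", report)
    print("ticket enctypes (skey, tkt):", ticket_enctypes(SAMPLE_CCACHE_LISTING))
    print("TGT encrypted with weak enctype:", tgt_uses_weak_enctype(SAMPLE_CCACHE_LISTING))
```

Run against the real outputs, `check_keytab` reports the mismatch the original post describes (AES128 and AES256 missing, RC4 present although the attribute value 24 does not advertise it), and `tgt_uses_weak_enctype` separates the two symptoms: the session key enctype follows the client's negotiation, while the ticket enctype follows the keys held by the service principal, which for a TGT is the krbtgt account, hence Rowland's suggestion to reset that password.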