On Tue, 16 Sep 2025 13:17:16 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:
> Good afternoon,
>
> On 2025-09-16 09:40, Rowland Penny via samba wrote:
> >> Resetting my password using samba-tool on the DC still has it set
> >> to 0. I assumed this would use modern hashing and update that
> >> field...
> > From my understanding, you need to set the computers
> > msDS-SupportedEncryptionTypes attribute to '28' and get the
> > functional level to 2008 or above and then change the KRBTGT
> > password and Samba provides a script for that. Download a samba
> > tarball and unpack it, the script you require 'chgkrbtgtpass' is in
> > source4/scripting/devel/.
>
> I must still be missing something.
>
> I bumped the level of the domain to 2008_R2:
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
>
> I reset the krbtgt password:
>
> Unix username: krbtgt
> User SID: S-1-5-21-2975800572-1361866626-3835100225-502
> Primary Group SID: S-1-5-21-2975800572-1361866626-3835100225-513
> Password last set: Tue, 16 Sep 2025 12:42:43 EDT
> Password can change: Tue, 16 Sep 2025 12:42:43 EDT
>
> I connected a clean, new test VM with Debian Trixie (4.22), and it
> has the encryption types set correctly:
>
> dn: CN=ADTEST,CN=Computers,DC=mydomain,DC=ca
> msDS-SupportedEncryptionTypes: 28
>
> I have reset my own user password after all of that.
>
> I have left and rejoined a few times, clearing the krb cache files
> and sssd databases between, with reboots in between.
>
> sudo authenticates my password, but still spits out:
>
> "Warning: encryption type arcfour-hmac used for authentication is
> deprecated and will be disabled"
>
> Is there anything obvious I'm missing at this point?
>
There must be, but what I am unsure of.

If I run kinit and then 'klist -e', I get this:

Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
16/09/25 18:43:15  17/09/25 04:43:15  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 17/09/25 18:43:08, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

As you can see, no RC4.

My /etc/krb5.conf is the standard Samba one, no mention of any keys.

My big difference is that I do not use sssd, I just use Samba and
winbind everywhere.

Just what command produces that message?
Rowland
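A small helper for the two checks the thread turns on: what a given msDS-SupportedEncryptionTypes value actually enables, and whether any ticket in a credential cache still carries an RC4 (arcfour-hmac) key. This is an added example, not code from the thread participants or from Samba. The bit values follow the MS-KILE definition of the attribute (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256, 32 AES256-SK), the etype names are the ones MIT `klist -e` prints, and the klist output it parses is constructed for the example; note that 28 decodes to RC4 plus both AES types, whereas 24 is AES only.

```python
# Added example (not from the Samba list thread): decode an AD
# msDS-SupportedEncryptionTypes bitmask and scan `klist -e` output for
# tickets whose session key or ticket key uses a deprecated etype.
import re

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}

# etype names, as printed by MIT klist -e, that are deprecated or disabled.
WEAK_ETYPES = {
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
}


def decode_supported_enctypes(value):
    """Return the etype names enabled by an msDS-SupportedEncryptionTypes value."""
    value = int(value)
    names = [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]
    unknown = value & ~sum(ENC_TYPE_BITS)          # bits we do not know about
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def aes_only(value):
    """True when the bitmask enables only AES etypes (no RC4 and no DES bits set)."""
    value = int(value)
    return value != 0 and (value & 0x07) == 0


# A ticket line: "<start date> <start time>  <expiry date> <expiry time>  <principal>"
_TICKET_RE = re.compile(r"^(\d\S* \S+)\s+(\d\S* \S+)\s+(\S+)\s*$")
# The continuation line klist -e prints: "... Etype (skey, tkt): <skey>, <tkt>"
_ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (\S+), (\S+)")


def parse_klist(text):
    """Parse `klist -e` output into one dict per ticket (service, skey_etype, tkt_etype)."""
    tickets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _ETYPE_RE.search(line)
        if m and current is not None:
            current["skey_etype"], current["tkt_etype"] = m.group(1), m.group(2)
            continue
        m = _TICKET_RE.match(line)
        if m:
            current = {"starting": m.group(1), "expires": m.group(2),
                       "service": m.group(3), "skey_etype": None, "tkt_etype": None}
            tickets.append(current)
    return tickets


def weak_tickets(text):
    """Return (service principal, field, etype) for every deprecated etype in the cache."""
    findings = []
    for t in parse_klist(text):
        for field in ("skey_etype", "tkt_etype"):
            etype = t[field]
            if etype and etype.lower() in WEAK_ETYPES:
                findings.append((t["service"], field, etype))
    return findings


# Constructed sample: an AES-only TGT plus a service ticket that was issued
# with an RC4 ticket key, i.e. the service account still has RC4 enabled.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
16/09/25 18:43:15  17/09/25 04:43:15  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 17/09/25 18:43:08, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
16/09/25 18:43:20  17/09/25 04:43:15  host/legacy.example.test@EXAMPLE.TEST
\trenew until 17/09/25 18:43:08, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
"""

if __name__ == "__main__":
    for v in (28, 24):
        print(v, decode_supported_enctypes(v), "AES only:", aes_only(v))
    for service, field, etype in weak_tickets(SAMPLE_KLIST):
        print("deprecated etype %s in %s of ticket for %s" % (etype, field, service))
```

Run it against a real cache with `klist -e | python3 this_script.py` adapted to read stdin, or paste the output into SAMPLE_KLIST; a finding in tkt_etype points at the service account's keys (the DC issued the ticket with an RC4 key for that principal), while a finding in skey_etype points at what the client and KDC negotiated.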