Masopust, Christian
2010-Aug-26 15:41 UTC
[Samba] Change of kerberos encryption from DES to AES
Hello all,

as our Windows DCs will switch off DES encryption in the near future I have to change our Samba-Server to AES encryption.

If I understand it correctly I have to change kerberos-configuration to new encryption type (aes256-cts-hmac-sha1-96) and then re-join my Samba-Server to the domain.

Is this correct? Any other things to consider?

Thanks a lot,
Christian

On Thu, Aug 26, 2010 at 10:41 AM, Masopust, Christian <christian.masopust at siemens.com> wrote:
> Hello all,
>
> as our Windows DCs will switch off DES encryption in the near future I
> have to change our Samba-Server to AES encryption.
>
> If I understand it correctly I have to change kerberos-configuration to
> new encryption type (aes256-cts-hmac-sha1-96) and then re-join my
> Samba-Server to the domain.
>
> Is this correct? Any other things to consider?
>
> Thanks a lot,
> Christian

I don't know how helpful this will be, but I will need to do the same. I believe the Samba server should generate the supported encryption types from AD. Not sure you have to manually change it, but the following blog posts I have found helpful.

http://blogs.msdn.com/b/alextch/archive/tags/ad+interop/

This is one 2006 howto video on migrating from DES to RC4.

http://blogs.msdn.com/b/alextch/archive/2006/07/18/MITtoADRC4.aspx
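
An added example, not part of the original thread or of Samba: before the DCs stop accepting DES, a check like this shows whether a host's Kerberos client configuration still pins DES or omits the AES type named above. It assumes MIT-style `krb5.conf` settings in `[libdefaults]` (`default_tkt_enctypes`, `default_tgs_enctypes`, `permitted_enctypes`, `allow_weak_crypto`); the sample configurations and the realm name are constructed.

```python
import re

# DES enctype names accepted in an MIT-style krb5.conf ("des" is the family alias).
DES_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TARGET = "aes256-cts-hmac-sha1-96"            # enctype named in the thread
TARGET_ALIASES = {TARGET, "aes256-cts", "aes"}  # MIT short forms that include it
TRUE_VALUES = {"true", "t", "yes", "y", "1", "on"}

def audit_krb5_conf(text):
    """Return findings about DES usage in the [libdefaults] section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append("allow_weak_crypto is enabled")
        if key in ENCTYPE_KEYS:
            # Entries prefixed with "-" remove a type from the list, so skip them.
            types = [t.lower() for t in re.split(r"[\s,]+", value)
                     if t and not t.startswith("-")]
            weak = [t for t in types if t in DES_ENCTYPES]
            if weak:
                findings.append(f"{key} lists DES: {', '.join(weak)}")
            if not TARGET_ALIASES.intersection(types):
                findings.append(f"{key} does not list {TARGET}")
    return findings

# Constructed sample input: a DES-pinned config and an AES-only config.
SAMPLE_DES = """[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    allow_weak_crypto = true
"""
SAMPLE_AES = SAMPLE_DES.replace("des-cbc-md5 des-cbc-crc", TARGET) \
                       .replace("allow_weak_crypto = true", "allow_weak_crypto = false")

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_DES):
        print(finding)
```

A configuration with none of these keys set produces no findings, because the library defaults then apply.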