Sebastian Lisic
2020-Jun-13 06:41 UTC
[Samba] Samba not providing the right encryption in Kerberos
Hi,

I have a domain with 3 DCs running 4.11.8. The database itself dates back to Samba3 and has been gradually updated over the years.

When I check out a ticket I get the following results from klist -e:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: user at OLDDOMAIN

    Valid starting       Expires              Service principal
    06/12/2020 23:25:04  06/13/2020 09:25:04  krbtgt/ OLDDOMAIN at OLDDOMAIN
            renew until 06/13/2020 23:25:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac

On a separate newly created domain I get tickets like this:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: user at NEWDOMAIN

    Valid starting       Expires              Service principal
    06/12/2020 23:32:45  06/13/2020 09:32:45  krbtgt/ NEWDOMAIN at NEWDOMAIN
            renew until 06/13/2020 23:32:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

What must I do to change the ticket encryption for OLDDOMAIN? I've tried using:

    net ads enctypes set user 24

But that doesn't make a difference.
Andrew Bartlett
2020-Jun-13 07:21 UTC
[Samba] Samba not providing the right encryption in Kerberos
On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba wrote:
> Hi,
>
> I have a domain with 3 DCs running 4.11.8. The database itself dates
> back to Samba3 and has been gradually updated over the years.

I'm not sure why, but this probably doesn't have all the encryption types for either the user or the krbtgt account.

Change the password on both. The user account the normal way, the krbtgt with samba/source4/scripting/devel/chgkrbtgtpass

Be aware that this might unsettle the domain if replication is not working smoothly, as we need to get the new krbtgt password to every DC quickly. Clients running will find their tickets not accepted until they do a kinit again.

You might want to rotate the server accounts, they are rotated with samba/source4/scripting/devel/chgtdcpass. In the server case we keep the last password to allow old tickets to work.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
Sebastian Lisic
2020-Jun-13 10:22 UTC
[Samba] Samba not providing the right encryption in Kerberos
That worked! Once I changed the TGT password the tickets started using the proper encryption. Thanks for the fast response, Andrew!

During the 4.10 to 4.11 upgrade each DC was unjoined then rejoined to the domain, so I assume they have all the encryption types.

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Saturday, June 13, 2020 12:22 AM
To: Sebastian Lisic <lisic at uw.edu>; 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: Re: [Samba] Samba not providing the right encryption in Kerberos
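The check this thread turns on is the second enctype in the "Etype (skey, tkt)" column of klist -e: the session key was already AES, but the ticket itself was still encrypted with arcfour-hmac because the krbtgt account lacked AES keys. The following script is an added example (not from the thread or from Samba) that parses MIT klist -e output and flags tickets whose ticket enctype is RC4 or DES, so a DC rotation like the one Andrew describes can be verified across a fleet of client caches; the two sample outputs are constructed to mirror the OLDDOMAIN and NEWDOMAIN listings above.

```python
import re
from typing import Dict, List, Tuple

# Ticket enctypes a defender should flag: RC4 (arcfour) and DES families.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

# "MM/DD/YYYY HH:MM:SS  MM/DD/YYYY HH:MM:SS  service/name@REALM"
SERVICE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+"
                        r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(\S+)")
# "... Etype (skey, tkt): <session-key enctype>, <ticket enctype>"
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (\S+), (\S+)")


def parse_klist(output: str) -> List[Dict[str, str]]:
    """Parse MIT `klist -e` text into one dict per ticket (service, skey, tkt)."""
    tickets: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            tickets.append({"service": m.group(1), "skey": "", "tkt": ""})
        m = ETYPE_RE.search(line)
        if m and tickets:
            # The Etype line (after "renew until") belongs to the last service seen.
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1), m.group(2)
    return tickets


def weak_tickets(output: str) -> List[Tuple[str, str]]:
    """(service, ticket enctype) for every ticket still encrypted with a weak type."""
    return [(t["service"], t["tkt"]) for t in parse_klist(output)
            if t["tkt"] in WEAK_ENCTYPES]


# Constructed sample mirroring the OLDDOMAIN listing in the thread (before the fix).
OLD_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@OLDDOMAIN

Valid starting       Expires              Service principal
06/12/2020 23:25:04  06/13/2020 09:25:04  krbtgt/OLDDOMAIN@OLDDOMAIN
\trenew until 06/13/2020 23:25:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
"""

# Constructed sample mirroring the NEWDOMAIN listing (AES for both skey and tkt).
NEW_SAMPLE = OLD_SAMPLE.replace("OLDDOMAIN", "NEWDOMAIN").replace(
    ", arcfour-hmac", ", aes256-cts-hmac-sha1-96")

if __name__ == "__main__":
    for name, sample in (("OLDDOMAIN", OLD_SAMPLE), ("NEWDOMAIN", NEW_SAMPLE)):
        print(name, "weak tickets:", weak_tickets(sample))
```

Feed it the output of `klist -e` from each client after the krbtgt password change; an empty result means every cached ticket, not just its session key, is now AES-encrypted.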