samba - Jun 2020 - Samba not providing the right encryption in Kerberos

Hi,

I have a domain with 3 DCs running 4.11.8. The database itself dates back to
Samba3 and has been gradually updates over the years.

When I check out a ticket I get the following results from klist -e

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user at OLDDOMAIN

Valid starting       Expires              Service principal
06/12/2020 23:25:04  06/13/2020 09:25:04  krbtgt/ OLDDOMAIN at OLDDOMAIN
        renew until 06/13/2020 23:25:00, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, arcfour-hmac


On a separate newly created domain I get tickets like this:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user at NEWDOMAIN

Valid starting       Expires              Service principal
06/12/2020 23:32:45  06/13/2020 09:32:45  krbtgt/ NEWDOMAIN at NEWDOMAIN
        renew until 06/13/2020 23:32:42, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

What must I do to change the ticket encryption for OLDDOMAIN? I've tried
using:

net ads enctypes set user 24

But that doesn't make a difference.

On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba
wrote:
> Hi,
> 
> I have a domain with 3 DCs running 4.11.8. The database itself dates
> back to Samba3 and has been gradually updates over the years.
I'm not sure why, but this probably doesn't have all the encryption
types for either the user or the krbtgt account.  Change the password
on both.  The user account the normal way, the krbtgt with
samba/source4/scripting/devel/chgkrbtgtpass

Be aware that this might unsettle the domain if replication is not
working smoothly, as we need to get the new krbtgt password to every DC
quickly.  Clients running will find their tickets not accepted until
they do a kinit again.

You might want to rotate the server accounts, they are rotated with 
samba/source4/scripting/devel/chgtdcpass.  In the server case we keep
the last password to allow old tickets to work.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

That worked! 

Once I changed the TGT password the tickets started using the proper encryption.

Thanks for the fast response, Andrew!

During the 4.10 to 4.11 upgrade each DC was unjoined then rejoined to the
domain, so I assume they have all the encryption types.

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org> 
Sent: Saturday, June 13, 2020 12:22 AM
To: Sebastian Lisic <lisic at uw.edu>; 'samba at lists.samba.org'
<samba at lists.samba.org>
Subject: Re: [Samba] Samba not providing the right encryption in Kerberos

On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba
wrote:
> Hi,
> 
> I have a domain with 3 DCs running 4.11.8. The database itself dates 
> back to Samba3 and has been gradually updates over the years.
I'm not sure why, but this probably doesn't have all the encryption
types for either the user or the krbtgt account.  Change the password on both. 
The user account the normal way, the krbtgt with
samba/source4/scripting/devel/chgkrbtgtpass

Be aware that this might unsettle the domain if replication is not working
smoothly, as we need to get the new krbtgt password to every DC quickly. 
Clients running will find their tickets not accepted until they do a kinit
again.

You might want to rotate the server accounts, they are rotated with
samba/source4/scripting/devel/chgtdcpass.  In the server case we keep the last
password to allow old tickets to work.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba