Hello, guys.

I'd like to upgrade our Samba 4.11 AD to 4.12. In release notes, REMOVED FEATURES, I see this:

"Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed from Samba, and setting DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC-6649)."

In our network, we have some really ancient machines, which are SMB one only. These are CNC machines with some embedded Windows like 95, so upgrade of OS is impossible.
While those machines communicate with fileserver, I can see this message in log.samba on DC:

"Auth: [NETLOGON,ServerAuthenticate] user [SVMETAL]\[TCL3030$] at [Mon, 05 Oct 2020 10:31:40.762795 CEST] with [DES] status [NT_STATUS_DOWNGRADE_DETECTED] workstation [(null)] remote host [ipv4:192.168.1.28:1076] mapped to [(null)]\[(null)]. local host [ipv4:192.168.1.1:139] NETLOGON computer [TCL3030] trust account [(null)]".

Does it mean, when I upgrade to Samba 4.12, that machine communications will be refused?
So we have to stay (stuck) on Samba 4.11?
Or is there a possibility to go around this?

Thank you for answer.

Best regards
Jiří Černý
System administrator
+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
www.svmetal.cz

On 05/10/2020 09:49, Jiří Černý via samba wrote:
> Hello, guys.
>
> I'd like to upgrade our Samba 4.11 AD to 4.12. In release notes,
> REMOVED FEATURES, I see this:
> "Retiring DES encryption types in Kerberos.
> ------------------------------------------
> With this release, support for DES encryption types has been removed
> from Samba, and setting DES_ONLY flag for an account will cause Kerberos
> authentication to fail for that account (see RFC-6649)."
>
> In our network, we have some really ancient machines, which are SMB one
> only. These are CNC machines with some embedded Windows like 95, so
> upgrade of OS is impossible.
> While those machines communicate with fileserver, I can see this message
> in log.samba on DC:
> "Auth: [NETLOGON,ServerAuthenticate] user [SVMETAL]\[TCL3030$] at
> [Mon, 05 Oct 2020 10:31:40.762795 CEST] with [DES] status
> [NT_STATUS_DOWNGRADE_DETECTED] workstation [(null)] remote host
> [ipv4:192.168.1.28:1076] mapped to [(null)]\[(null)]. local host
> [ipv4:192.168.1.1:139] NETLOGON computer [TCL3030] trust account
> [(null)]".
>
> Does it mean, when I upgrade to Samba 4.12, that machine communications
> will be refused?
> So we have to stay (stuck) on Samba 4.11?
> Or is there a possibility to go around this?
>

Stop me if I am wrong, but, from memory (long time since I saw a win95 machine), win9x never used kerberos, it only used lanman auth, so changes to kerberos shouldn't affect you. If it worked on 4.11.x, it should work on 4.12.x

Rowland

On 05.10.20 11:26, Rowland penny via samba wrote:
> Stop me if I am wrong, but, from memory (long time since I saw a win95
> machine), win9x never used kerberos, it only used lanman auth, so
> changes to kerberos shouldn't affect you. If it worked on 4.11.x, it
> should work on 4.12.x

You can install an optional Active Directory Service Client for win9x, but that only replaces lanman with NTLMv2; Kerberos is explicitly not supported.

On Mon, 2020-10-05 at 10:49 +0200, Jiří Černý via samba wrote:
> Hello, guys.
>
> I'd like to upgrade our Samba 4.11 AD to 4.12. In release notes,
> REMOVED FEATURES, I see this:
> "Retiring DES encryption types in Kerberos.
> ------------------------------------------
> With this release, support for DES encryption types has been removed
> from Samba, and setting DES_ONLY flag for an account will cause Kerberos
> authentication to fail for that account (see RFC-6649)."
>
> In our network, we have some really ancient machines, which are SMB
> one only. These are CNC machines with some embedded Windows like 95, so
> upgrade of OS is impossible.
> While those machines communicate with fileserver, I can see this
> message in log.samba on DC:
> "Auth: [NETLOGON,ServerAuthenticate] user [SVMETAL]\[TCL3030$] at
> [Mon, 05 Oct 2020 10:31:40.762795 CEST] with [DES] status
> [NT_STATUS_DOWNGRADE_DETECTED] workstation [(null)] remote host
> [ipv4:192.168.1.28:1076] mapped to [(null)]\[(null)]. local host
> [ipv4:192.168.1.1:139] NETLOGON computer [TCL3030] trust account
> [(null)]".
>
> Does it mean, when I upgrade to Samba 4.12, that machine
> communications will be refused?
> So we have to stay (stuck) on Samba 4.11?
> Or is there a possibility to go around this?

This isn't Kerberos, but NETLOGON.

There are parameters which allow DES authentication in NETLOGON, the one you want would be "allow nt4 crypto".

However the default for that hasn't changed in years, so that won't be it.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
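
The log entry quoted in this thread is a NETLOGON ServerAuthenticate event rather than a Kerberos one. As an added example (not part of the original thread and not Samba project code), the following Python inventories which machine accounts still attempt NETLOGON with DES in log.samba, so they can be reviewed before an upgrade. It assumes one Auth: event per line; the EXAMPLEPC line, its HMAC-SHA256 value and the second TCL3030 timestamp are constructed sample data.

```python
import re
from collections import defaultdict

# Assumption: one "Auth:" event per line in log.samba, in the format quoted in
# the thread (the mail client wrapped it; the DC log itself is not wrapped).
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<auth_type>[^\]]+)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\] "
    r"at \[(?P<when>[^\]]+)\] "
    r"with \[(?P<crypto>[^\]]*)\] "
    r"status \[(?P<status>[^\]]+)\] "
    r".*?remote host \[(?P<remote>[^\]]+)\]"
)

def des_netlogon_clients(lines):
    """Map machine account -> summary of its NETLOGON attempts made with DES."""
    found = defaultdict(lambda: {"hosts": set(), "statuses": set(), "count": 0})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m["service"] != "NETLOGON" or m["crypto"] != "DES":
            continue
        entry = found[m["account"]]
        entry["hosts"].add(m["remote"].rsplit(":", 1)[0])  # drop the source port
        entry["statuses"].add(m["status"])
        entry["count"] += 1
    return dict(found)

# Event template following the log line quoted in the thread.
_EVENT = (
    r"Auth: [NETLOGON,ServerAuthenticate] user [SVMETAL]\[{acct}$] at [{when}] "
    "with [{crypto}] status [{status}] workstation [(null)] "
    r"remote host [ipv4:{ip}:{port}] mapped to [(null)]\[(null)]. "
    "local host [ipv4:192.168.1.1:139] NETLOGON computer [{acct}] "
    "trust account [(null)]"
)

# First entry is the event from the thread; the other two are constructed.
SAMPLE_LOG = [
    _EVENT.format(acct="TCL3030", when="Mon, 05 Oct 2020 10:31:40.762795 CEST",
                  crypto="DES", status="NT_STATUS_DOWNGRADE_DETECTED",
                  ip="192.168.1.28", port=1076),
    _EVENT.format(acct="TCL3030", when="Mon, 05 Oct 2020 10:36:41.100000 CEST",
                  crypto="DES", status="NT_STATUS_DOWNGRADE_DETECTED",
                  ip="192.168.1.28", port=1077),
    _EVENT.format(acct="EXAMPLEPC", when="Mon, 05 Oct 2020 10:40:00.000000 CEST",
                  crypto="HMAC-SHA256", status="NT_STATUS_OK",
                  ip="192.0.2.10", port=49152),
]
```

Passing the open log.samba file object to des_netlogon_clients() in place of SAMPLE_LOG gives the per-account host list, status set and attempt count for the real DC log.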