samba - Nov 2023 - Updating OpenSSL from 1.x to 3 breaks kinit

Dear all,

updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled 
everything against the new openssl!)
breaks kinit:

kinit administrator at xxxx
administrator at xxxx's Password:
kinit: rc4 8: EVP_CipherInit_ex einit

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc dhcpduser at xxxx
kinit: rc4 8: EVP_CipherInit_ex einit

openssl list -cipher-algorithms | grep -i RC4
 ? RC4
 ? RC4-40
 ? RC4-HMAC-MD5
unfortunately no solution found so far.

Thanks in advance, Tibor





--------------------------------------------------
DSI Aerospace GmbH

Sitz der Gesellschaft: Otto-Lilienthal-Str. 1, D-28199 Bremen, Germany
Web: http://www.dsi-as.de

Geschaeftsfuehrer: Dr.-Ing. Christian Dierker
                   M. Sc. Elias Hashem

Handelsregister: HRB 17726, Amtsgericht Bremen
Umsatzsteuer-Identifikationsnummer: DE 192 681 774
--------------------------------------------------

02.11.2023 18:04, MATYAS, Tibor via samba:
> Dear all,
> 
> updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled
everything against the new openssl!)
> breaks kinit:
FWIW, most distributions switched to openssl3 quite some time ago.
Eg, current libssl in Debian is of version 3.0.11-1~deb12u1.

You did not provide any other useful info.  Two of the most important
missing pieces: do you build samba with the recommended heimdal kerberos
or mit-krb5?  And what's your DC?

/mjt

On Thu, 2023-11-02 at 16:04 +0100, MATYAS, Tibor via samba
wrote:
> Dear all,
> 
> updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled 
> everything against the new openssl!)
> breaks kinit:
> 
> kinit administrator at xxxx
> administrator at xxxx's Password:
> kinit: rc4 8: EVP_CipherInit_ex einit
> 
> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc 
> dhcpduser at xxxx
> kinit: rc4 8: EVP_CipherInit_ex einit
> 
> openssl list -cipher-algorithms | grep -i RC4
>    RC4
>    RC4-40
>    RC4-HMAC-MD5
> unfortunately no solution found so far.
> 
> Thanks in advance, Tibor
> 
Try changing the administrator password so you get an AES key.  Check
you have updated your domain functional level to 2008R2 (the current
default). 

Samba doesn't ship kinit, that is MIT Kerberos (most likely) which will
be using OpenSSL for the crypto and may be restricted by the
limitations against old crypto.  It may also be possible to disable
those limitations.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions