Dear all,

updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled everything against the new openssl!) breaks kinit:

kinit administrator at xxxx
administrator at xxxx's Password:
kinit: rc4 8: EVP_CipherInit_ex einit

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc dhcpduser at xxxx
kinit: rc4 8: EVP_CipherInit_ex einit

openssl list -cipher-algorithms | grep -i RC4
RC4
RC4-40
RC4-HMAC-MD5

unfortunately no solution found so far.

Thanks in advance, Tibor
--------------------------------------------------
DSI Aerospace GmbH
Registered office: Otto-Lilienthal-Str. 1, D-28199 Bremen, Germany
Web: http://www.dsi-as.de
Managing directors: Dr.-Ing. Christian Dierker, M. Sc. Elias Hashem
Commercial register: HRB 17726, Amtsgericht Bremen
VAT identification number: DE 192 681 774
--------------------------------------------------
02.11.2023 18:04, MATYAS, Tibor via samba:
> Dear all,
>
> updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled everything against the new openssl!)
> breaks kinit:

FWIW, most distributions switched to openssl3 quite some time ago. E.g., current libssl in Debian is of version 3.0.11-1~deb12u1.

You did not provide any other useful info. Two of the most important missing pieces: do you build samba with the recommended heimdal kerberos or mit-krb5? And what's your DC?

/mjt
On Thu, 2023-11-02 at 16:04 +0100, MATYAS, Tibor via samba wrote:
> Dear all,
>
> updating openssl from 1.1.x to 3.x on our gentoo systems (recompiled
> everything against the new openssl!)
> breaks kinit:
>
> kinit administrator at xxxx
> administrator at xxxx's Password:
> kinit: rc4 8: EVP_CipherInit_ex einit
>
> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
> dhcpduser at xxxx
> kinit: rc4 8: EVP_CipherInit_ex einit
>
> openssl list -cipher-algorithms | grep -i RC4
> RC4
> RC4-40
> RC4-HMAC-MD5
> unfortunately no solution found so far.
>
> Thanks in advance, Tibor
>

Try changing the administrator password so you get an AES key.

Check you have updated your domain functional level to 2008R2 (the current default).

Samba doesn't ship kinit, that is MIT Kerberos (most likely) which will be using OpenSSL for the crypto and may be restricted by the limitations against old crypto. It may also be possible to disable those limitations.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
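As an added example to go with the advice above about getting AES keys (this is not part of the thread, and not Samba's, MIT's or Heimdal's own tooling): a POSIX shell helper that reads the text output of MIT `klist -ket <keytab>` and reports principals that carry an arcfour-hmac (RC4) key but no AES key at all. Those are the principals whose authentication can only proceed with RC4 and will therefore fail once the RC4 cipher is unavailable. The keytab listing embedded below is constructed; the realm, principal names and keytab path are placeholders. One caveat worth knowing: in OpenSSL 3 RC4 is implemented by the legacy provider, which is not loaded by default, so a name appearing in `openssl list -cipher-algorithms` is not by itself evidence that an application can actually fetch and use the cipher.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Finds principals in an MIT `klist -ket` listing that have an RC4
# (arcfour-hmac) key but no AES key. Such principals still depend on
# RC4 and need a password/keytab refresh to pick up AES enctypes.

# Constructed sample in the shape of `klist -ket /etc/dhcpduser.keytab`
# (KVNO, timestamp, principal, enctype in parentheses). Placeholders only.
SAMPLE_KLIST='Keytab name: FILE:/etc/dhcpduser.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/02/2023 16:00:00 dhcpduser@EXAMPLE.COM (arcfour-hmac)
   3 11/02/2023 16:00:00 dhcpduser@EXAMPLE.COM (DEPRECATED:des-cbc-md5)
   5 11/02/2023 16:00:00 host/dns.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 11/02/2023 16:00:00 host/dns.example.com@EXAMPLE.COM (arcfour-hmac)
   2 11/02/2023 16:00:00 svc-backup@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# rc4_only_principals: read `klist -ket` text on stdin and print, one per
# line and sorted, every principal that has an arcfour-hmac key and no
# aes* key. Principals with at least one AES key are not reported, even
# if they also still carry an RC4 key.
rc4_only_principals() {
    awk '
        # Key lines start with a numeric KVNO; header and ruler lines do not.
        # The principal and enctype are always the last two fields, which
        # keeps this independent of the timestamp format of the locale.
        $1 ~ /^[0-9]+$/ {
            princ = $(NF - 1)
            etype = $NF
            gsub(/[()]/, "", etype)
            if (etype ~ /^aes/)          has_aes[princ] = 1
            else if (etype ~ /arcfour/)  has_rc4[princ] = 1
            seen[princ] = 1
        }
        END {
            for (p in seen)
                if (has_rc4[p] && !has_aes[p]) print p
        }' | sort
}

# Stand-alone usage: against a real keytab this would be
#   klist -ket /etc/dhcpduser.keytab | rc4_only_principals
printf '%s\n' "$SAMPLE_KLIST" | rc4_only_principals
```

With the constructed listing only dhcpduser@EXAMPLE.COM is reported: host/dns.example.com has an AES key beside its RC4 key, and svc-backup has only AES. The DEPRECATED:des-cbc-md5 entry is neither AES nor RC4 and is ignored. For a Heimdal build (what Samba recommends) the listing comes from `ktutil -k <keytab> list` instead and has a different column layout, so the awk field selection would need adjusting.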