Rowland Penny
2025-Feb-17 10:39 UTC
[Samba] samba with stronger enctypes (exportkeytab and kinit)
On Mon, 17 Feb 2025 11:20:28 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have an issue with the samba-tool domain exportkeytab command, which is
> exporting the keytab only with RC4 encryption, even though the account
> (--principal) in the command has msDS-SupportedEncryptionTypes: 24,
> so only AES128 AND AES256.
>
> I can later add other encryption types to the keytab, but I think I
> shouldn't have to; in the wiki section of samba on generating keytabs
> it's stated that other enc types should be added.
>
> I checked the account with "net ads enctypes list <accountname>" and it
> shows correctly. I tried resetting with "net ads enctypes accountname",
> which sets, apart from aes128 and aes256, rc4; I re-exported with the
> same result.
>
> I've just recently updated to samba 4.17 AD DC on Debian 11 from the
> backports, with schema version 69 and domain level 2008_R2 (so the
> max supported values for this samba version). I had the same behaviour
> in the older 4.13.
>
> Also, on a similar note, I'm not sure if it's the same in newer samba
> versions, but:
>
> - in 4.13 all tickets had TGT with RC4 and session key with RC4
>
> - in 4.17 all tickets have TGT with RC4 and only session keys are now
> encrypted with AES
>
> Is it expected behaviour? Shouldn't the TGT also be moved to AES,
> especially with accounts that have explicitly stated
> msDS-SupportedEncryptionTypes 24 (only AES)?
>
> It's both in Windows and Linux: Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
>
> On all samba AD DCs krb5.conf in /var/lib/samba/private has all the
> default settings created during domain provision/join; secrets.keytab
> used by the DCs has all 3 encryption types (RC4, AES128 and AES256).
>
> As I said, I am planning to upgrade samba to newer versions in the near
> future, but first I'm verifying that everything works fine after the
> mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting
> is "expected" or something is off.

I think you need to reset the krbtgt password as well.

Rowland
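An added check, not from the thread or from Samba itself, for the two things the original poster is looking at: it decodes the msDS-SupportedEncryptionTypes bitmask (24 = AES128 + AES256) and parses MIT `klist -e` output to flag tickets that are still sealed with RC4 even when the session key is AES, which is the symptom Rowland's krbtgt note addresses. The `klist` sample is constructed and the bit names follow MS-KILE; only bits the author is certain of are named.

```python
import re

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7); 24 = 0x18 = AES128 | AES256.
ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}

def decode_supported_enctypes(value):
    """Names of the enctypes enabled by an msDS-SupportedEncryptionTypes value."""
    names = [name for bit, name in ENCTYPE_FLAGS.items() if value & bit]
    unknown = value & ~sum(ENCTYPE_FLAGS)  # bits this table does not know about
    if unknown:
        names.append("unknown-bits-0x%x" % unknown)
    return names

# MIT klist -e: service principal on one line, then "Etype (skey, tkt): <session key>, <ticket>".
SVC_RE = re.compile(r"^(?:\S+\s+){4}(\S+@\S+)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")

def audit_klist(text):
    """Per ticket: session-key enctype, the enctype the ticket is sealed with, weak flag.
    A ticket is sealed with the service's key, so RC4 on the TGT points at krbtgt's keys."""
    results, service = [], None
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            service = m.group(1)
            continue
        m = ETYPE_RE.search(line)
        if m and service:
            skey, tkt = (g.strip().replace("DEPRECATED:", "") for g in m.groups())
            results.append({"service": service, "skey": skey, "tkt": tkt,
                            "weak_ticket": tkt.lower() in WEAK_ETYPES})
    return results

# Constructed sample klist -e output modelled on the Etype line quoted in the thread.
SAMPLE_KLIST = """\
Valid starting       Expires              Service principal
02/17/2025 11:00:00  02/17/2025 21:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
02/17/2025 11:01:00  02/17/2025 21:00:00  cifs/fs1.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
```

Run `audit_klist` over real `klist -e` output after a kinit: a `weak_ticket` entry for the krbtgt service with an AES session key reproduces the poster's observation and points at the krbtgt account's keys rather than the client's.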
Kees van Vloten
2025-Feb-17 10:44 UTC
[Samba] samba with stronger enctypes (exportkeytab and kinit)
On 17-02-2025 at 11:39, Rowland Penny via samba wrote:

> On Mon, 17 Feb 2025 11:20:28 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have an issue with the samba-tool domain exportkeytab command, which is
>> exporting the keytab only with RC4 encryption, even though the account
>> (--principal) in the command has msDS-SupportedEncryptionTypes: 24,
>> so only AES128 AND AES256.
>>
>> I can later add other encryption types to the keytab, but I think I
>> shouldn't have to; in the wiki section of samba on generating keytabs
>> it's stated that other enc types should be added.
>>
>> I checked the account with "net ads enctypes list <accountname>" and it
>> shows correctly. I tried resetting with "net ads enctypes accountname",
>> which sets, apart from aes128 and aes256, rc4; I re-exported with the
>> same result.

There is a bug in some versions of samba where it keeps on adding the rc4 encryption type. It has been fixed in recent versions, I don't know exactly which one.

- Kees.

>> I've just recently updated to samba 4.17 AD DC on Debian 11 from the
>> backports, with schema version 69 and domain level 2008_R2 (so the
>> max supported values for this samba version). I had the same behaviour
>> in the older 4.13.
>>
>> Also, on a similar note, I'm not sure if it's the same in newer samba
>> versions, but:
>>
>> - in 4.13 all tickets had TGT with RC4 and session key with RC4
>>
>> - in 4.17 all tickets have TGT with RC4 and only session keys are now
>> encrypted with AES
>>
>> Is it expected behaviour? Shouldn't the TGT also be moved to AES,
>> especially with accounts that have explicitly stated
>> msDS-SupportedEncryptionTypes 24 (only AES)?
>>
>> It's both in Windows and Linux: Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
>>
>> On all samba AD DCs krb5.conf in /var/lib/samba/private has all the
>> default settings created during domain provision/join; secrets.keytab
>> used by the DCs has all 3 encryption types (RC4, AES128 and AES256).
>>
>> As I said, I am planning to upgrade samba to newer versions in the near
>> future, but first I'm verifying that everything works fine after the
>> mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting
>> is "expected" or something is off.
>
> I think you need to reset the krbtgt password as well.
>
> Rowland
Kacper Wirski
2025-Feb-17 10:54 UTC
[Samba] samba with stronger enctypes (exportkeytab and kinit)
Ok, follow-up question then: is the best way to do that as described here: https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_reset_krbtgt.html, so extracting the 4.17 tarball and running the "chgkrbtgtpass" script?

Regards,
Kacper

On 17.02.2025 at 11:39, Rowland Penny via samba wrote:

> On Mon, 17 Feb 2025 11:20:28 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have an issue with the samba-tool domain exportkeytab command, which is
>> exporting the keytab only with RC4 encryption, even though the account
>> (--principal) in the command has msDS-SupportedEncryptionTypes: 24,
>> so only AES128 AND AES256.
>>
>> I can later add other encryption types to the keytab, but I think I
>> shouldn't have to; in the wiki section of samba on generating keytabs
>> it's stated that other enc types should be added.
>>
>> I checked the account with "net ads enctypes list <accountname>" and it
>> shows correctly. I tried resetting with "net ads enctypes accountname",
>> which sets, apart from aes128 and aes256, rc4; I re-exported with the
>> same result.
>>
>> I've just recently updated to samba 4.17 AD DC on Debian 11 from the
>> backports, with schema version 69 and domain level 2008_R2 (so the
>> max supported values for this samba version). I had the same behaviour
>> in the older 4.13.
>>
>> Also, on a similar note, I'm not sure if it's the same in newer samba
>> versions, but:
>>
>> - in 4.13 all tickets had TGT with RC4 and session key with RC4
>>
>> - in 4.17 all tickets have TGT with RC4 and only session keys are now
>> encrypted with AES
>>
>> Is it expected behaviour? Shouldn't the TGT also be moved to AES,
>> especially with accounts that have explicitly stated
>> msDS-SupportedEncryptionTypes 24 (only AES)?
>>
>> It's both in Windows and Linux: Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
>>
>> On all samba AD DCs krb5.conf in /var/lib/samba/private has all the
>> default settings created during domain provision/join; secrets.keytab
>> used by the DCs has all 3 encryption types (RC4, AES128 and AES256).
>>
>> As I said, I am planning to upgrade samba to newer versions in the near
>> future, but first I'm verifying that everything works fine after the
>> mid-upgrade from 4.13 -> 4.17, and I'm not sure if what I'm getting
>> is "expected" or something is off.
>
> I think you need to reset the krbtgt password as well.
>
> Rowland