samba - Feb 2025 - samba with stronger enctypes (exportkeytab and kinit)

On Mon, 17 Feb 2025 11:20:28 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I have issue with samba-tool domain exportkeytab command, that is 
> exporting keytab only with RC4 encryption, even though account 
> (--principal) in the command has msDS-SupportedEncryptionTypes": 24
> 
> so, only AES128 AND AES256,
> 
> I can later add other encryption types to the keytab, but I think I 
> shouldn't have to, in the wiki section of samba in generating keytabs 
> it's stated that other enc types should be added.
> 
> I checked acccount with "net ads enctypes list <accountname"
and it
> shows correctly, I tried resetting with "net ads enctypes
> accountname" which sets, apart from aes128 and aes256, rc4, I
> reexported with the same result.
> 
> I've just recently updated to samba 4.17? ad dc on debian 11 from the 
> backports, with schema version 69 and domain level 2008_R2 (so the
> max supported values for this samba version). I had the same behavior
> in older, 4.13.
> 
> 
> Also, on a similar note, I'm not sure if it's the same in newer
samba
> versions, but:
> 
> - in 4.13 all tickets had TGT with RC4 and session key with RC4
> 
> - in 4.17 all tickets have TGT with RC4 and only session keys are now 
> encrypted with AES
> 
> Is it expected behaviour, shouldn't TGT be also moved to AES,
> especially with accounts that had explicitly stated
> msDS-SupportedEncryptionTypes 24 (only AES)?
> 
> It's both in windows and linux Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac)
> 
> 
> On all samba AD DC's krb5.conf in /var/lib/samba/private has all the 
> default settings created during domain provision/join, secrets.keytab 
> used by the DC's have all 3 encryption types (RC4, AES128 and AES256).
> 
> 
> As I said, I am planning to upgrade samba to newer versions in a near 
> future, but first I'm verifying if everything works fine from the 
> mid-upgrade from 4.13 -> 4.17 and I'm, not sure, if what I'm
getting
> is "expected" or something is off.
I think you need to reset the krbtgt password as well.

Rowland

Op 17-02-2025 om 11:39 schreef Rowland Penny via samba:
> On Mon, 17 Feb 2025 11:20:28 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have issue with samba-tool domain exportkeytab command, that is
>> exporting keytab only with RC4 encryption, even though account
>> (--principal) in the command has msDS-SupportedEncryptionTypes":
24
>>
>> so, only AES128 AND AES256,
>>
>> I can later add other encryption types to the keytab, but I think I
>> shouldn't have to, in the wiki section of samba in generating
keytabs
>> it's stated that other enc types should be added.
>>
>> I checked acccount with "net ads enctypes list
<accountname" and it
>> shows correctly, I tried resetting with "net ads enctypes
>> accountname" which sets, apart from aes128 and aes256, rc4, I
>> reexported with the same result.
There is a bug in some versions of samba where it keeps on adding the 
rc4 encryption type. It has been fixed in recent versions, I don't know 
exactly which one.


- Kees.
>>
>> I've just recently updated to samba 4.17? ad dc on debian 11 from
the
>> backports, with schema version 69 and domain level 2008_R2 (so the
>> max supported values for this samba version). I had the same behavior
>> in older, 4.13.
>>
>>
>> Also, on a similar note, I'm not sure if it's the same in newer
samba
>> versions, but:
>>
>> - in 4.13 all tickets had TGT with RC4 and session key with RC4
>>
>> - in 4.17 all tickets have TGT with RC4 and only session keys are now
>> encrypted with AES
>>
>> Is it expected behaviour, shouldn't TGT be also moved to AES,
>> especially with accounts that had explicitly stated
>> msDS-SupportedEncryptionTypes 24 (only AES)?
>>
>> It's both in windows and linux Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac)
>>
>>
>> On all samba AD DC's krb5.conf in /var/lib/samba/private has all
the
>> default settings created during domain provision/join, secrets.keytab
>> used by the DC's have all 3 encryption types (RC4, AES128 and
AES256).
>>
>>
>> As I said, I am planning to upgrade samba to newer versions in a near
>> future, but first I'm verifying if everything works fine from the
>> mid-upgrade from 4.13 -> 4.17 and I'm, not sure, if what I'm
getting
>> is "expected" or something is off.
> I think you need to reset the krbtgt password as well.
>
> Rowland
>
>
>

Ok, follow-up question then, is the best way to do that as described here:

https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_reset_krbtgt.html 


so? extracting 4.17? tarball and running the "chgkrbtgtpass" script?

Regards,

Kacper

W dniu 17.02.2025 o?11:39, Rowland Penny via samba
pisze:
> On Mon, 17 Feb 2025 11:20:28 +0100
> Kacper Wirski via samba<samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I have issue with samba-tool domain exportkeytab command, that is
>> exporting keytab only with RC4 encryption, even though account
>> (--principal) in the command has msDS-SupportedEncryptionTypes":
24
>>
>> so, only AES128 AND AES256,
>>
>> I can later add other encryption types to the keytab, but I think I
>> shouldn't have to, in the wiki section of samba in generating
keytabs
>> it's stated that other enc types should be added.
>>
>> I checked acccount with "net ads enctypes list
<accountname" and it
>> shows correctly, I tried resetting with "net ads enctypes
>> accountname" which sets, apart from aes128 and aes256, rc4, I
>> reexported with the same result.
>>
>> I've just recently updated to samba 4.17? ad dc on debian 11 from
the
>> backports, with schema version 69 and domain level 2008_R2 (so the
>> max supported values for this samba version). I had the same behavior
>> in older, 4.13.
>>
>>
>> Also, on a similar note, I'm not sure if it's the same in newer
samba
>> versions, but:
>>
>> - in 4.13 all tickets had TGT with RC4 and session key with RC4
>>
>> - in 4.17 all tickets have TGT with RC4 and only session keys are now
>> encrypted with AES
>>
>> Is it expected behaviour, shouldn't TGT be also moved to AES,
>> especially with accounts that had explicitly stated
>> msDS-SupportedEncryptionTypes 24 (only AES)?
>>
>> It's both in windows and linux Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac)
>>
>>
>> On all samba AD DC's krb5.conf in /var/lib/samba/private has all
the
>> default settings created during domain provision/join, secrets.keytab
>> used by the DC's have all 3 encryption types (RC4, AES128 and
AES256).
>>
>>
>> As I said, I am planning to upgrade samba to newer versions in a near
>> future, but first I'm verifying if everything works fine from the
>> mid-upgrade from 4.13 -> 4.17 and I'm, not sure, if what I'm
getting
>> is "expected" or something is off.
> I think you need to reset the krbtgt password as well.
>
> Rowland
>
>
>
-- 
Ta wiadomo?? e-mail zosta?a sprawdzona pod k?tem wirus?w przez oprogramowanie
antywirusowe Avast.
www.avast.com