On Mon, 15 Sep 2025 15:14:39 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:
> I have a mostly-Debian-12 deployment with a Samba AD, and a bunch of
> servers that use Samba+sssd to manage logins. All stock installs, so
> samba 4.17.12. This has been upgraded over the last 12 years or so,
> from when Samba 4 was new.
You appear to have missed the main upgrade to bookworm-backports, which
at present would get you Samba 4.22.3.
Or you could upgrade the OS to Trixie and get 4.22.4.
>
> A recent update shows this message when anyone tries to sudo:
>
> "Warning: encryption type arcfour-hmac used for authentication is
> deprecated and will be disabled"
>
> Time to upgrade to AES, I get it.
>
> Searching the internet for how to fix this there are a huge variety
> of very technical explanations that are impossible to understand or
> don't apply.
>
> I have read through this:
>
> https://www.samba.org/samba/security/CVE-2022-37966.html
>
> and have determined that "msDS-SupportedEncryptionTypes" is not
> defined as near as I can tell.
>
> Surely there is a cookie cutter, standard solution to fix this?
>
> Thanks,
> --Pat
>
Try reading this:
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html
Rowland
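As an added example (not from this thread, and not Samba's own tooling), a small Python decoder for the msDS-SupportedEncryptionTypes bitmask Pat asks about: it reads LDIF-shaped records of the kind ldbsearch prints for that attribute and reports which accounts still depend on RC4 (arcfour-hmac) or have the attribute unset. The account names and values are constructed.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes (MS-ADTS section 2.2.7)
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
AES_MASK = 0x08 | 0x10 | 0x20
RC4_BIT = 0x04

# Constructed sample shaped like LDIF output of an ldbsearch for the attribute
SAMPLE_LDIF = """\
dn: CN=FS01,OU=Servers,DC=example,DC=com
sAMAccountName: FS01$
msDS-SupportedEncryptionTypes: 28

dn: CN=legacyapp,CN=Users,DC=example,DC=com
sAMAccountName: legacyapp
msDS-SupportedEncryptionTypes: 4

dn: CN=OLDBOX,CN=Computers,DC=example,DC=com
sAMAccountName: OLDBOX$
"""

def parse_ldif(text):
    """Map sAMAccountName -> attribute value (int), or None when unset."""
    accounts = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "sAMAccountName" in attrs:
            raw = attrs.get("msDS-SupportedEncryptionTypes")
            accounts[attrs["sAMAccountName"]] = int(raw) if raw is not None else None
    return accounts

def classify(value):
    """Describe what a bitmask value permits and flag RC4 dependence."""
    if value is None:
        return "unset: the KDC's default for this account type applies"
    names = ", ".join(n for bit, n in ENC_TYPE_BITS.items() if value & bit) or "none"
    if value & AES_MASK and not value & RC4_BIT:
        return f"AES only ({names})"
    if value & AES_MASK:
        return f"AES plus RC4 still allowed ({names})"
    if value & RC4_BIT:
        return f"RC4 only: breaks once arcfour-hmac is disabled ({names})"
    return f"no AES or RC4 bits set ({names})"

def audit(text=SAMPLE_LDIF):
    return {name: classify(v) for name, v in parse_ldif(text).items()}
```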