Hello,
On 2025-09-15 16:03, Rowland Penny via samba wrote:
>> I have a mostly-Debian-12 deployment with a Samba AD, and a bunch of
>> servers that use Samba+sssd to manage logins. All stock installs, so
>> samba 4.17.12. This has been upgraded over the last 12 years or so,
>> from when Samba 4 was new.
>
> You appear to have missed the main upgrade to bookworm-backports, which
> at present would get you Samba 4.22.3
> Or you could upgrade the OS to Trixie and get 4.22.4
The plan is to go to Trixie when we're ready with everything. Is there
any benefit to the problem I'm having right now to upgrade to 4.22?
> Try reading this:
>
> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html
This is informative, but it's still very technical. I don't understand
where RC4 comes into play, for this exact situation. The article
suggests changing the krb5.conf on the DC; but I don't see how that
would affect the clients.
The Microsoft page linked in there states:
"Once your domain functional level (DFL) is 2008 or higher, you KRBTGT
account will always default to AES encryption."
My Samba domain says it's level 2003. Is that the actual issue here, as
to why it's not using AES? Is it safe, in an all-Samba environment, to
bump that to 2008 or 2012?
Thanks for following up,
--Pat