On Mon, 15 Sep 2025 21:08:25 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:
> Hello,
>
> On 2025-09-15 16:03, Rowland Penny via samba wrote:
> >> I have a mostly-Debian-12 deployment with a Samba AD, and a bunch
> >> of servers that use Samba+sssd to manage logins. All stock
> >> installs, so samba 4.17.12. This has been upgraded over the last
> >> 12 years or so, from when Samba 4 was new.
> >
> > You appear to have missed the main upgrade to bookworm-backports,
> > which at present would get you Samba 4.22.3
> > Or you could upgrade the OS to Trixie and get 4.22.4
>
> The plan is to go to Trixie when we're ready with everything. Is
> there any benefit to the problem I'm having right now to upgrade to
> 4.22?
Samba is a rapidly moving program and, in my opinion, there are lots of
benefits to running the latest version that you can.
>
>
> > Try reading this:
> >
> > https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html
>
> This is informative, but it's still very technical. I don't
> understand where RC4 comes into play, for this exact situation. The
> article suggests changing the krb5.conf on the DC; but I don't see
> how that would affect the clients.
>
> The Microsoft page linked in there states:
>
> "Once your domain functional level (DFL) is 2008 or higher, you
> KRBTGT account will always default to AES encryption."
>
> My Samba domain says it's level 2003. Is that the actual issue here,
> as to why it's not using AES? Is it safe, in an all-Samba
> environment, to bump that to 2008 or 2012?
That is very likely your problem, and it looks like your domain was
originally a Microsoft one; Samba, from the start, was higher, 2008R2.
I am using 4.22.4 on Trixie (just upgraded from bookworm) and this is my
functional level:
adminuser at dc01:~ $ sudo samba-tool domain level show
Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016
My msDS-SupportedEncryptionTypes are all 28
Rowland
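A note on the value 28 quoted above, plus an added helper script (not part of Rowland's post or of the Samba project): msDS-SupportedEncryptionTypes is a bitmask, and 28 (0x1C) is RC4-HMAC (0x4) + AES128 (0x8) + AES256 (0x10), so AES is offered but RC4 is still permitted; an AES-only account would show 24 (0x18). The script below decodes the mask, flags accounts that still allow RC4, and parses LDIF in the shape ldbsearch prints. The LDIF records are constructed sample data, and the sam.ldb path in the comment is the Debian default and an assumption.

```shell
#!/bin/sh
# Decode the msDS-SupportedEncryptionTypes bitmask that Samba and Windows
# store on each account.  Bit values are those Microsoft documents for the
# attribute: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC,
# 0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96.
decode_enctypes() {
    mask=$(( $1 ))          # accepts decimal (28) or hex (0x1c)
    out=""
    [ $((mask & 1)) -ne 0 ]  && out="$out DES-CBC-CRC"
    [ $((mask & 2)) -ne 0 ]  && out="$out DES-CBC-MD5"
    [ $((mask & 4)) -ne 0 ]  && out="$out RC4-HMAC"
    [ $((mask & 8)) -ne 0 ]  && out="$out AES128-CTS-HMAC-SHA1-96"
    [ $((mask & 16)) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96"
    rest=$(( mask & ~31 ))  # flag bits above the cipher bits are reported raw
    [ "$rest" -ne 0 ] && out="$out other-flags($(printf '0x%x' "$rest"))"
    printf '%s\n' "${out# }"
}

# Succeeds (exit 0) when the mask still permits RC4-HMAC.
allows_rc4() { [ $(( $1 & 4 )) -ne 0 ]; }

# Print the record collected in $name/$mask, then reset both.
emit_record() {
    [ -n "$mask" ] || return 0
    flag=""
    allows_rc4 "$mask" && flag=" [RC4 still enabled]"
    printf '%s %s %s%s\n' "$name" "$mask" "$(decode_enctypes "$mask")" "$flag"
    name=""; mask=""
}

# Read LDIF (as printed by ldbsearch/ldapsearch) on stdin and print one line
# per account: "<sAMAccountName> <mask> <decoded types> [RC4 still enabled]".
report_enctypes() {
    name=""; mask=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "sAMAccountName: "*) name=${line#sAMAccountName: } ;;
            "msDS-SupportedEncryptionTypes: "*) mask=${line#msDS-SupportedEncryptionTypes: } ;;
            "") emit_record ;;  # a blank line ends an LDIF record
        esac
    done
    emit_record   # last record, in case the input did not end with a blank line
}

# Constructed sample in the shape ldbsearch prints (not real directory data).
SAMPLE_LDIF='dn: CN=krbtgt,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: krbtgt
msDS-SupportedEncryptionTypes: 28

dn: CN=DC01,OU=Domain Controllers,DC=samdom,DC=example,DC=com
sAMAccountName: DC01$
msDS-SupportedEncryptionTypes: 24'

printf '%s\n' "$SAMPLE_LDIF" | report_enctypes

# On a real DC, feed live data instead (the sam.ldb path is the Debian
# default and an assumption here):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(msDS-SupportedEncryptionTypes=*)' \
#       sAMAccountName msDS-SupportedEncryptionTypes | report_enctypes
```

Run on the sample, the krbtgt line is flagged because bit 0x4 is set in 28, while the DC01$ line with 24 lists only the two AES types. Accounts without the attribute at all are not matched by the filter and fall back to the KDC default, which the functional-level discussion above is about.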