On Mon, 15 Sep 2025 21:08:25 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:

> Hello,
>
> On 2025-09-15 16:03, Rowland Penny via samba wrote:
> >> I have a mostly-Debian-12 deployment with a Samba AD, and a bunch
> >> of servers that use Samba+sssd to manage logins. All stock
> >> installs, so samba 4.17.12. This has been upgraded over the last
> >> 12 years or so, from when Samba 4 was new.
> >
> > You appear to have missed the main upgrade to bookworm-backports,
> > which at present would get you Samba 4.22.3
> > Or you could upgrade the OS to Trixie and get 4.22.4
>
> The plan is to go to Trixie when we're ready with everything. Is
> there any benefit to the problem I'm having right now to upgrade to
> 4.22?

Samba is a rapidly moving program and in my opinion, there are lots of
benefits in running the latest version that you can.

> >
> > Try reading this:
> >
> > https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html
>
> This is informative, but it's still very technical. I don't
> understand where RC4 comes into play, for this exact situation. The
> article suggests changing the krb5.conf on the DC; but I don't see
> how that would affect the clients.
>
> The Microsoft page linked in there states:
>
> "Once your domain functional level (DFL) is 2008 or higher, you
> KRBTGT account will always default to AES encryption."
>
> My Samba domain says it's level 2003. Is that the actual issue here,
> as to why it's not using AES? Is it safe, in an all-Samba
> environment, to bump that to 2008 or 2012?

That is very likely your problem and it looks like your domain was
originally a Microsoft one, Samba from the start was higher, 2008R2.

I am using 4.22.4 on Trixie (just upgraded from bookworm) and this is my
functional level:

adminuser at dc01:~ $ sudo samba-tool domain level show
Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'

Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016

My msDS-SupportedEncryptionTypes are all 28

Rowland
I don't know your specific scenario, but in my case, to go from RC4-HMAC
after the updates to samba, I also had to reset the krbtgt account
password - the "how-to" is explained in the doc linked earlier.

Tue, 16 Sep 2025, 07:53, user Rowland Penny via samba
<samba at lists.samba.org> wrote:

> On Mon, 15 Sep 2025 21:08:25 -0400
> Pat Suwalski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > On 2025-09-15 16:03, Rowland Penny via samba wrote:
> > >> I have a mostly-Debian-12 deployment with a Samba AD, and a bunch
> > >> of servers that use Samba+sssd to manage logins. All stock
> > >> installs, so samba 4.17.12. This has been upgraded over the last
> > >> 12 years or so, from when Samba 4 was new.
> > >
> > > You appear to have missed the main upgrade to bookworm-backports,
> > > which at present would get you Samba 4.22.3
> > > Or you could upgrade the OS to Trixie and get 4.22.4
> >
> > The plan is to go to Trixie when we're ready with everything. Is
> > there any benefit to the problem I'm having right now to upgrade to
> > 4.22?
>
> Samba is a rapidly moving program and in my opinion, there are lots of
> benefits in running the latest version that you can.
>
> > >
> > > Try reading this:
> > >
> > > https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html
> >
> > This is informative, but it's still very technical. I don't
> > understand where RC4 comes into play, for this exact situation. The
> > article suggests changing the krb5.conf on the DC; but I don't see
> > how that would affect the clients.
> >
> > The Microsoft page linked in there states:
> >
> > "Once your domain functional level (DFL) is 2008 or higher, you
> > KRBTGT account will always default to AES encryption."
> >
> > My Samba domain says it's level 2003. Is that the actual issue here,
> > as to why it's not using AES? Is it safe, in an all-Samba
> > environment, to bump that to 2008 or 2012?
>
> That is very likely your problem and it looks like your domain was
> originally a Microsoft one, Samba from the start was higher, 2008R2.
>
> I am using 4.22.4 on Trixie (just upgraded from bookworm) and this is my
> functional level:
>
> adminuser at dc01:~ $ sudo samba-tool domain level show
> Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
>
> Forest function level: (Windows) 2016
> Domain function level: (Windows) 2016
> Lowest function level of a DC: (Windows) 2016
>
> My msDS-SupportedEncryptionTypes are all 28
>
> Rowland
On 2025-09-16 01:52, Rowland Penny via samba wrote:
>> "Once your domain functional level (DFL) is 2008 or higher, you
>> KRBTGT account will always default to AES encryption."
>>
>> My Samba domain says it's level 2003. Is that the actual issue here,
>> as to why it's not using AES? Is it safe, in an all-Samba
>> environment, to bump that to 2008 or 2012?
>
> That is very likely your problem and it looks like your domain was
> originally a Microsoft one, Samba from the start was higher, 2008R2.

No, it was always Samba 4. "samba-tool domain level show" reports a bit
of a mix:

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

The schema shows version 47, which aligns with 2008R2.

> My msDS-SupportedEncryptionTypes are all 28

And, if I may ask, how do you determine this? I can't find definitive
documentation on that. My statement that it doesn't seem to be mentioned
at all comes from examining the ldap dump, and not seeing it mentioned.
But it's hard to prove a negative!

Thanks,
--Pat
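The thread turns on what a msDS-SupportedEncryptionTypes value of 28 actually means and on how to find which accounts carry it (or lack it) in an LDAP dump. The following script is an added example, not code from the thread or from the Samba project: it decodes the attribute's bitmask using the flag values documented by Microsoft (0x04 RC4-HMAC, 0x08 AES128, 0x10 AES256, and so on, so 28 = 0x1C = RC4 + AES128 + AES256) and audits a small LDIF dump for accounts that still permit RC4 or have no value set. The LDIF input is a constructed sample; on a Samba DC the same text would come from `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName msDS-SupportedEncryptionTypes`. Note that the attribute only lists what an account advertises; as the earlier reply says, the krbtgt keys themselves do not change until the password is reset.

```python
"""Decode and audit msDS-SupportedEncryptionTypes from an LDIF dump.

Added example for the Samba list thread above; not part of Samba itself.
"""
import re
import sys

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-ADTS / MS-KILE.
ENC_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
WEAK = 0x01 | 0x02 | 0x04          # DES and RC4 are the legacy, deprecated types
AES = 0x08 | 0x10 | 0x20

# Constructed sample dump (not a real directory); 28 matches the value in the thread.
SAMPLE_LDIF = """\
# constructed sample, not a real dump
dn: CN=krbtgt,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: krbtgt
msDS-SupportedEncryptionTypes: 28

dn: CN=DC01,OU=Domain Controllers,DC=samdom,DC=example,DC=com
sAMAccountName: DC01$
msDS-SupportedEncryptionTypes: 24

dn: CN=Legacy Printer,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: legacyprn
msDS-SupportedEncryptionTypes: 4

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
"""


def decode_enctypes(value):
    """Return the enctype names encoded in the integer bitmask, lowest bit first."""
    return [name for bit, name in sorted(ENC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}; joins folded continuation lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # LDIF folds long values onto " " lines
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            key, _, val = line.partition(":")
            val = val.strip()
            if key == "dn":
                dn = val
            else:
                attrs.setdefault(key, []).append(val)
        if dn:
            entries[dn] = attrs
    return entries


def audit(ldif_text):
    """Map sAMAccountName -> (status, raw value or None, decoded enctype names).

    status is one of: 'aes-only', 'aes-plus-weak', 'weak-only', 'unset'.
    'unset' means the attribute is absent (or 0), so the KDC applies its own
    default for that account rather than an explicit AES-only policy.
    """
    report = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        name = attrs.get("sAMAccountName", [dn])[0]
        raw = attrs.get("msDS-SupportedEncryptionTypes")
        if not raw:
            report[name] = ("unset", None, [])
            continue
        value = int(raw[0])
        names = decode_enctypes(value)
        if value & AES and not value & WEAK:
            status = "aes-only"
        elif value & AES:
            status = "aes-plus-weak"
        elif value & WEAK:
            status = "weak-only"
        else:
            status = "unset"
        report[name] = (status, value, names)
    return report


if __name__ == "__main__":
    # Usage: python audit_enctypes.py [dump.ldif]; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for account, (status, value, names) in audit(text).items():
        shown = "(absent)" if value is None else f"{value} = {' + '.join(names)}"
        print(f"{account:12} {status:14} {shown}")
```

Anything reported as `aes-plus-weak` or `weak-only` can still be issued RC4 (or DES) keys and tickets, which is exactly the situation the linked hardening guide is about; `unset` accounts deserve a look too, since their behaviour depends on the KDC default rather than on a deliberate choice.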