On Tue, 16 Sep 2025 08:42:26 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:
> On 2025-09-16 01:52, Rowland Penny via samba wrote:
> >> "Once your domain functional level (DFL) is 2008 or higher, your
> >> KRBTGT account will always default to AES encryption."
> >>
> >> My Samba domain says it's level 2003. Is that the actual issue
> >> here, as to why it's not using AES? Is it safe, in an all-Samba
> >> environment, to bump that to 2008 or 2012?
> >
> > That is very likely your problem and it looks like your domain was
> > originally a Microsoft one, Samba from the start was higher, 2008R2.
>
> No, it was always Samba 4. "samba-tool domain level show" reports a
> bit of a mix:
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
> The schema shows version 47, which aligns with 2008R2.
>
> > My msDS-SupportedEncryptionTypes are all 28
>
> And, if I may ask, how do you determine this? I can't find definitive
> documentation on that. My statement that it doesn't seem to be
> mentioned at all comes from examining the ldap dump, and not seeing
> it mentioned. But it's hard to prove a negative!
>
> Thanks,
> --Pat
>
Every computer in an AD domain should have an
msDS-SupportedEncryptionTypes attribute, which you can find with:
sudo ldbsearch -H /var/lib/samba/private/sam.ldb
'(msDS-SupportedEncryptionTypes=*)' msDS-SupportedEncryptionTypes
When that is run on a Samba AD DC, it should show something like this:
dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 28
One for every domain-joined computer.
If you do not have any or any that are set to '0', then it defaults to
RC4_HMAC_MD5.
Rowland
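The value 28 that the ldbsearch command above prints is a bitmask, and Rowland's point that an absent or 0 attribute falls back to RC4 is the one worth automating. The script below is an added example, not part of this thread or of Samba: it takes ldbsearch LDIF output (a constructed sample is embedded, or pipe the real thing in on stdin), decodes msDS-SupportedEncryptionTypes into enctype names using the bit values documented in [MS-KILE] 2.2.7, treats absent/0 as the RC4 default exactly as stated in the reply, and lists the computers that will never get AES keys. The sample assumes a search with filter '(objectClass=computer)' rather than the '(msDS-SupportedEncryptionTypes=*)' filter above, because only the former returns computers that lack the attribute entirely.

```python
"""Decode msDS-SupportedEncryptionTypes from ldbsearch (LDIF) output.

Added example; the DNs and values below are constructed, not taken from
the list post. Run stand-alone to see the sample decoded, or:
  sudo ldbsearch -H /var/lib/samba/private/sam.ldb \
      '(objectClass=computer)' msDS-SupportedEncryptionTypes | python3 decode.py
"""
import sys
from typing import Dict, List, Optional

# Bit flags of msDS-SupportedEncryptionTypes, per [MS-KILE] section 2.2.7.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
AES_BITS = 0x08 | 0x10 | 0x20
ATTR = "msDS-SupportedEncryptionTypes"

# Constructed ldbsearch output: one AES-capable host (28 = 4|8|16),
# one RC4-only host, one explicit 0, and one with no attribute at all.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 28

# record 2
dn: CN=OLDBOX,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 4

# record 3
dn: CN=ZEROED,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 0

# record 4
dn: CN=NOATTR,CN=Computers,DC=samdom,DC=example,DC=com

# returned 4 records
# 4 entries
# 0 referrals
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous
    line, which ldbsearch uses for long DNs) and drop '#' comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if not line.startswith("#")]


def parse_entries(text: str) -> Dict[str, Optional[int]]:
    """Map each dn to its msDS-SupportedEncryptionTypes (None when absent)."""
    entries: Dict[str, Optional[int]] = {}
    dn: Optional[str] = None
    for line in unfold_ldif(text):
        if not line.strip():          # blank line ends the current record
            dn = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "dn":
            dn = value
            entries.setdefault(dn, None)
        elif key.lower() == ATTR.lower() and dn is not None:
            entries[dn] = int(value)
    return entries


def decode(value: Optional[int]) -> List[str]:
    """Enctype names the bitmask advertises. Absent or 0 is reported as the
    RC4-HMAC fallback the list reply describes."""
    if not value:
        return ["RC4-HMAC (default: attribute absent or 0)"]
    names = [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]
    unknown = value & ~sum(ENC_TYPE_BITS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def lacks_aes(value: Optional[int]) -> bool:
    """True when no AES bit is set, including the absent/0 case."""
    return not (value or 0) & AES_BITS


def audit(text: str) -> Dict[str, List[str]]:
    """DNs that will not get AES keys, with their decoded enctypes."""
    return {dn: decode(v) for dn, v in parse_entries(text).items() if lacks_aes(v)}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDBSEARCH_OUTPUT
    for dn, value in parse_entries(text).items():
        print(f"{dn}: {value} -> {', '.join(decode(value))}")
    print("Without AES:", ", ".join(audit(text)) or "none")
```

The same check can be pushed into the search itself: ldb supports the LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803), so a filter such as '(&(objectClass=computer)(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=24)))' returns only computers without either AES bit, which also catches the absent-attribute case the '=*' filter above cannot.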