On Tue, 16 Sep 2025 09:11:46 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:
> On 2025-09-16 08:59, Rowland Penny via samba wrote:
> > When that is run on a Samba AD DC, it should show something like
> > this:
> >
> > dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
> > msDS-SupportedEncryptionTypes: 28
> >
> > One for every domain joined computer.
> >
> > If you do not have any or any that are set to '0', then it defaults
> > to RC4_HMAC_MD5.
>
> Fascinating. None of the Debian servers with samba show up in the
> list, only some actual Windows boxes that have accumulated over the
> years (28, 31).
>
> A bunch of user accounts in there, including my own, have it set
> to 0.

I personally have never seen a user with the
msDS-SupportedEncryptionTypes attribute, but I suppose, seeing as a
computer is a user to AD, anything is possible.

>
> Resetting my password using samba-tool on the DC still has it set to
> 0. I assumed this would use modern hashing and update that field...

From my understanding, you need to set the computers'
msDS-SupportedEncryptionTypes attribute to '28', get the functional
level to 2008 or above, and then change the KRBTGT password; Samba
provides a script for that. Download a samba tarball and unpack it; the
script you require, 'chgkrbtgtpass', is in source4/scripting/devel/.

Rowland
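
Added example (not part of the thread and not Samba code): a small Python audit that decodes the msDS-SupportedEncryptionTypes values discussed above (28, 31, 0, or attribute absent) from LDIF output in the form quoted in the thread. The sample records other than TESTMEM1, the status labels, and the function names are constructed for illustration; treating 0 or unset as an RC4 default follows the statement in the thread.

```python
# Added example: decode msDS-SupportedEncryptionTypes from LDIF search output.
# Standard Kerberos etype flag bits for this attribute (low five bits only).
ETYPE_BITS = {0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC_MD5",
              0x08: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}

# Constructed sample; every DN except TESTMEM1 is made up for this example.
SAMPLE_LDIF = """\
dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 28

dn: CN=OLDWIN,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31

dn: CN=someuser,CN=Users,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 0

dn: CN=DEBSRV,CN=Computers,DC=samdom,DC=example,DC=com
"""

def decode(value):
    """Return the etype names set in the bitmask, lowest bit first."""
    return [name for bit, name in ETYPE_BITS.items() if value & bit]

def audit(ldif):
    """Map each dn to (etype names, status) from simple, unfolded LDIF text."""
    report = {}
    for record in ldif.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            key, sep, val = line.partition(": ")
            if sep:
                attrs[key.lower()] = val.strip()
        if "dn" not in attrs:
            continue
        raw = int(attrs.get("msds-supportedencryptiontypes", "0"))
        names = decode(raw)
        if not names:            # unset or 0: RC4 default, per the thread
            status = "default-rc4"
        elif raw & 0x03:         # either single-DES bit is set
            status = "des-enabled"
        else:
            status = "explicit"
        report[attrs["dn"]] = (names, status)
    return report

if __name__ == "__main__":
    for dn, (names, status) in audit(SAMPLE_LDIF).items():
        print(f"{status:12} {dn}  {'|'.join(names) or '(none)'}")
```
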