On Tue, 16 Sep 2025 09:11:46 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:

> On 2025-09-16 08:59, Rowland Penny via samba wrote:
> > When that is run on a Samba AD DC, it should show something like
> > this:
> >
> > dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
> > msDS-SupportedEncryptionTypes: 28
> >
> > One for every domain-joined computer.
> >
> > If you do not have any, or any that are set to '0', then it defaults
> > to RC4_HMAC_MD5.
>
> Fascinating. None of the Debian servers with samba show up in the
> list, only some actual Windows boxes that have accumulated over the
> years (28, 31).
>
> A bunch of user accounts in there, including my own, have it set
> to 0.

I personally have never seen a user with the msDS-SupportedEncryptionTypes
attribute, but I suppose, seeing as a computer is a user to AD, anything
is possible.

> Resetting my password using samba-tool on the DC still has it set to
> 0. I assumed this would use modern hashing and update that field...

From my understanding, you need to set the computer's
msDS-SupportedEncryptionTypes attribute to '28', get the functional
level to 2008 or above and then change the KRBTGT password; Samba
provides a script for that. Download a samba tarball and unpack it; the
script you require, 'chgkrbtgtpass', is in source4/scripting/devel/.

Rowland
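The attribute Rowland describes is a bitmask, so a bare "28" or "31" in ldbsearch output is easy to misread. The script below is an added example, not code from the thread or from the Samba project: it decodes the msDS-SupportedEncryptionTypes bits (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128-CTS-HMAC-SHA1-96, 16 AES256-CTS-HMAC-SHA1-96) and flags every entry whose attribute is 0 or missing, which is exactly the set of accounts that will fall back to RC4. The LDIF it parses is constructed sample data modelled on the output quoted above; the sam.ldb path in the comment is the usual Debian location and is an assumption.

```sh
#!/bin/sh
# Added example, not code from the samba list thread or the Samba project.
# Decodes msDS-SupportedEncryptionTypes bitmasks and flags accounts that
# will fall back to RC4-HMAC (value 0 or attribute absent). Bit values are
# the Kerberos encryption-type flags:
#   1 = DES-CBC-CRC, 2 = DES-CBC-MD5, 4 = RC4-HMAC,
#   8 = AES128-CTS-HMAC-SHA1-96, 16 = AES256-CTS-HMAC-SHA1-96
# so 28 = RC4 + AES128 + AES256 and 31 = all five.

# Print the names of the encryption types enabled by bitmask $1.
decode_etypes() {
    v="${1:-0}"
    if [ "$v" -eq 0 ]; then
        echo "none-set(defaults-to-RC4)"
        return 0
    fi
    out=""
    [ $((v & 1)) -ne 0 ]  && out="$out DES-CBC-CRC"
    [ $((v & 2)) -ne 0 ]  && out="$out DES-CBC-MD5"
    [ $((v & 4)) -ne 0 ]  && out="$out RC4-HMAC"
    [ $((v & 8)) -ne 0 ]  && out="$out AES128"
    [ $((v & 16)) -ne 0 ] && out="$out AES256"
    echo "${out# }"
}

# "aes" when either AES bit (8|16 = 24) is set, otherwise "rc4-fallback".
classify() {
    v="${1:-0}"
    if [ $((v & 24)) -ne 0 ]; then echo "aes"; else echo "rc4-fallback"; fi
}

# One tab-separated report line: dn, raw value, class, decoded names.
emit() {
    v="${2:-0}"
    printf '%s\t%s\t%s\t%s\n' "$1" "$v" "$(classify "$v")" "$(decode_etypes "$v")"
}

# Read LDIF on stdin (as produced by ldbsearch) and report each entry.
# An entry with no msDS-SupportedEncryptionTypes line is treated as 0.
# ldbsearch's "# record N" / "# returned N records" comment lines match
# neither pattern and are ignored.
report() {
    dn=""; val=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "dn: "*)
                if [ -n "$dn" ]; then emit "$dn" "$val"; fi
                dn="${line#dn: }"; val="" ;;
            "msDS-SupportedEncryptionTypes: "*)
                val="${line#msDS-SupportedEncryptionTypes: }" ;;
        esac
    done
    if [ -n "$dn" ]; then emit "$dn" "$val"; fi
}

# Constructed sample output, modelled on the ldbsearch output quoted in the thread.
SAMPLE_LDIF='dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 28

dn: CN=OLDWIN,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31

dn: CN=LEGACY,CN=Computers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 0

dn: CN=DEBIANBOX,CN=Computers,DC=samdom,DC=example,DC=com
'

# On a real DC (sam.ldb path assumed; adjust for your distribution) run:
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(objectClass=computer)' msDS-SupportedEncryptionTypes | report
printf '%s' "$SAMPLE_LDIF" | report
```

Run as shown it prints one line per entry; LEGACY (0) and DEBIANBOX (attribute absent) come out as rc4-fallback, TESTMEM1 and OLDWIN as aes. Swap the sample for a live ldbsearch pipe, or widen the filter to `(objectClass=user)` to catch the user accounts Pat saw set to 0.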
Good afternoon,

On 2025-09-16 09:40, Rowland Penny via samba wrote:
>> Resetting my password using samba-tool on the DC still has it set to
>> 0. I assumed this would use modern hashing and update that field...
>
> From my understanding, you need to set the computers
> msDS-SupportedEncryptionTypes attribute to '28' and get the functional
> level to 2008 or above and then change the KRBTGT password and Samba
> provides a script for that. Download a samba tarball and unpack it, the
> script you require 'chgkrbtgtpass' is in source4/scripting/devel/.

I must still be missing something.

I bumped the level of the domain to 2008_R2:

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

I reset the krbtgt password:

Unix username: krbtgt
User SID: S-1-5-21-2975800572-1361866626-3835100225-502
Primary Group SID: S-1-5-21-2975800572-1361866626-3835100225-513
Password last set: Tue, 16 Sep 2025 12:42:43 EDT
Password can change: Tue, 16 Sep 2025 12:42:43 EDT

I connected a clean, new test VM with Debian Trixie (4.22), and it has
the encryption types set correctly:

dn: CN=ADTEST,CN=Computers,DC=mydomain,DC=ca
msDS-SupportedEncryptionTypes: 28

I have reset my own user password after all of that.

I have left and rejoined a few times, clearing the krb cache files and
sssd databases between, with reboots in between.

sudo authenticates my password, but still spits out:

"Warning: encryption type arcfour-hmac used for authentication is
deprecated and will be disabled"

Is there anything obvious I'm missing at this point?

Thanks,
--Pat