On 2025-09-16 16:18, Pat Suwalski via samba wrote:
> This suggests to me the problem is not in sssd.
Okay, I figured it out.
Based on reading elsewhere, I added the following lines to [libdefaults]
in krb.conf:

    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

Then, when I did the kinit, Kerberos explicitly told me that it couldn't
find an encryption scheme that worked.
Scratching my head, I decided to go on the Samba server and 'service
samba-ad-dc restart'.
Yep, that was the fix. After updating to the 2008_R2 level (and maybe
redoing the krbtgt hash), it just needed a restart.
Last question:
After a change like this, do I have to leave and join the domain on each
of the servers making use of the AD, or can their settings/keytabs be
updated somehow?
Many thanks,
--Pat