search for: arcfour

Hi, I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“: # kinit testuser1 testuser1 at S4DOM.TEST's Password: # klist -v Credentials cache: FILE:/tmp/krb5cc_0 Ticket etype: arcfour-hmac-md5, kvno 1 I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m trying to use them (e.g. for NFS client/ser...

...---------------- 1 HOST/samba4 at FSS.LAN (des-cbc-crc) 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-crc) 1 SAMBA4$@FSS.LAN (des-cbc-crc) 1 HOST/samba4 at FSS.LAN (des-cbc-md5) 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-md5) 1 SAMBA4$@FSS.LAN (des-cbc-md5) 1 HOST/samba4 at FSS.LAN (arcfour-hmac) 1 HOST/samba4.fss.lan at FSS.LAN (arcfour-hmac) 1 SAMBA4$@FSS.LAN (arcfour-hmac) 1 HOST/samba4 at FSS.LAN (aes128-cts-hmac-sha1-96) 1 HOST/samba4.fss.lan at FSS.LAN (aes128-cts-hmac-sha1-96) 1 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96) 1 HOST/samba4 at FSS.LAN (aes256-cts-hma...

...rt with. klist -ke |sort ( default member ) ---- -------------------------------------------------------------------------- 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96) 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96) 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac) 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc) 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5) 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96) 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96) 3 host/hostn...

Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac) 7 cifs/fs-a.dom.corp at DOM.CORP...

Hi Trever, things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour: root at ubuntu1:~# kinit user09999 user09999 at S4DOM.TEST's Password: root at ubuntu1:~# klist -v Credentials cache: FILE:/tmp/krb5cc_0 Principal: user09999 at S4DOM.TEST Cache version: 4 Server: krbtgt/S4DOM.TEST at S4DOM.TEST Client: user09999 at S4DOM.TEST Ticket etype: arcf...

On 08/18/2015 02:28 PM, Ritter, Marcel (RRZE) wrote: > Hi, > > I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“: > > # kinit testuser1 > testuser1 at S4DOM.TEST's Password: > > # klist -v > Credentials cache: FILE:/tmp/krb5cc_0 > Ticket etype: arcfour-hmac-md5, kvno 1 > > I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I’m t...

Hi, In order to try out the 1.9.18alpha12 version, I need access to the arcfour routines. Unfortunately the arcfour.[ch] in the Attic doesn't have matching signatures for the needed functions. Regards Anders Blomdell ------------------------------------------------------------------------------ Anders Blomdell Department of Automatic Control Email: anders.blom...

...since its replaced anyway now. Ps, keytab name is not significant. What is significantis, what is set for : default_keytab_name in krb5.conf Which ofcourse defaults to FILE:/etc/krb5.keytab > > Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > > Then something reads the keytab in memory and cannot find the > required SPN, or to put it another way, whatever is trying to find the > SPN isn't reading the keytab you created above, it is reading the one in memory. Ok, this part above, yes, your right, its rea...

...b Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac) 7 cifs/fs-a.dom.corp at DOM...

Author: kais Repository: /hg/zfs-crypto/gate Revision: af99262cf4c4e55fca29e9b86ad9369fd928745e Log message: PSARC/2005/413 sun4v optimized MD5 and arcfour kernel cryptographic modules 6278572 port Spracklen''s fast MD5 on Niagara to solaris 6278578 port Spracklen''s fast RC4 on Niagara to solaris Files: create: usr/src/common/crypto/arcfour/sun4v/arcfour_crypt.c create: usr/src/common/crypto/md5/sparc/sun4v/byteswap.il create: usr...

...up failed: NT_STATUS_LOGON_FAILURE [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/stcomune at COMUNE.PADOVA.IT(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] [2019/11/05 15:50:50.009564, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step) gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE the same test from windows machine fail with user cr...

...ger version: $ ssh -v -v -v ibmsp SSH Version OpenSSH_2.5.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /home/psavola/.ssh/config debug: Reading configuration data /etc/ssh/ssh_config debug: cipher ok: rijndael128-cbc [rijndael128-cbc,aes128-cbc,arcfour,blowfish-cbc] debug: cipher ok: aes128-cbc [rijndael128-cbc,aes128-cbc,arcfour,blowfish-cbc] debug: cipher ok: arcfour [rijndael128-cbc,aes128-cbc,arcfour,blowfish-cbc] debug: cipher ok: blowfish-cbc [rijndael128-cbc,aes128-cbc,arcfour,blowfish-cbc] debug: ciphers ok: [rijndael128-cbc,aes128-cbc,ar...

...[2019/11/05 15:50:50.009481, 1] >> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) >> gss_accept_sec_context failed with [ Miscellaneous failure (see text): >> Failed to find cifs/stcomune at COMUNE.PADOVA.IT(kvno 113) in keytab >> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] >> [2019/11/05 15:50:50.009564, 1] >> ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step) >> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing >> NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE >> >>...

...-CTS-HMAC-SHA1-96 * RC4-HMAC I would like to allow the Domain Members to work with their own keytabs via the "net ads keytab" command set but have found that the default (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes are listed. The Domain admins can use tools on their side to create SPNs and keytabs that have AES and we would prefer them over DES/ArcFour except in special circumstances.: # klist -ke Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal - ---- - ---------...

...-NT-SRV-INST (2) sname-string: 2 items SNameString: krbtgt SNameString: MYDOMAIN.COM.XYZ enc-part etype: eTYPE-ARCFOUR-HMAC-MD5 (23) authenticator etype: eTYPE-ARCFOUR-HMAC-MD5 (23) PA-DATA PA-FOR-USER padata-type: kRB5-PADATA-S4U2SELF (129) name name-type: kRB5-NT-ENTERP...

...EY fbeckman at zvadm6:/home/fbeckman $ ssh -vvv devil3 uname -a OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /home/fbeckman/.ssh/config debug1: Reading configuration data /etc/ssh_config debug3: cipher ok: blowfish-cbc [blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc] debug3: cipher ok: aes128-cbc [blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc] debug3: cipher ok: 3des-cbc [blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc] debug3: cipher ok: cast128-cbc [blowfish-cbc,aes128-cbc,3des-cbc...

...ba4 at FSS.LAN (des-cbc-crc) > 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-crc) > 1 SAMBA4$@FSS.LAN (des-cbc-crc) > 1 HOST/samba4 at FSS.LAN (des-cbc-md5) > 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-md5) > 1 SAMBA4$@FSS.LAN (des-cbc-md5) > 1 HOST/samba4 at FSS.LAN (arcfour-hmac) > 1 HOST/samba4.fss.lan at FSS.LAN (arcfour-hmac) > 1 SAMBA4$@FSS.LAN (arcfour-hmac) > 1 HOST/samba4 at FSS.LAN (aes128-cts-hmac-sha1-96) > 1 HOST/samba4.fss.lan at FSS.LAN (aes128-cts-hmac-sha1-96) > 1 SAMBA4$@FSS.LAN (aes128-cts-hmac-sha1-96) > 1 HOST/sam...

...fig and /etc/ssh/ssh_config. Is just using these three ciphers like to cause me any problems? Could having so few ciphers be creating a security concern itself? Thanks The following weak client-to-server encryption algorithms are supported by the remote service: rijndael-cbc at lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc The following weak server-to-client encryption algorithms are supported by the remote service: rijndael-cbc at lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfo...

...2/01/2017 14:01:34 host/PROXY2 at REALM (aes128-cts-hmac-sha1-96)    2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (aes256-cts-hmac-sha1-96)    2 02/01/2017 14:01:34 host/PROXY2 at REALM (aes256-cts-hmac-sha1-96)    2 02/01/2017 14:01:34 host/proxy2.internal.domain.tld at REALM (arcfour-hmac)    2 02/01/2017 14:01:34 host/PROXY2 at REALM (arcfour-hmac)    2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-crc)    2 02/01/2017 14:01:34 PROXY2$@REALM (des-cbc-md5)    2 02/01/2017 14:01:34 PROXY2$@REALM (aes128-cts-hmac-sha1-96)    2 02/01/2017 14:01:34 PROXY2$@REALM (aes256-cts-hmac-...

...ient.log> saying: >>> [2017/01/11 16:42:34.522067, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] [2017/01/11 16:42:34.522095, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit) SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE [2017/01/11 16:42:34.525704, 1] ../lib/param/loadparm.c:1629(lpcfg_do_global_parameter) WARNING: The "syslog only"...