search for: permitted_enctyp

...line. > > but it includes other file too from package > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch > > $ ls -l /etc/krb5.conf.d > lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> > /etc/crypto-policies/back-ends/krb5.config > > [libdefaults] > permitted_enctypes = aes256-cts-hmac-sha384-192 > aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac > > When I remove this file, command returns correct results Oh you did, please do not put it back. > > I suppose permitted_e...

...ers#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File > > Just remove the 'includedir' line. > > I'm not sure my samba version is including files from that directory without problems When I've removed first two permitted_enctypes: aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 to be: permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac command works No matter if this is included in file /etc/krb5.conf.d/crypto-policies or in main file /etc/krb5.conf So...

...ads_verify_ticket: enc type [3] failed to decrypt with ~ error Bad encryption type ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad ~ encryption type) ~ Failed to verify incoming ticket! The only way I have been able to reproduce this locally using MIT 1.3.1 is by setting a list of permitted_enctypes in /etc/krb5.conf. For example, ~ [libdefaults] ~ dns_lookup_kdc = true ~ default_tgs_enctypes = des-cbc-md5 ~ default_tkt_enctypes = des-cbc-md5 ~ permitted_enctypes = des-cbc-md5 des-cbc-crc Commenting out the last line solved things in my tests. Usually I have a very minimal krb5.c...

...etc/krb5.conf by this line includedir /etc/krb5.conf.d/ but it includes other file too from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch $ ls -l /etc/krb5.conf.d lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config [libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac When I remove this file, command returns correct results I suppose permitted_enctypes are not compatible with this samba version, I'm not sure wh...

...efault = FILE:/var/log/kerberos/krb5libs.log kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = DRAF.FC default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 permitted_enctypes = des-cbc-crc des-cbc-md5 #default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc #default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc #permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = false kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forw...

...r_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File > > > > Just remove the 'includedir' line. > > > > I'm not sure > > my samba version is including files from that directory without > problems > > > When I've removed first two permitted_enctypes: > > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 > > to be: > permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 > camellia256-cts-cmac camellia128-cts-cmac > > command works > > No matter if this is included in file > /etc/krb5.con...

Hai, You may need to add the the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enc...

...ibdefaults] default_realm = MYDOMINIO.COM dns_lookup_kdc = no dns_lookup_realm = no ticket_lifetime = 24h default_keytab_name = /etc/squid3/PROXY.keytab ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des...

...eros. The most strange for me it's that the same environment works fine with a W2K Active Directory, I read in same list the problem was the kerberos 1.2.x, then I changed to 1.3.3, but the problem remains. I also have tried the following combinations of parameters in the krb5.conf Test 1 - No permitted_enctypes [libdefaults] default_realm = HOME.EHC # The following krb5.conf variables are only for MIT Kerberos. default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 #permitted_enctypes = des-cbc-crc des-cbc-md5 Result [2004/04/18 10:38:34, 10] libads/kerberos...

...d for encrypted timestamp: aes256-cts/000A In my setup, i dont have aes256-cts available in my keytab, do you? You can try adding this, to krb5.conf. ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES ; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-...

...encrypt passwords = yes hosts allow = 10.0.0. 127. KRB5.CONF: -------------- [libdefaults] ticket_lifetime = 600 default_realm = DOMAIN.EXAMPLE.COM dns_lookup_kdc=0 dns_lookup_realm=0 dns_fallback=0 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc permitted_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc des-cbc-md5 arc foug-hmac-md5 arcfour-hmac-md [realms] DOMAIN.EXAMPLE.COM = { kdc = 10.0.0.1 } [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log Pretty generic, I know...

On Fri, 05 Apr 2024 17:18:12 +0200 pavel.lisy at gmail.com wrote: > > Now I've found some differences in /etc/krb5.conf > and it seams to be possible root cause. > > I will write summary after further testing. > Ah, yes, I should have remembered that you are running 'experimental' DCs on Fedora and they do strange things to the krb5.conf. All you need is this:

...ba at lists.samba.org> wrote: Hai, You may need to add the the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 per...

...beros/krb5libs.log kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = HQ.ARKONNETWORKS.COM default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = false kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forwardable = true proxiable = true [realms] HQ.ARKONNETWORKS.COM = { kdc = dc2.hq.arkonnetworks.com:88 admin_server = dc2.hq.arkonnetwo...

.... The most strange for me it's that the same environment works fine with a W2K Active Directory, I read in same list the problem was the kerberos 1.2.x, then I changed to 1.3.3, but the problem remains. I also have tried the following combinations of parameters in the krb5.conf Test 1 - No permitted_enctypes [libdefaults] default_realm = HOME.EHC # The following krb5.conf variables are only for MIT Kerberos. default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 #permitted_enctypes = des-cbc-cr...

...ia samba" <samba at lists.samba.org> wrote: Hai, You may need to add the the following in krb5.conf [libdefaults]  allow_weak_crypto = true ; for Windows 2003 ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES     default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5     default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5     permitted_enc...

...om > } > #[domain_realms] > #.kerberos.server=CAR.BE.TEST.COM > > # The following krb5.conf variables are only for MIT Kerberos. > default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > krb4_config = /etc/krb.conf > krb4_realms = /etc/krb.realms > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > > > v4_instance_resolve = false >...

...realm = true dns_lookup_kdc = true forwardable = true ticket_lifetime = 24h renew_lifetime = 7d default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 # net ads keytab list # I'm wondering if this is in any way related to the Kerberos hardening changes that was introduced by Microsoft in late 2022 and to be performed in phases throughout 2023? What else should I be checking for? What...

....test.com default_domain = car.be.test.com } #[domain_realms] #.kerberos.server=CAR.BE.TEST.COM # The following krb5.conf variables are only for MIT Kerberos. default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true v4_instance_resolve = false v4_name_convert = { host =...

...TR record exists for both servers? Does CIFS/spn and root/spn exist in the AD? In krb5.conf, set these : ; not used for nfs4 but cifs might need it. ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES, (cifs and nfs4) default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5...