
[Samba] Samba 4 DC - no AES kerberos tickets - only arcfour


Ritter, Marcel (RRZE)

Aug 18, 2015, 4:50:03 PM
Hi,

I've been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":

# kinit testuser1
test...@S4DOM.TEST's Password:

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Ticket etype: arcfour-hmac-md5, kvno 1

I can create keytabs containing aes128/aes256 keys (besides the arcfour ones), but if I'm trying to use them (e.g. for NFS client/server) the ccache files only report usage of "arcfour-hmac-md5".

Trying to remove non-aes keys from keytab, or limiting supported types will result in an error like this:

# kinit -e aes256-cts-hmac-sha1-96 Administrator
Admini...@S4DOM.TEST's Password:
kinit: krb5_get_init_creds: KDC has no support for encryption type

# kinit -e arcfour-hmac-md5 Administrator
Admini...@S4DOM.TEST's Password:
⇒ Succeeds, with arcfour ticket

This looks like the samba 4 DC does not offer AES encryption types at all.

So I tried to raise the function level (if I recall correctly AES should be enabled with 2008 R2), however the behaviour stays the same.

# samba-tool domain level raise --forest-level 2008_R2 --domain-level 2008_R2

I've reproduced this with Ubuntu 14.04.3 / Samba 4.1.6, but also with a current samba.git checkout - no difference so far.

What am I missing here?
Do I need to take some extra steps after the domain level raise to use AES?

Bye,
Marcel




--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Trever L. Adams

Aug 19, 2015, 12:00:03 AM
I recently had this problem. Have users change their passwords.


Ritter, Marcel (RRZE)

Aug 19, 2015, 2:10:03 AM
Hi Trever,

things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:

root@ubuntu1:~# kinit user09999
user...@S4DOM.TEST's Password:
root@ubuntu1:~# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user...@S4DOM.TEST
Cache version: 4

Server: krbtgt/S4DOM...@S4DOM.TEST
Client: user...@S4DOM.TEST
Ticket etype: arcfour-hmac-md5, kvno 1
Session key: aes256-cts-hmac-sha1-96
Ticket length: 1074
Auth time: Aug 19 07:53:10 2015
End time: Aug 19 17:53:04 2015
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless

Is there something like a "domain password/secret" that I need to reset too in order to get aes encryption for everything?

If so, how do I do that?

I also cross-checked this with our windows AD (same client) and I get an AES only ticket/key:

<...>
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 2278
<...>

Any other ideas?

Bye,
Marcel



-----Original Message-----
From: Trever L. Adams [mailto:tre...@middleearth.sapphiresunday.org]
Sent: Wednesday, 19 August 2015 05:55
To: Ritter, Marcel (RRZE) <marcel...@fau.de>; sa...@lists.samba.org
Subject: Re: [Samba] Samba 4 DC - no AES kerberos tickets - only arcfour

Trever L. Adams

Aug 19, 2015, 8:50:03 AM
My environment is S4 for servers only. All of my services are in Linux.
I am not sure what yours are.

https://lists.samba.org/archive/samba-technical/2015-February/105674.html

It is 0004-s4-scripting-devel-Add-tool-to-roll-over-the-krbtgt-.patch
that you are after.

I am using v4-2-stable for building my own. This patch was not applied
to this tree/branch, so you will have to pull it out of the email
message. Apply both parts of the patch. You will need to make
source4/scripting/devel/chgkrbtgtpass executable and then run it.

I know that was part of it. I also had to rejoin the Linux machines that
hosted services (this likely would have been unnecessary had I just
waited for them to change their passwords).

I hope this gets you the rest of the way.

Trever


Ritter, Marcel (RRZE)

Aug 24, 2015, 9:20:03 AM
Hi Trever,

on one of my machines I'm running latest samba git - your tools
are included there, and work nicely. On this machine I now got AES
working as expected - thanks a lot !

On my other test setup I'm running samba 4.1.6 (Ubuntu package).

Do you know if it's safe to run ./chgkrbtgtpass (from latest git)
against those databases if I intend to use the old packaged samba
version afterwards?

Bye,
Marcel



-----Original Message-----
From: Trever L. Adams [mailto:tre...@middleearth.sapphiresunday.org]
Sent: Wednesday, 19 August 2015 14:44
To: Ritter, Marcel (RRZE) <marcel...@fau.de>; sa...@lists.samba.org
Subject: Re: AW: [Samba] Samba 4 DC - no AES kerberos tickets - only arcfour
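The thread shows two separate places where RC4 can linger after AES is "enabled": the ticket's own encrypted part (protected by the service key, for a TGT the krbtgt key, which is why only the krbtgt password rollover fixed Marcel's "Ticket etype: arcfour-hmac-md5" while user password resets had already moved the session key to AES), and the session key negotiated for the client. The script below is an added example, not code from the Samba project or from either poster: it parses Heimdal `klist -v` output and reports which of the two keys is still RC4, so the remediation discussed above (reset the account's password, or roll the krbtgt password) can be picked per finding. The first sample listing is reconstructed from Marcel's second message with the principal names filled in from the values shown in the thread; the second, AES-only listing is constructed to show the expected end state after the krbtgt rollover.

```python
"""Audit Heimdal `klist -v` output for Kerberos tickets still using RC4.

Added example, not Samba code. Sample listings below are constructed
from the values in the thread (realm S4DOM.TEST, user user09999).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Etype names as Heimdal's klist prints them (RFC 3961/3962/4757 names).
RC4_ETYPES = {"arcfour-hmac-md5", "arcfour-hmac-md5-56"}
AES_ETYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}


@dataclass
class Ticket:
    server: str
    client: str
    ticket_etype: str  # etype of the ticket's encrypted part (service/krbtgt key)
    session_key: str   # etype of the session key negotiated for the client


_FIELD = re.compile(r"^(Server|Client|Ticket etype|Session key):\s*(.+?)\s*$")


def parse_klist_v(text: str) -> list[Ticket]:
    """Parse the per-ticket blocks of `klist -v`; each block starts with 'Server:'."""
    tickets: list[Ticket] = []
    cur: dict[str, str] = {}
    for raw in text.splitlines():
        m = _FIELD.match(raw.strip())
        if not m:
            continue  # header lines (Credentials cache, Principal, ...) and other fields
        field, value = m.groups()
        if field == "Server":
            if cur:
                tickets.append(Ticket(**cur))
            cur = {"server": value, "client": "", "ticket_etype": "", "session_key": ""}
        elif field == "Client":
            cur["client"] = value
        elif field == "Ticket etype":
            # "arcfour-hmac-md5, kvno 1" -> keep only the etype name
            cur["ticket_etype"] = value.split(",")[0].strip()
        elif field == "Session key":
            cur["session_key"] = value
    if cur:
        tickets.append(Ticket(**cur))
    return tickets


def audit(tickets: list[Ticket]) -> list[str]:
    """One finding per RC4 component, naming which key is still RC4 and the fix."""
    findings = []
    for t in tickets:
        if t.ticket_etype in RC4_ETYPES:
            if t.server.startswith("krbtgt/"):
                fix = "krbtgt key is still RC4: roll the krbtgt password"
            else:
                fix = f"service key of {t.server} is still RC4: reset that account's password"
            findings.append(f"{t.server}: ticket etype {t.ticket_etype} -> {fix}")
        if t.session_key in RC4_ETYPES:
            findings.append(
                f"{t.server}: session key {t.session_key} -> client {t.client} has no AES key "
                "or does not offer AES etypes: reset its password / fix client enctype config"
            )
    return findings


# Constructed from the thread: user password reset done, krbtgt key still RC4.
SAMPLE_AFTER_USER_RESET = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user09999@S4DOM.TEST
Cache version: 4

Server: krbtgt/S4DOM.TEST@S4DOM.TEST
Client: user09999@S4DOM.TEST
Ticket etype: arcfour-hmac-md5, kvno 1
Session key: aes256-cts-hmac-sha1-96
Ticket length: 1074
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless
"""

# Constructed: expected state after the krbtgt password rollover (kvno bumped).
SAMPLE_AES_ONLY = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user09999@S4DOM.TEST
Cache version: 4

Server: krbtgt/S4DOM.TEST@S4DOM.TEST
Client: user09999@S4DOM.TEST
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Session key: aes256-cts-hmac-sha1-96
Ticket length: 2278
Addresses: addressless
"""

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_AFTER_USER_RESET), ("after", SAMPLE_AES_ONLY)):
        print(name, audit(parse_klist_v(sample)) or ["all AES"])
```

On a live host, pipe the real listing in (`klist -v | python3 audit_klist.py` with a small `sys.stdin.read()` wrapper) right after `kinit`; a finding against `krbtgt/REALM@REALM` is the signature of the krbtgt-key problem from this thread, a finding against any other service principal points at that service account's own key.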