Am 27.02.2015 um 22:13 schrieb Sim Josh: > Hi all, > I recently installed Samba 4.1.13 on my Linux machine and I am connecting > it to a windows domain on the domain controller with Windows server 2008 R2 > Standard as the OS. > > My Samba setup is able to successfully join the windows domain. The > Kerberos encryption type used during Session setup (from the wireshark > traces) is AES256 (eTYPE_AES256_CTS_HMAC_SHA1_96). > > However, when I map a share to the Samba server from a windows 7 client, I > see that the ticket obtained from the Kerberos on the domain controller is > encrypted in an older encryption type - eTYPE_ARCFOUR_HMAC_MD5. This ticket > is later used by the windows client to communicate with the Samba server. > > So the problem that I am seeing is that windows 7 client is not using > AES256 for encryption when I map a share to Samba server, but AES256 is > being used during join domain. > I searched through Samba documentation but could not find much about this. > > Does Samba 4 support AES256 Kerberos encryption? If so, is there anything > wrong with my configuration on the Samba server side?
This behaviour is controlled by the msDS-SupportedEncryptionTypes attribute on the computer account in active directory, see http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx Samba 4.2 will have new subcommands for "net": ADS ENCTYPES List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD. This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values: 0x00000001 DES-CBC-CRC 0x00000002 DES-CBC-MD5 0x00000004 RC4-HMAC 0x00000008 AES128-CTS-HMAC-SHA1-96 0x00000010 AES256-CTS-HMAC-SHA1-96 ADS ENCTYPES LIST <ACCOUNTNAME> List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account. Example: net ads enctypes list Computername ADS ENCTYPES SET <ACCOUNTNAME> [enctypes] Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types. Example: net ads enctypes set Computername 24 ADS ENCTYPES DELETE <ACCOUNTNAME> Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME. Example: net ads enctypes set Computername 24 metze
signature.asc
Description: OpenPGP digital signature
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
