Bug 15188 - Samba AD DC does not update msDS-SupportedEncryptionTypes during NETLOGON GetDomainInfo
Summary: Samba AD DC does not update msDS-SupportedEncryptionTypes during NETLOGON Get...
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.17.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-28 20:21 UTC by Andrew Bartlett
Modified: 2022-10-25 01:05 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2022-09-28 20:21:14 UTC
Further research and testing is required but it looks like the NETLOGON GetDomainInfo call should update msDS-SupportedEncryptionTypes as well as SPNs.

Samba's NETLOGON server fails to do this update, which might mean services are contacted using a weaker key.
Comment 2 Jo Sutton 2022-09-28 23:17:02 UTC
My testing so far indicates that GetDomainInfo does not update the msDS-SupportedEncryptionTypes attribute on Windows. Values placed by the client in NETLOGON_WORKSTATION_INFO.KerberosSupportedEncryptionTypes (aka netr_WorkstationInformation.supported_enc_types) are ignored. Windows just uses that field to return the current value of msDS-SupportedEncryptionTypes, or 0xffffffff if there isn't one.
Comment 3 Stefan Metzmacher 2022-09-30 08:50:31 UTC
(In reply to Joseph Sutton from comment #2)

The client should use LDAP modify to update the attribute
and it detects from the GetDomainInfo call that the servers value
isn't expected.
Comment 4 Andrew Bartlett 2022-10-10 06:40:15 UTC
Resolving as an INVALID concern per comment 3
Comment 5 Andrew Bartlett 2022-10-25 00:55:55 UTC
Removing embargo on this one, Samba's AD DC behaves like Windows and doesn't miss updates here.