Bug 15213 - winbind should routinely update msDS-SupportedEncryptionTypes
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.17.1
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Blocks: 15238
Reported: 2022-10-25 01:05 UTC by Andrew Bartlett
Modified: 2022-11-17 15:17 UTC
Description Andrew Bartlett 2022-10-25 01:05:09 UTC
Kerberos targets in Active Directory should negotiate with their KDC to use the strongest mutually supported encryption type for their shared key. (This is not normally required in an MIT realm, where the keytab is administratively configured and provided to the target.)

Samba does this, setting msDS-SupportedEncryptionTypes at join time. However, it is not updated later, so if the join was done over RPC we would still be sent arcfour-hmac-md5 keys.

Per https://bugzilla.samba.org/show_bug.cgi?id=15188#c3, Samba's winbindd should confirm the currently set value for msDS-SupportedEncryptionTypes using NETLOGON GetDomainInfo, contact the KDC using LDAP, and update msDS-SupportedEncryptionTypes if this isn't the strongest common type.

RFC 8429 encourages moving away from arcfour-hmac-md5 (and the DES encryption types), so there is good precedent for making this move.
Comment 1 Stefan Metzmacher 2022-10-25 07:17:51 UTC
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master-exchange has some code for winbindd to call netlogon_creds_cli_LogonGetDomainInfo(), but the tricky part is getting the netr_OsVersionInfoEx stuff right, as at least for the AD DC it's important for the exchange installer...
Comment 2 Andrew Bartlett 2022-11-14 22:01:58 UTC
Any automated updates should probably follow whatever values are being pushed out via group policy and consider that some of the other bits here may have been set manually (Resource-SID-compression-disabled for example).

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919
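To illustrate the check the report asks for together with the caution in comment 2, here is an added example (my own, not Samba's winbind code): it decides whether the published msDS-SupportedEncryptionTypes value still leaves the KDC on a weaker enctype than host and KDC could share, and computes the replacement while carrying over non-enctype flag bits such as Resource-SID-compression-disabled. Bit values are those listed in MS-KILE 2.2.7; the function names and the scenario in main() are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit flags of msDS-SupportedEncryptionTypes as listed in MS-KILE 2.2.7. */
#define ENC_DES_CBC_CRC                       0x00000001u
#define ENC_DES_CBC_MD5                       0x00000002u
#define ENC_RC4_HMAC_MD5                      0x00000004u
#define ENC_AES128_CTS_HMAC_SHA1_96           0x00000008u
#define ENC_AES256_CTS_HMAC_SHA1_96           0x00000010u
#define ENC_RESOURCE_SID_COMPRESSION_DISABLED 0x00080000u
/* Only these bits describe key types; the higher bits are capability flags
 * (FAST, claims, SID compression, ...) that policy or an admin may have set. */
#define ENC_TYPE_MASK (ENC_DES_CBC_CRC | ENC_DES_CBC_MD5 | ENC_RC4_HMAC_MD5 | \
                       ENC_AES128_CTS_HMAC_SHA1_96 | ENC_AES256_CTS_HMAC_SHA1_96)

/* Strongest enctype shared by both masks, or 0. The bit values increase with
 * strength (DES < RC4 < AES128 < AES256), so the highest common bit wins. */
uint32_t strongest_common_enctype(uint32_t a, uint32_t b)
{
    uint32_t common = a & b & ENC_TYPE_MASK, best = 0;
    for (uint32_t bit = ENC_DES_CBC_CRC; bit <= ENC_AES256_CTS_HMAC_SHA1_96; bit <<= 1)
        if (common & bit) best = bit;
    return best;
}

/* True when the published value (as read back via NETLOGON GetDomainInfo)
 * leaves the KDC issuing a weaker key than host and KDC could share. */
bool enctypes_need_update(uint32_t published, uint32_t kdc, uint32_t host)
{
    return strongest_common_enctype(published, kdc) <
           strongest_common_enctype(host, kdc);
}

/* Value to write back over LDAP: enctype bits replaced by what the host
 * supports, every other flag bit carried over untouched. */
uint32_t merge_supported_enctypes(uint32_t published, uint32_t host)
{
    return (published & ~ENC_TYPE_MASK) | (host & ENC_TYPE_MASK);
}

int main(void)
{   /* Constructed case: an RPC join published RC4 only; the SID-compression flag was set by hand. */
    uint32_t published = ENC_RC4_HMAC_MD5 | ENC_RESOURCE_SID_COMPRESSION_DISABLED;
    uint32_t aes = ENC_RC4_HMAC_MD5 | ENC_AES128_CTS_HMAC_SHA1_96 | ENC_AES256_CTS_HMAC_SHA1_96;
    if (enctypes_need_update(published, aes, aes))
        printf("msDS-SupportedEncryptionTypes -> 0x%08x\n", merge_supported_enctypes(published, aes));
    return 0;
}
```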