Bug 6427 - Add win2k8 encryption support
Product: Samba 3.4
Classification: Unclassified
Component: File services
Platform: All / Windows 2008
Importance: P3 normal
Target Milestone: ---
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2009-06-01 04:51 UTC by Zhou Weikuan
Modified: 2015-06-15 08:19 UTC
CC List: 4 users

Attachments:
AES encryption (1.16 KB, patch), 2009-06-01 04:54 UTC, Zhou Weikuan
quick AES test patch for defect verification (388 bytes, patch), 2010-10-04 19:51 UTC, Joshua Hawkinson (mail address dead)

Description Zhou Weikuan 2009-06-01 04:51:54 UTC
Win2k8 encryption support: add AES to the encryption list. Win2k8 uses AES as the preferred encryption if it runs at the win2k8 functional level. If we use `kinit administrator` to create a Kerberos cache first, and then run `net ads user` without specifying the account explicitly, net doesn't work. This patch resolves this.

Yet it seems AES is much more time-consuming than ARCFOUR.
Comment 1 Zhou Weikuan 2009-06-01 04:54:18 UTC
Created attachment 4227 [details]
AES encryption

Comments from Andrew Bartlett:
I would rather see us remove this entirely, and use the defaults. Since
we needed this, the Kerberos libs have improved their defaults, and
hopefully there are not too many brain-dead config files left around.

so I just report a bug and wait for the answer.
Comment 2 Derrell Lipman 2009-10-21 08:02:16 UTC
select more appropriate component and reassign to default assignee
Comment 3 Joshua Hawkinson (mail address dead) 2010-10-04 19:19:40 UTC
Just a bit of additional information. It seems that if you manually set the domain's security policies to only use AES encryption, samba 3.5.5 (winbindd / net) will not be able to connect. As a proof of concept we implemented a similar patch in clikrb5.c and it seemed to work around problems with the initial join and user import (have not tested client communication yet).
Comment 4 Jeremy Allison 2010-10-04 19:29:15 UTC
Can you attach the patch please so I can take a look?
Comment 5 Joshua Hawkinson (mail address dead) 2010-10-04 19:51:59 UTC
Created attachment 5997 [details]
quick AES test patch for defect verification

Sure! However, this is just a quick proof of concept patch to verify that it addressed the problem that we have seen. A bit of additional information on the test:

We're using a 2008 R2 domain running at the highest functional level.
No GPO modifications except for the following setting:
   Network Security: Configure encryption types allowed for kerberos = AES128, AES256
After this is set, domain connectivity seems to not work.

Here is a snippet from the net command output:

ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
kerberos_kinit_password: as administrator@NEMESIS.KHAOS using [MEMORY:net_ads] as ccache and config [/tmp/krb5.conf.4131]
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 01 Oct 2010 07:27:16 UTC
ads_krb5_mk_req: Ticket (ldap/nemesisdc.nemesis.khaos@NEMESIS.KHAOS) in ccache (MEMORY:net_ads) is valid until: (Fri, 01 Oct 2010 07:27:16 UTC - 1285918036)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
Got KRB5 session key of length 16
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
ads_connect: leaving with: Invalid credentials
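To illustrate the failure mode in the description and in comment 5, here is an added Python model (not Samba's code and not the attached patches) of how the client's enctype preference list and the DC's allowed-enctype bitmask decide whether the bind can succeed and which enctype is chosen. The pre-patch client list is an assumption about Samba 3.5.5, and the session-key-length helper only maps the "Got KRB5 session key of length 16" log line back to the enctypes that produce a 16-byte key.

```python
# Added example (not Samba code): how a Kerberos client's enctype
# preference list and a Windows 2008 DC's allowed-enctype bitmask
# (GPO "Configure encryption types allowed for Kerberos") decide
# whether authentication succeeds, and which enctype is chosen.

# Session-key sizes in bytes per RFC 3961 / RFC 3962 / RFC 4757.
KEY_BYTES = {"des-cbc-crc": 8, "des-cbc-md5": 8, "arcfour-hmac-md5": 16,
             "aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}

# Bits of the Windows msDS-SupportedEncryptionTypes value set by the GPO.
SUPPORTED_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

def gpo_allowed_enctypes(mask):
    """Expand the GPO bitmask into the enctype names the DC will accept."""
    return {name for bit, name in SUPPORTED_ENCTYPE_BITS.items() if mask & bit}

def negotiate(client_prefs, gpo_mask):
    """First client-preferred enctype the DC also allows, or None (bind fails)."""
    allowed = gpo_allowed_enctypes(gpo_mask)
    return next((e for e in client_prefs if e in allowed), None)

def session_key_candidates(length):
    """Enctypes consistent with a 'Got KRB5 session key of length N' log line."""
    return {e for e, n in KEY_BYTES.items() if n == length}

# Assumed pre-patch Samba 3.5.5 client list (no AES), and the same list
# with AES added and preferred, which is what the attached patches do.
OLD_SAMBA = ["arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"]
PATCHED_SAMBA = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"] + OLD_SAMBA
AES_ONLY_GPO = 0x08 | 0x10  # "AES128, AES256" as set in comment 5

if __name__ == "__main__":
    print("pre-patch vs AES-only DC:", negotiate(OLD_SAMBA, AES_ONLY_GPO))
    print("patched vs AES-only DC:", negotiate(PATCHED_SAMBA, AES_ONLY_GPO))
    print("key length 16 could be:", sorted(session_key_candidates(16)))
```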
Comment 6 Stefan Metzmacher 2015-06-15 08:19:31 UTC
This was added in samba-3.6.10.