Bug 6427 - Add win2k8 encryption support
Summary: Add win2k8 encryption support
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All Windows 2008
: P3 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-01 04:51 UTC by Zhou Weikuan
Modified: 2015-06-15 08:19 UTC (History)
4 users (show)

See Also:

Attachments
AES encryption (1.16 KB, patch)
2009-06-01 04:54 UTC, Zhou Weikuan 		no flags Details
quick AES test patch for defect verification (388 bytes, patch)
2010-10-04 19:51 UTC, Joshua Hawkinson (mail address dead) 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Zhou Weikuan 2009-06-01 04:51:54 UTC 
Win2k8 encryption support, add AES into encryption list. Win2k8 uses AES as the preferred encryption if it runs in win2k8 function level.  If we use `kinit administrator` to create kerberos cache first, and then run `net ads user` without specifying the account explicitly,  net doesn't work. This patch resolves this.

Yet it seems AES is much more time-consuming than ARCFOUR.
Comment 1 Zhou Weikuan 2009-06-01 04:54:18 UTC 
Created attachment 4227 [details]
AES encryption

Comments from Andrew Bartlett:
I would rather see us remove this entirely, and use the defaults.  Since
we needed this, the Kerberos libs have impoved their defaults, and
hopefully there are not too many brain-dead config files left around

----------------------------
so I just report a bug and wait for the answer.
Comment 2 Derrell Lipman 2009-10-21 08:02:16 UTC 
select more appropriate component and reassign to default assignee
Comment 3 Joshua Hawkinson (mail address dead) 2010-10-04 19:19:40 UTC 
Just a bit of additional information.  It seems that if you manually set the domains security policies to only use AES encryption that samba 3.5.5 (winbindd / net) will not be able to connect.  As a proof of concept we implemented a similar patch in clikrb5.c and it seemed to work around problems with the initial join, and user import (have not tested client communication yet).
Comment 4 Jeremy Allison 2010-10-04 19:29:15 UTC 
Can you attach the patch please so I can take a look ?
Jeremy.
Comment 5 Joshua Hawkinson (mail address dead) 2010-10-04 19:51:59 UTC 
Created attachment 5997 [details]
quick AES test patch for defect verification

Sure! however this is just a quick proof of concept patch to verify that it addressed the problem that we have seen. A bit of additional information on the test

We're using a 2008 R2 domain running at the highest functional level
No GPO modifications except for the following setting:
   Network Security: Configure encryption types allowed for kerberos = AES128, AES256
after this is set domain connectivity seems to not work.

Here is a snippet from the net command output:

ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
kerberos_kinit_password: as administrator@NEMESIS.KHAOS using [MEMORY:net_ads] as ccache and config [/tmp/krb5.conf.4131]
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 01 Oct 2010 07:27:16 UTC
ads_krb5_mk_req: Ticket (ldap/nemesisdc.nemesis.khaos@NEMESIS.KHAOS) in ccache (MEMORY:net_ads) is valid until: (Fri, 01 Oct 2010 07:27:16 UTC - 1285918036)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
Got KRB5 session key of length 16
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
ads_connect: leaving with: Invalid credentials
Comment 6 Stefan Metzmacher 2015-06-15 08:19:31 UTC 
This was added in samba-3.6.10.