Win2k8 encryption support, add AES into encryption list. Win2k8 uses AES as the preferred encryption if it runs in win2k8 function level. If we use `kinit administrator` to create kerberos cache first, and then run `net ads user` without specifying the account explicitly, net doesn't work. This patch resolves this.
Yet it seems AES is much more time-consuming than ARCFOUR.
Created attachment 4227 [details]
Comments from Andrew Bartlett:
I would rather see us remove this entirely, and use the defaults. Since
we needed this, the Kerberos libs have impoved their defaults, and
hopefully there are not too many brain-dead config files left around
so I just report a bug and wait for the answer.
select more appropriate component and reassign to default assignee
Just a bit of additional information. It seems that if you manually set the domains security policies to only use AES encryption that samba 3.5.5 (winbindd / net) will not be able to connect. As a proof of concept we implemented a similar patch in clikrb5.c and it seemed to work around problems with the initial join, and user import (have not tested client communication yet).
Can you attach the patch please so I can take a look ?
Created attachment 5997 [details]
quick AES test patch for defect verification
Sure! however this is just a quick proof of concept patch to verify that it addressed the problem that we have seen. A bit of additional information on the test
We're using a 2008 R2 domain running at the highest functional level
No GPO modifications except for the following setting:
Network Security: Configure encryption types allowed for kerberos = AES128, AES256
after this is set domain connectivity seems to not work.
Here is a snippet from the net command output:
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
kerberos_kinit_password: as administrator@NEMESIS.KHAOS using [MEMORY:net_ads] as ccache and config [/tmp/krb5.conf.4131]
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 01 Oct 2010 07:27:16 UTC
ads_krb5_mk_req: Ticket (ldap/nemesisdc.nemesis.khaos@NEMESIS.KHAOS) in ccache (MEMORY:net_ads) is valid until: (Fri, 01 Oct 2010 07:27:16 UTC - 1285918036)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
Got KRB5 session key of length 16
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
ads_connect: leaving with: Invalid credentials
This was added in samba-3.6.10.