Bug 9869 - changing encryption protocols after migration from samba v3 to v4
Summary: changing encryption protocols after migration from samba v3 to v4
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.12.2
Hardware: All Linux
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-07 13:54 UTC by miquel
Modified: 2020-05-17 21:49 UTC (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description miquel 2013-05-07 13:54:14 UTC 
We are migrating samba3 to samba4, all our clients are windows7.
We have performed classicupgrade without problems, but samba only uses
RC4 as kerberos encryption.
We have made a domain level raise to 2008_R2, but samba still uses RC4
instead AES. 

As a test we forced the use of the AES256 encryption by setting in the
file /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py:
      result = provision(logger, session_info, None,
                         targetdir=targetdir, realm=realm, domain=domainname,
                         domainsid=str(domainsid), next_rid=next_rid,
                         dc_rid=machinerid, adminpass = adminpass,
- dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
+ dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2008_R2,
                         hostname=netbiosname.lower(),
machinepass=machinepass,
                         serverrole=serverrole, samdb_fill=FILL_FULL,
                         useeadb=useeadb, dns_backend=dns_backend,
use_rfc2307=True,
                         use_ntvfs=use_ntvfs, skip_sysvolacl=True) 

Workarraund: 
 - Run source4/scripting/devel/chgtdcpass
 - samba-tool user password krbtgt