Ubuntu
samba package

net ads join does not provide AES keys in host keytab

Bug #1195871 reported by Michael Gliwinski
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
samba
Fix Released
Medium
samba (Fedora)
Fix Released
Medium
samba (Ubuntu)
Fix Released
High
Unassigned

Bug Description

Ubuntu 12.10 and 13.04

Samba 3.6.9 configured to manage keytab ('kerberos method = secrets and keytab').

When joining an AD domain (`net ads join`) the keytab is created without AES keys, but instead includes only des-cbc-crc, des-cbc-md5, and arcfour-hmac keys.

This causes kinit using the machine keys to fail. To make it work /etc/krb5.conf needs to be modified to include:

  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

in [libdefaults] section.

This has already been fixed upstream in Samba 3.6.10.

Revision history for this message
In , Marko (marko-redhat-bugs) wrote :

Description of problem:
When joining an AD domain with "net ads join" and smb.conf contains "kerberos method = secrets and keytab", the host keytab /etc/krb5.keytab is being created and a valid host principal of form HOSTNAME$@REALM in included in the file. However, only des-cbc-crc, des-cbc-md5, and arcfour-hmac enctypes are included, no aes256 or aes128 even in AD 2008R2 domain which has full AES support.

Aside from weaker security, with the aforementioned three enctypes things like "kinit -k -t /etc/krb5.keytab 'HOSTNAME$@REALM'" fail with the default krb5.conf (default_{tkt,tgs}_enctypes must be adjusted to be able to kinit).

"net ads join" should provide AES keys in the host keytab at least optionally if the domain controller supports AES, not only the previously mentioned three types (which are currently hard-coded in the source code).

Version-Release number of selected component (if applicable):
RHEL 6.2

Revision history for this message
In , Sumit (sumit-redhat-bugs) wrote :

Since this is an enhancement and not a bug fix and a solutions need to be coordinated with upstream I think it is too late for 6.2.

Revision history for this message
In , RHEL (rhel-redhat-bugs) wrote :

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update release.

Revision history for this message
In , RHEL (rhel-redhat-bugs) wrote :

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Revision history for this message
In , RHEL (rhel-redhat-bugs) wrote :

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0338.html

Bug Watch Updater (bug-watch-updater)
Changed in samba:
importance: Unknown → Medium
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Revision history for this message
Adam Koczur (sbv) wrote :

This is also affecting samba 3.6.3 in 12.04

Revision history for this message
Sebastien Bacher (seb128) wrote :

That's fixed in the current version

Changed in samba (Ubuntu):
importance: Undecided → High
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in samba (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.