net ads join does not provide AES keys in host keytab
Bug #1195871 reported by Michael Gliwinski
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba | Fix Released | Medium | | |
| samba (Fedora) | Fix Released | Medium | | |
| samba (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Ubuntu 12.10 and 13.04
Samba 3.6.9 configured to manage keytab ('kerberos method = secrets and keytab').
When joining an AD domain (`net ads join`) the keytab is created without AES keys, but instead includes only des-cbc-crc, des-cbc-md5, and arcfour-hmac keys.
This causes kinit using the machine keys to fail. To make it work /etc/krb5.conf needs to be modified to include:
default_
default_
in [libdefaults] section.
This has already been fixed upstream in Samba 3.6.10.
Changed in samba:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in samba (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
Description of problem:
When joining an AD domain with "net ads join" and smb.conf contains "kerberos method = secrets and keytab", the host keytab /etc/krb5.keytab is being created and a valid host principal of the form HOSTNAME$@REALM is included in the file. However, only des-cbc-crc, des-cbc-md5, and arcfour-hmac enctypes are included, no aes256 or aes128, even in an AD 2008R2 domain which has full AES support.
Aside from weaker security, with the aforementioned three enctypes things like "kinit -k -t /etc/krb5.keytab 'HOSTNAME$@REALM'" fail with the default krb5.conf (default_{tkt,tgs}_enctypes must be adjusted to be able to kinit).
"net ads join" should provide AES keys in the host keytab at least optionally if the domain controller supports AES, not only the previously mentioned three types (which are currently hard-coded in the source code).
Version-Release number of selected component (if applicable):
RHEL 6.2
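Both reports above describe the same symptom: after `net ads join` the machine principal has only single-DES and RC4 keys, so `kinit -k` against the keytab fails until krb5.conf is loosened. The following is an added example, not code from the Launchpad or Bugzilla reports nor from Samba: a POSIX shell post-join check that parses `klist -kte` output and tells you whether the host principal has any AES enctype, and which weak enctypes it has instead. It assumes MIT Kerberos enctype names as `klist` prints them (aes256-cts-hmac-sha1-96, arcfour-hmac, des-cbc-crc, ...); the two keytab listings and the principal HOST1$@EXAMPLE.COM are constructed samples standing in for a 3.6.9 join and for a join that produced AES keys.

```shell
#!/bin/sh
# Added example (not from the bug reports or Samba): verify that a host keytab
# written by `net ads join` really carries AES keys for the machine principal.

# Constructed sample: the keytab the bug reports describe (Samba 3.6.9 join),
# with only des-cbc-crc, des-cbc-md5 and arcfour-hmac keys.
BUGGY_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/1970 00:00:00 HOST1$@EXAMPLE.COM (des-cbc-crc)
   2 01/01/1970 00:00:00 HOST1$@EXAMPLE.COM (des-cbc-md5)
   2 01/01/1970 00:00:00 HOST1$@EXAMPLE.COM (arcfour-hmac)
   2 01/01/1970 00:00:00 host/host1.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample: what a join against an AES-capable DC should produce.
FIXED_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/1970 00:00:00 HOST1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/1970 00:00:00 HOST1$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/01/1970 00:00:00 HOST1$@EXAMPLE.COM (arcfour-hmac)'

# keytab_enctypes LISTING PRINCIPAL: print the enctypes recorded for PRINCIPAL,
# one per line, deduplicated. In `klist -kte` output the principal is the
# second-to-last field and the parenthesised enctype the last one.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 2 && $(NF-1) == p { e = $NF; gsub(/[()]/, "", e); print e }
    ' | LC_ALL=C sort -u
}

# has_aes_keys LISTING PRINCIPAL: exit 0 if any aes* enctype is present.
has_aes_keys() {
    keytab_enctypes "$1" "$2" | grep -q '^aes'
}

# weak_enctypes LISTING PRINCIPAL: print the single-DES and RC4 enctypes present,
# i.e. the three types the reports say the 3.6.9 join hard-codes.
weak_enctypes() {
    keytab_enctypes "$1" "$2" | grep -E '^(des-cbc-(crc|md5)|arcfour-hmac)$' || true
}

# check_keytab_file FILE PRINCIPAL: same check against a real keytab. Assumes
# MIT klist is installed and that you can read FILE (normally root only).
check_keytab_file() {
    has_aes_keys "$(klist -kte "$1")" "$2"
}

# report LABEL LISTING PRINCIPAL: one-line verdict for a post-join check.
report() {
    if has_aes_keys "$2" "$3"; then
        echo "$1: AES keys present for $3"
    else
        echo "$1: no AES keys for $3 (only: $(weak_enctypes "$2" "$3" | tr '\n' ' '))"
    fi
}

report buggy "$BUGGY_LISTING" 'HOST1$@EXAMPLE.COM'
report fixed "$FIXED_LISTING" 'HOST1$@EXAMPLE.COM'
```

After a join on a real host, `check_keytab_file /etc/krb5.keytab 'HOST1$@EXAMPLE.COM'` (with your own machine principal) gives the same verdict from the live keytab. If it reports no AES keys, the fix that keeps the stronger enctypes is the one the report points at: upgrade to Samba 3.6.10 or later and re-run the join, rather than adding RC4 or DES to default_tkt_enctypes/default_tgs_enctypes, which weakens every Kerberos client on the host, not just the machine account.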