[Bug 1195871] Re: net ads join does not provide AES keys in host keytab

Bug Watch Updater 1195871 at bugs.launchpad.net
Sat Oct 28 03:28:45 UTC 2017 

Launchpad has imported 6 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=748407.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-10-24T11:29:57+00:00 Marko wrote:

Description of problem:
When joining an AD domain with "net ads join" and smb.conf contains "kerberos method = secrets and keytab", the host keytab /etc/krb5.keytab is being created and a valid host principal of form HOSTNAME$@REALM in included in the file. However, only des-cbc-crc, des-cbc-md5, and arcfour-hmac enctypes are included, no aes256 or aes128 even in AD 2008R2 domain which has full AES support.

Aside from weaker security, with the aforementioned three enctypes
things like "kinit -k -t /etc/krb5.keytab 'HOSTNAME$@REALM'" fail with
the default krb5.conf (default_{tkt,tgs}_enctypes must be adjusted to be
able to kinit).

"net ads join" should provide AES keys in the host keytab at least
optionally if the domain controller supports AES, not only the
previously mentioned three types (which are currently hard-coded in the
source code).

Version-Release number of selected component (if applicable):
RHEL 6.2

Reply at:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1195871/comments/0

------------------------------------------------------------------------
On 2011-10-24T12:48:40+00:00 Sumit wrote:

Since this is an enhancement and not a bug fix and a solutions need to
be coordinated with upstream I think it is too late for 6.2.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1195871/comments/1

------------------------------------------------------------------------
On 2012-01-24T23:49:20+00:00 RHEL wrote:

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1195871/comments/2

------------------------------------------------------------------------
On 2012-07-10T06:50:11+00:00 RHEL wrote:

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1195871/comments/3

------------------------------------------------------------------------
On 2012-07-11T01:53:20+00:00 RHEL wrote:

This request was erroneously removed from consideration in Red Hat
Enterprise Linux 6.4, which is currently under development.  This
request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1195871/comments/4

------------------------------------------------------------------------
On 2013-02-21T08:44:28+00:00 errata-xmlrpc wrote:

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0338.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1195871/comments/5


** Changed in: samba (Fedora)
       Status: Unknown => Fix Released

** Changed in: samba (Fedora)
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1195871

Title:
   net ads join does not provide AES keys in host keytab

Status in samba:
  Fix Released
Status in samba package in Ubuntu:
  Fix Released
Status in samba package in Fedora:
  Fix Released

Bug description:
  Ubuntu 12.10 and 13.04

  Samba 3.6.9 configured to manage keytab ('kerberos method = secrets
  and keytab').

  When joining an AD domain (`net ads join`) the keytab is created
  without AES keys, but instead includes only des-cbc-crc, des-cbc-md5,
  and arcfour-hmac keys.

  This causes kinit using the machine keys to fail.  To make it work
  /etc/krb5.conf needs to be modified to include:

    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

  in [libdefaults] section.

  This has already been fixed upstream in Samba 3.6.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1195871/+subscriptions

More information about the foundations-bugs mailing list