[Bug 1195871] [NEW] net ads join does not provide AES keys in host keytab

Michael Gliwinski Michael.Gliwinski at henderson-group.com
Fri Jun 28 20:06:34 UTC 2013


Public bug reported:

Ubuntu 12.10 and 13.04

Samba 3.6.9 configured to manage keytab ('kerberos method = secrets and
keytab').

When joining an AD domain (`net ads join`) the keytab is created without
AES keys, but instead includes only des-cbc-crc, des-cbc-md5, and
arcfour-hmac keys.

This causes kinit using the machine keys to fail.  To make it work
/etc/krb5.conf needs to be modified to include:

  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

in the [libdefaults] section.

This has already been fixed upstream in Samba 3.6.10.

** Affects: samba
     Importance: Unknown
         Status: Unknown

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: samba (Fedora)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Samba Bugzilla #9272
   https://bugzilla.samba.org/show_bug.cgi?id=9272

** Also affects: samba via
   https://bugzilla.samba.org/show_bug.cgi?id=9272
   Importance: Unknown
       Status: Unknown

** Bug watch added: Red Hat Bugzilla #748407
   https://bugzilla.redhat.com/show_bug.cgi?id=748407

** Also affects: samba (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=748407
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1195871
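
A check for the condition this report describes, as an added example (not part of the original report and not Samba's code): it parses an MIT-format keytab (file version 0x0502) and lists the principals that have no AES key. The principal, realm and key bytes in the sample are constructed, and `make_entry` is a hypothetical helper used only to build that sample.

```python
import struct

# Kerberos enctype numbers for the types named in the report, plus AES.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
AES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

def _counted(buf, off):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Parse keytab bytes (format 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:                      # negative size = deleted entry (hole)
            pos += 4 - size
            continue
        rec, pos = data[pos + 4:pos + 4 + size], pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            parts.append(comp.decode())
        # Skip name type and timestamp (8 bytes); the 8-bit kvno is used and
        # the optional trailing 32-bit kvno is ignored in this example.
        kvno, etype = struct.unpack_from(">BH", rec, p + 8)
        out.append(("/".join(parts) + "@" + realm.decode(), kvno,
                    ENCTYPES.get(etype, "etype-%d" % etype)))
    return out

def principals_without_aes(entries):
    """Principals that have no AES key at all, the condition in this report."""
    have = {}
    for princ, _, etype in entries:
        have.setdefault(princ, set()).add(etype)
    return sorted(p for p, ets in have.items() if not ets & AES)

def make_entry(comps, realm, kvno, etype, key):  # hypothetical sample builder
    f = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + f(realm) + b"".join(map(f, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + f(key))
    return struct.pack(">i", len(body)) + body

# Constructed sample: the three enctypes from the report, all-zero dummy keys.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry([b"host", b"ws1.example.test"], b"EXAMPLE.TEST", 2, e, bytes(n))
    for e, n in ((1, 8), (3, 8), (23, 16)))
```

To check a real host, pass the bytes of its keytab file to `keytab_entries` and then to `principals_without_aes`.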
