Univention Bugzilla – Bug 56077
Samba Kerberos principals are only allowed to use RC4 ticket encryption as default
Last modified: 2023-06-21 09:24:42 CEST
When a new Kerberos service principal (or any user) is created, they are only allowed to negotiate an RC4 key for their Kerberos tickets. This is controlled by the attribute msDS-SupportedEncryptionTypes. If it is set to 0 or not set at all, it means RC4 only. Since https://www.samba.org/samba/security/CVE-2022-37966.html, principals are also allowed to negotiate a session key for AES encryption types, even if msDS-SupportedEncryptionTypes is 0. So the session key is usually OK. But this is especially problematic for service accounts. If a service was created with the default msDS-SupportedEncryptionTypes, each service ticket for that service will be RC4 encrypted, even if the service principal and the user have AES keys. Samba has the smb.conf option "kerberos encryption types = " to configure this default. We should set it to 28, which means AES256, AES128 and RC4. Maybe we could do this for a new release.
dfeb1129fba (HEAD -> 5.0-4, origin/5.0-4) Bug #56077: Allow kerberos principals to use aes encryption as well as arcfour

Successful build
Package: univention-samba4
Version: 9.0.13-2
Branch: ucs_5.0-0
Scope: ucs5.0-4

We added the UCR variable samba/kdc_default_domain_supported_enctypes, which has the default aes256-cts-hmac-sha1-96-sk,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac-md5 set.
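As an added example (not code from Univention or Samba), the Python below decodes the msDS-SupportedEncryptionTypes bitmask into Samba's enctype names, converts the comma-separated list format used by the UCR variable samba/kdc_default_domain_supported_enctypes back into a mask, and audits a few constructed service accounts under the old default (an unset or zero attribute meaning RC4 only) and under the new default. The bit values are those of MS-KILE. Treating the 0x20 (-sk) bit as a session-key flag rather than a key type a ticket can be encrypted with, picking the strongest key type in the service's mask as the ticket enctype, and the SAMPLE_RECORDS entries are assumptions made for the example.

```python
"""Decode and audit msDS-SupportedEncryptionTypes.

Example code added to this bug page; it is not Univention's or Samba's own.
Bit values are those of MS-KILE; the names are Samba's spellings as used in
samba/kdc_default_domain_supported_enctypes.
"""

# Bit -> Samba enctype name.  0x20 is the "AES256 session key" flag, not a
# key type a ticket can be encrypted with (modelling assumption).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
    0x20: "aes256-cts-hmac-sha1-96-sk",
}
NAME_TO_BIT = {name: bit for bit, name in ENCTYPE_BITS.items()}

STRENGTH_ORDER = [0x20, 0x10, 0x08, 0x04, 0x02, 0x01]   # strongest first
TICKET_KEY_ORDER = [0x10, 0x08, 0x04, 0x02, 0x01]       # real key types only

RC4_ONLY = 0x04      # what an unset or zero attribute meant on the old KDC
AES_AND_RC4 = 0x1C   # 28, the value proposed in the bug report
UCR_DEFAULT = ("aes256-cts-hmac-sha1-96-sk,aes256-cts-hmac-sha1-96,"
               "aes128-cts-hmac-sha1-96,arcfour-hmac-md5")


def decode_enctypes(mask):
    """Names of the enctypes set in a msDS-SupportedEncryptionTypes mask."""
    return [ENCTYPE_BITS[bit] for bit in STRENGTH_ORDER if mask & bit]


def encode_enctypes(names):
    """Comma-separated enctype list (the UCR variable's format) -> mask."""
    mask = 0
    for name in names.split(","):
        name = name.strip()
        if not name:
            continue
        if name not in NAME_TO_BIT:
            raise ValueError("unknown enctype: %s" % name)
        mask |= NAME_TO_BIT[name]
    return mask


def effective_mask(attr_value, kdc_default_mask):
    """Enctypes the KDC assumes for a principal.

    An unset (None) or zero attribute falls back to the KDC default: RC4 only
    on the old KDC, the UCR variable's value after the fix.  LDAP hands the
    attribute over as a string, hence int()."""
    if attr_value is None or int(attr_value) == 0:
        return kdc_default_mask
    return int(attr_value)


def ticket_enctype(service_mask):
    """Enctype a service ticket for this service is encrypted with: the
    strongest key type in the service's effective mask (assumption: the KDC
    holds a key of every listed type)."""
    for bit in TICKET_KEY_ORDER:
        if service_mask & bit:
            return ENCTYPE_BITS[bit]
    return None


def audit_services(records, kdc_default_mask):
    """(sAMAccountName, ticket enctype, is_rc4) for each service record."""
    report = []
    for rec in records:
        mask = effective_mask(rec.get("msDS-SupportedEncryptionTypes"),
                              kdc_default_mask)
        enc = ticket_enctype(mask)
        report.append((rec["sAMAccountName"], enc, enc == "arcfour-hmac-md5"))
    return report


# Constructed sample entries shaped like ldbsearch output; not real accounts.
SAMPLE_RECORDS = [
    {"sAMAccountName": "http-svc$"},                                        # unset
    {"sAMAccountName": "sql-svc$", "msDS-SupportedEncryptionTypes": "0"},
    {"sAMAccountName": "ldap-svc$", "msDS-SupportedEncryptionTypes": "24"},  # AES only
]

if __name__ == "__main__":
    for label, default in (("old KDC", RC4_ONLY),
                           ("fixed KDC", encode_enctypes(UCR_DEFAULT))):
        print(label, "default =", decode_enctypes(default))
        for name, enc, rc4 in audit_services(SAMPLE_RECORDS, default):
            print("  %-10s %-26s %s" % (name, enc, "RC4 ticket!" if rc4 else "ok"))
```

Run stand-alone, it prints the audit under both defaults: with the old default the two accounts whose attribute is unset or 0 get RC4-encrypted service tickets, with the UCR default they get AES256 tickets, and an account explicitly set to 24 (AES only) is unaffected either way. On a real DC the attribute values would come from ldbsearch or samba-tool output instead of SAMPLE_RECORDS.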
52d7c30c8c | Release changelog entry

Verified:
* Change review
* Interop test with non-updated DC
UCS 5.0-4 has been released: https://docs.software-univention.de/release-notes/5.0-4/en/ If this error occurs again, please use the 'Clone This Bug' option.