samba-users August 2010 archive
Main Archive Page > Month Archives  > samba-users archives
samba-users: Re: [Samba] Change of kerberos encryption from DES

Re: [Samba] Change of kerberos encryption from DES to AES

From: Rob Townley <rob.townley_at_nospam>
Date: Fri Aug 27 2010 - 21:34:55 GMT
To: "Masopust, Christian" <christian.masopust@siemens.com>

On Thu, Aug 26, 2010 at 10:41 AM, Masopust, Christian
<christian.masopust@siemens.com> wrote:
> Hello all,
>
> as our Windows DCs will switch off DES encryption in the near future I
> have to change our
> Samba-Server to AES encryption.
>
> If I understand it correctly I have to change kerberos-configuration to
> new encryption type
> (aes256-cts-hmac-sha1-96) and then re-join my Samba-Server to the
> domain.
>
> Is this correct? Any other things to consider?
>
> Thanks a lot,
> Christian
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

i don't know how helpful this will be, but i will need to do the same.

i believe the samba server should generate the supported encryption
types from AD.
Not sure you have to manually change it, but the following blog posts
i have found helpful.
http://blogs.msdn.com/b/alextch/archive/tags/ad+interop/

This is one 2006 howto video on migrating from DES to RC4.
http://blogs.msdn.com/b/alextch/archive/2006/07/18/MITtoADRC4.aspx
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba