This parameter determines the encryption types to use when operating
as a Kerberos client. Possible values are all,
strong, and legacy.
Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos
tickets. This library is normally configured outside of Samba, using
the krb5.conf file. This file may also include directives to configure
the encryption types to be used. However, Samba implements Active Directory
protocols and algorithms to locate a domain controller. In order to
force the Kerberos library into using the correct domain controller,
some Samba processes, such as winbindd(8) and net(8), build a private krb5.conf
file for use by the Kerberos library while being invoked from Samba.
This private file controls all aspects of the Kerberos library operation,
and this parameter controls how the encryption types are configured
within this generated file, and therefore also controls the encryption
types negotiable by Samba.
When set to all, all Active Directory
encryption types are allowed.
When set to strong, only AES-based encryption
types are offered. This can be used in hardened environments to prevent
downgrade attacks.
When set to legacy, only RC4-HMAC-MD5
is allowed. Avoiding AES this way has one very specific use.
Normally, the encryption type is negotiated between the peers.
However, there is one scenario in which a Windows read-only domain
controller (RODC) advertises AES encryption, but then proxies the
request to a writeable DC which may not support AES encryption,
leading to failure of the handshake. Setting this parameter to
legacy would cause Samba not to negotiate AES
encryption. It is assumed, of course, that the weaker legacy
encryption types are acceptable for the setup.
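As an added example (not Samba's or any Kerberos library's own code), a small Python check that reads the enctype directives in the [libdefaults] section of a krb5.conf, such as the private file described above, and reports whether the file is AES-only (what strong aims for), legacy-only, mixed, or leaves enctypes unset. The sample krb5.conf text is constructed and assumes MIT-style enctype names.

```python
import re
# Directives in [libdefaults] that constrain which enctypes the client offers.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes", "preferred_enctypes")
# AES CTS enctype names as written in krb5.conf (SHA-1 and SHA-2 variants).
AES_RE = re.compile(r"^aes(128|256)-cts(-hmac-sha(1-96|256-128|384-192))?$", re.I)

def libdefaults_enctypes(text):
    """Map each enctype directive found in [libdefaults] to its list of enctypes."""
    section, found = None, {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                   # section header, e.g. [realms]
            section = m.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ENCTYPE_KEYS:
            found[key] = value.split()
    return found

def weak_enctypes(text):
    """Non-AES enctypes the file still offers, sorted (e.g. ['RC4-HMAC'])."""
    return sorted({t for v in libdefaults_enctypes(text).values() for t in v if not AES_RE.match(t)})

def classify(text):
    """'strong' = AES only, 'legacy' = no AES, 'mixed' = both, 'unset' = library defaults apply."""
    found = libdefaults_enctypes(text)
    if not found:
        return "unset"
    types = [t for v in found.values() for t in v]
    aes = sum(1 for t in types if AES_RE.match(t))
    if aes == len(types):
        return "strong"
    return "legacy" if aes == 0 else "mixed"

# Constructed sample in the style of the private krb5.conf described above (not Samba's output).
STRONG_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
# Same file with RC4-HMAC appended to each list, as an "all"-style configuration would have.
MIXED_CONF = STRONG_CONF.replace("aes128-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96 RC4-HMAC")
```

Run it against the krb5.conf a winbindd or net process actually uses to confirm that a strong setting has taken effect before relying on it to block downgrades.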
| Setting | Value |
|---|---|
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Samba\smb_conf\kerberos encryption types |
| Value Name | kerberos encryption types |
| Value Type | REG_SZ |
| Default Value | all |