samba code and kerberos enctypes
simo idra at samba.org
Mon Feb 1 12:40:50 MST 2010
Hello list,
I was looking into the bug in debian bts about net join failing with
allow_weak_crypto turned false when I found this in
cli_krb5_get_ticket():

    krb5_enctype enc_types[] = {
    #ifdef ENCTYPE_ARCFOUR_HMAC
            ENCTYPE_ARCFOUR_HMAC,
    #endif
            ENCTYPE_DES_CBC_MD5,
            ENCTYPE_DES_CBC_CRC,
            ENCTYPE_NULL};

It looks like a way to cope with ancient kerberos libraries that didn't
support ENCTYPE_ARCFOUR_HMAC, although it now seems to have become a way
to *not* support AES instead (used by w2k8 etc.).
The fact we actually specify DES here seems to be what is making us fail
with allow_weak_enctypes false. This seems to be a bug in MIT kerberos
libraries and is going to be fixed for 1.8 at least (possibly 1.7?).
So I was wondering what we should do here. Should we just add AES and
keep trying to set the tgs enctypes?
Or should we rather just use whatever defaults are set by the system krb
libraries? (which with 1.8 will probably include both AES and RC4)
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
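
A sketch of the first option raised in the message above (add AES and keep setting the list explicitly), added here as an example; it is not code from the post or from Samba. The function names and the allow_weak parameter are hypothetical, and the enctype numbers are the IANA-assigned values, defined locally so the block builds without krb5 headers.

```c
#include <stddef.h>
#include <stdio.h>

/* IANA Kerberos enctype numbers, defined locally (assumption: stand-ins
 * for the ENCTYPE_* macros a real build would take from krb5.h). */
enum { ET_NULL = 0, ET_DES_CBC_CRC = 1, ET_DES_CBC_MD5 = 3,
       ET_AES128 = 17, ET_AES256 = 18, ET_ARCFOUR_HMAC = 23 };

#define AUDIT_HAS_WEAK  0x1  /* list contains single-DES */
#define AUDIT_LACKS_AES 0x2  /* list offers no AES enctype */

static int is_weak(int et) { return et == ET_DES_CBC_CRC || et == ET_DES_CBC_MD5; }
static int is_aes(int et)  { return et == ET_AES128 || et == ET_AES256; }

/* Audit a 0-terminated enctype list such as the one quoted in the e-mail. */
int audit_enctypes(const int *list)
{
    int flags = AUDIT_LACKS_AES;
    for (; *list != ET_NULL; list++) {
        if (is_weak(*list)) flags |= AUDIT_HAS_WEAK;
        if (is_aes(*list))  flags &= ~AUDIT_LACKS_AES;
    }
    return flags;
}

/* Hypothetical helper: AES first, then RC4, DES only when allow_weak is set.
 * Writes a 0-terminated list to out; returns the count, or -1 if cap is too small. */
int build_tgs_enctypes(int allow_weak, int *out, size_t cap)
{
    static const int pref[] = { ET_AES256, ET_AES128, ET_ARCFOUR_HMAC,
                                ET_DES_CBC_MD5, ET_DES_CBC_CRC };
    size_t n = 0;
    for (size_t i = 0; i < sizeof pref / sizeof pref[0]; i++) {
        if (is_weak(pref[i]) && !allow_weak) continue;  /* drop DES in strict mode */
        if (n + 1 >= cap) return -1;                    /* keep room for terminator */
        out[n++] = pref[i];
    }
    out[n] = ET_NULL;
    return (int)n;
}

int main(void)
{
    /* The hard-coded list from the e-mail, with ENCTYPE_ARCFOUR_HMAC defined. */
    const int quoted[] = { ET_ARCFOUR_HMAC, ET_DES_CBC_MD5, ET_DES_CBC_CRC, ET_NULL };
    int out[8];
    printf("quoted list audit flags: %d\n", audit_enctypes(quoted));
    printf("strict list entries: %d\n", build_tgs_enctypes(0, out, 8));
}
```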