samba code and kerberos enctypes

simo idra at
Mon Feb 1 12:40:50 MST 2010

Hello list,
I was looking into the bug in Debian BTS about net join failing with
allow_weak_crypto turned false when I found this in

        krb5_enctype enc_types[] = {

It looks like a way to cope with ancient kerberos libraries that didn't
support ENCTYPE_ARCFOUR_HMAC, although it now seems to have become a way
to *not* support AES instead (used by w2k8 etc.).

The fact we actually specify DES here seems to be what is making us fail
with allow_weak_enctypes false. This seems to be a bug in MIT kerberos
libraries and is going to be fixed for 1.8 at least (possibly 1.7?).

So I was wondering what we should do here. Should we just add AES and
keep trying to set the tgs enctypes?
Or should we rather just use whatever defaults are set by the system krb
libraries? (which with 1.8 will probably include both AES and RC4)


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>
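
An illustration of the two problems raised in the post above, added here as an example and not taken from Samba or MIT Kerberos: a hard-coded enctype list that contains single-DES conflicts with a policy that disables weak crypto, and a list without AES never offers it. The helper names and both sample lists are assumptions; the enctype numbers are defined locally instead of including krb5.h.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos enctype numbers (IANA registry), defined locally so the
 * example builds without krb5.h. Lists are 0-terminated. */
enum { ET_DES_CBC_CRC = 1, ET_DES_CBC_MD4 = 2, ET_DES_CBC_MD5 = 3,
       ET_AES128_CTS = 17, ET_AES256_CTS = 18, ET_ARCFOUR_HMAC = 23 };

#define AUDIT_HAS_WEAK 0x1  /* single-DES present: clashes with weak crypto disabled */
#define AUDIT_NO_AES   0x2  /* no AES enctype offered at all */

static int is_weak(int et) { return et >= ET_DES_CBC_CRC && et <= ET_DES_CBC_MD5; }
static int is_aes(int et)  { return et == ET_AES128_CTS || et == ET_AES256_CTS; }

/* Hypothetical helper: flag the two problems the post describes. */
int audit_enctypes(const int *list)
{
    int flags = AUDIT_NO_AES;
    for (; *list; list++) {
        if (is_weak(*list)) flags |= AUDIT_HAS_WEAK;
        if (is_aes(*list))  flags &= ~AUDIT_NO_AES;
    }
    return flags;
}

/* Hypothetical helper: copy list into out (capacity cap, terminator
 * included), dropping weak enctypes unless allow_weak is set.
 * Returns the number of enctypes kept. */
size_t filter_enctypes(const int *list, int allow_weak, int *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return 0;
    for (; *list && n + 1 < cap; list++)
        if (allow_weak || !is_weak(*list))
            out[n++] = *list;
    out[n] = 0;
    return n;
}

/* Constructed sample lists, not Samba's actual array. */
const int legacy_list[]   = { ET_ARCFOUR_HMAC, ET_DES_CBC_MD5, ET_DES_CBC_CRC, 0 };
const int extended_list[] = { ET_AES256_CTS, ET_AES128_CTS, ET_ARCFOUR_HMAC,
                              ET_DES_CBC_MD5, ET_DES_CBC_CRC, 0 };

int main(void)
{
    int out[8];
    size_t n = filter_enctypes(extended_list, 0, out, 8);
    printf("legacy flags=%d extended flags=%d kept=%zu first=%d\n",
           audit_enctypes(legacy_list), audit_enctypes(extended_list), n, out[0]);
    return 0;
}
```

Filtering the legacy list with weak crypto disabled leaves only RC4, which is why adding AES to the list and dropping DES by policy are separate fixes.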

More information about the samba-technical mailing list