samba code and kerberos enctypes

simo idra at samba.org
Mon Feb 1 12:40:50 MST 2010


Hello list,
I was looking into the bug in debian bts about net join failing with
allow_weak_crypto turned false when I found this in
cli_krb5_get_ticket():

        /* enctypes requested for the TGS-REQ, in preference order */
        krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
                ENCTYPE_ARCFOUR_HMAC,           /* RC4, only if the library defines it */
#endif
                ENCTYPE_DES_CBC_MD5,            /* single DES */
                ENCTYPE_DES_CBC_CRC,            /* single DES */
                ENCTYPE_NULL};                  /* list terminator */

It looks like a way to cope with ancient kerberos libraries that didn't
support ENCTYPE_ARCFOUR_HMAC, although it now seems to have become a way
to *not* support AES instead (used by w2k8 etc.).

The fact we actually specify DES here seems to be what is making us fail
with allow_weak_enctypes false. This seems to be a bug in MIT kerberos
libraries and is going to be fixed for 1.8 at least (possibly 1.7?).

So I was wondering what we should do here. Should we just add AES and
keep trying to set the tgs enctypes?
Or should we rather just use whatever defaults are set by the system krb
libraries? (which with 1.8 will probably include both AES and RC4)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
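An added example, not Samba code and not part of Simo's post: a stand-alone C model of how the quoted enc_types list interacts with an allow_weak_crypto=false library and with a KDC that only offers modern enctypes. The enctype numbers are the RFC 3961/3962/4757 values; the function names, the "strict" versus "filter" policy modes (strict models the library behaviour the post calls a bug), and the sample KDC enctype sets are assumptions made for illustration, not MIT krb5 or Samba behaviour verified against their code.

```c
/* Added example: a model of TGS enctype negotiation under allow_weak_crypto.
 * Not Samba or MIT krb5 code; names and policy modes are assumptions. */
#include <stddef.h>
#include <stdio.h>

typedef int krb5_enctype;           /* local stand-in for the library typedef */

/* RFC 3961 / RFC 3962 / RFC 4757 enctype numbers */
#define ENCTYPE_NULL                     0
#define ENCTYPE_DES_CBC_CRC              1
#define ENCTYPE_DES_CBC_MD5              3
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_ARCFOUR_HMAC            23

/* In this model only single DES counts as weak. */
static int enctype_is_weak(krb5_enctype e)
{
    return e == ENCTYPE_DES_CBC_CRC || e == ENCTYPE_DES_CBC_MD5;
}

/* STRICT: any weak enctype in the request fails the whole request (the
 * behaviour the post describes). FILTER: drop weak entries and carry on. */
enum weak_policy { POLICY_STRICT, POLICY_FILTER };

/* Apply the policy to an ENCTYPE_NULL-terminated list. Writes the surviving
 * enctypes to out and returns their count, or -1 on failure. */
static int apply_weak_policy(const krb5_enctype *in, int allow_weak,
                             enum weak_policy mode,
                             krb5_enctype *out, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != ENCTYPE_NULL; i++) {
        if (!allow_weak && enctype_is_weak(in[i])) {
            if (mode == POLICY_STRICT)
                return -1;
            continue;
        }
        if (n + 1 >= out_len)       /* keep room for the terminator */
            return -1;
        out[n++] = in[i];
    }
    out[n] = ENCTYPE_NULL;
    return (int)n;
}

/* First client enctype the KDC also supports (client order wins),
 * or ENCTYPE_NULL when the two lists do not overlap. */
static krb5_enctype negotiate_enctype(const krb5_enctype *client,
                                      const krb5_enctype *kdc)
{
    for (size_t i = 0; client[i] != ENCTYPE_NULL; i++)
        for (size_t j = 0; kdc[j] != ENCTYPE_NULL; j++)
            if (client[i] == kdc[j])
                return client[i];
    return ENCTYPE_NULL;
}

/* The list from cli_krb5_get_ticket() as quoted in the post. */
static const krb5_enctype samba_list[] = {
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC, ENCTYPE_NULL };

/* The same list with AES added in front, one of the options discussed. */
static const krb5_enctype samba_list_aes[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC, ENCTYPE_NULL };

/* Constructed KDC enctype sets: AES plus RC4, and AES only. */
static const krb5_enctype kdc_aes_rc4[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_ARCFOUR_HMAC, ENCTYPE_NULL };
static const krb5_enctype kdc_aes_only[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_NULL };

/* Policy first, then negotiation. Returns the chosen enctype or ENCTYPE_NULL. */
static krb5_enctype request_ticket(const krb5_enctype *client_list, int allow_weak,
                                   enum weak_policy mode, const krb5_enctype *kdc)
{
    krb5_enctype filtered[8];
    if (apply_weak_policy(client_list, allow_weak, mode, filtered, 8) < 0)
        return ENCTYPE_NULL;
    return negotiate_enctype(filtered, kdc);
}

int main(void)
{
    /* strict library, weak crypto off: the DES entries sink the request */
    printf("strict, quoted list, AES+RC4 KDC: %d\n",
           request_ticket(samba_list, 0, POLICY_STRICT, kdc_aes_rc4));
    /* filtering library: RC4 survives and matches the KDC */
    printf("filter, quoted list, AES+RC4 KDC: %d\n",
           request_ticket(samba_list, 0, POLICY_FILTER, kdc_aes_rc4));
    /* no AES in the list at all: an AES-only KDC cannot be used */
    printf("filter, quoted list, AES-only KDC: %d\n",
           request_ticket(samba_list, 0, POLICY_FILTER, kdc_aes_only));
    /* with AES added the AES-only KDC negotiates AES256 */
    printf("filter, AES list, AES-only KDC: %d\n",
           request_ticket(samba_list_aes, 0, POLICY_FILTER, kdc_aes_only));
    return 0;
}
```

The two failure modes in the post are separate: the strict policy fails regardless of what the KDC offers as soon as DES is in the request, while leaving AES out of the list fails only against a KDC that no longer offers RC4. Adding AES addresses the second; only a library that filters rather than rejects (or dropping the explicit list and using the library defaults) addresses the first.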


