samba code and kerberos enctypes

Gerald Carter jerry at
Mon Feb 1 12:54:28 MST 2010

simo wrote:
>         krb5_enctype enc_types[] = {
>                 ENCTYPE_ARCFOUR_HMAC,
> #endif
>                 ENCTYPE_DES_CBC_MD5,
>                 ENCTYPE_DES_CBC_CRC,
>                 ENCTYPE_NULL};
> So I was wondering what we should do here. Should we just 
> add AES and keep trying to set the tgs enctypes ?
> Or should we rather just use whatever defaults are set 
> by the system krb libraries ? (which with 1.8 will probably
> include both AES and RC4)


It really depends on whether you want to be at the mercy
of the local krb5.conf files. [1]  Since Samba doesn't manage
that file during domain join, I would manually configure the
enc types.  But that's just me.  The main thing is to never
fail a join or authentication if Windows would work in the
same environment.

Free advice, so it's worth what you paid for it. :)

cheers, jerry
[1] Aren't the enctypes written out to the generated krb5.conf files?
    Or has that code (to generate ${localstatedir}/krb5.conf.<DOM>)
    been removed?
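
An added illustration, not part of the original message and not Samba code: a small check for what being "at the mercy of the local krb5.conf" means in practice. It reads the enctype lists in `[libdefaults]` and reports which families a client relying on library defaults would lose. The alias table is a partial subset of MIT krb5 names, the `DEFAULT` keyword is skipped rather than expanded, and the sample file is constructed.

```python
import re

# Partial alias table (MIT krb5 enctype names) mapped to a family label.
FAMILY = {
    "aes256-cts-hmac-sha1-96": "aes", "aes256-cts": "aes",
    "aes128-cts-hmac-sha1-96": "aes", "aes128-cts": "aes", "aes": "aes",
    "arcfour-hmac": "rc4", "rc4-hmac": "rc4", "arcfour-hmac-md5": "rc4", "rc4": "rc4",
    "des-cbc-md5": "des", "des-cbc-crc": "des", "des": "des",
}
KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def libdefaults_enctypes(conf_text):
    """Return {key: [enctype names]} for enctype lists set in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in KEYS:
                found[key] = re.split(r"[,\s]+", value.lower())
    return found

def families_missing(conf_text, wanted=("aes", "rc4")):
    """Per key, the wanted families the local file rules out.
    Keys the file does not set are omitted: library defaults apply there."""
    report = {}
    for key, names in libdefaults_enctypes(conf_text).items():
        if "default" in names:  # simplification: DEFAULT keyword not expanded
            continue
        present = {FAMILY.get(n) for n in names}
        missing = [f for f in wanted if f not in present]
        if missing:
            report[key] = missing
    return report

# Constructed sample: a DES-only tgs list, as an old hand-edited file might have.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac, des-cbc-md5
"""
```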
