samba code and kerberos enctypes
Gerald Carter
jerry at samba.org
Mon Feb 1 12:54:28 MST 2010
simo wrote:
> krb5_enctype enc_types[] = {
> #ifdef ENCTYPE_ARCFOUR_HMAC
> ENCTYPE_ARCFOUR_HMAC,
> #endif
> ENCTYPE_DES_CBC_MD5,
> ENCTYPE_DES_CBC_CRC,
> ENCTYPE_NULL};
>
...
> So I was wondering what we should do here. Should we just
> add AES and keep tying to set the tgs enctypes ?
> Or should we rather just use whatever defaults are set
> by the system krb libraries ? (which with 1.8 will probably
> include both AES and RC4)
Simo,
It really depends on whether you want to be at the mercy
of the local krb5.conf files. [1] Since Samba doesn't manage
that file during domain join, I would manually configure the
enc types. But that's just me. They main thing to to never
fail a join or authentication if Windows would work in the
same environment.
Free advice, so it's worth what you paid for it. :)
cheers, jerry
[1] Aren't the enctypes written out the generated krb5.conf files?
Or has that code [to generate ${localstatedir}/krb5.conf.<DOM>)
been removed?)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100201/95ad5291/attachment.pgp>
More information about the samba-technical
mailing list