samba code and kerberos enctypes

simo idra at samba.org
Mon Feb 1 13:20:25 MST 2010


On Mon, 2010-02-01 at 13:54 -0600, Gerald Carter wrote:
> simo wrote:
> >         krb5_enctype enc_types[] = {
> > #ifdef ENCTYPE_ARCFOUR_HMAC
> >                 ENCTYPE_ARCFOUR_HMAC,
> > #endif
> >                 ENCTYPE_DES_CBC_MD5,
> >                 ENCTYPE_DES_CBC_CRC,
> >                 ENCTYPE_NULL};
> > 
> ...
> > So I was wondering what we should do here. Should we just 
> > add AES and keep trying to set the tgs enctypes ?
> > Or should we rather just use whatever defaults are set 
> > by the system krb libraries ? (which with 1.8 will probably
> > include both AES and RC4)
> 
> Simo,
> 
> It really depends on whether you want to be at the mercy
> of the local krb5.conf files. [1]  Since Samba doesn't manage
> that file during domain join, I would manually configure the
> enc types.  But that's just me.  The main thing is to never
> fail a join or authentication if Windows would work in the
> same environment.

Right, but the problem is that if we specify enc types the krb library
does not support it is not going to be useful, and if we forget to
update the enctype list when krb libs (and windows) do support newer
algorithms it is equally not going to be really useful.

Personally I'd leave this stuff to krb5.conf (see below about that).

> Free advice, so it's worth what you paid for it. :)

:)

> cheers, jerry
> [1] Aren't the enctypes written out the generated krb5.conf files?
>     Or has that code [to generate ${localstatedir}/krb5.conf.<DOM>]
>     been removed?)

It still exists and causes problems too at times :-/
I still don't know if I should consider it a clever hack or a bad hack.
I wish this behavior was configurable, so that admins/distros that know
what they are doing can decide to tell samba to stick to /etc/krb5.conf
and dictate what to use. (I'd be ok leaving the clever/bad hack as
default).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
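The thread's concern is that a hard-coded enctype list (the DES/RC4 array quoted above) goes stale while krb5.conf is what actually dictates negotiation. The following audit script is an added example, not code from the thread or from Samba: it parses the enctype settings in a krb5.conf `[libdefaults]` section and flags lists that still carry single-DES types or lack AES. The krb5.conf contents are constructed samples.

```python
"""Audit the enctype lists in a krb5.conf [libdefaults] section."""
import re

# Constructed sample: the DES-heavy list mirrors the hard-coded array quoted
# in the thread (RC4 + single DES, no AES). Not a real site configuration.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5, des-cbc-md5, des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample with the lists repaired: AES first, no single DES.
FIXED_KRB5_CONF = """\
[libdefaults]
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_libdefaults(text):
    """Return key/value pairs from [libdefaults]; '#' starts a comment."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key] = val
    return values


def audit_enctypes(text):
    """For each enctype list: which single-DES types it names, and whether AES is present."""
    findings = {}
    for key, val in parse_libdefaults(text).items():
        if key in ENCTYPE_KEYS:
            types = [t.lower() for t in re.split(r"[\s,]+", val) if t]
            findings[key] = {
                "des": [t for t in types if t.startswith("des-")],
                "has_aes": any(t.startswith("aes") for t in types),
            }
    return findings
```

Run it over `/etc/krb5.conf` and over any generated `krb5.conf.<DOM>` file: a list with `des` entries and `has_aes` false is the configuration the thread describes as unlikely to keep working as libraries and Windows move on.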


