samba code and kerberos enctypes

Gerald Carter jerry at samba.org
Mon Feb 1 13:28:34 MST 2010


simo wrote:

> Right, but the problem is that if we specify enc 
> types the krb library does not support it is not going to
> be useful, and if we forget to update the enctype list when krb
> libs (and windows) do support newer algorithms it is
> equally not going to be really useful.
> 
> Personally I'd leave this stuff to krb5.conf (see below 
> about that).

I understand.  Both camps have valid points.  I'm pretty deep
in the ease of use camp right now having been burned too much
by busy admins forgetting one step or the other in an area
that is already foreign for most *nix folks.

>> Free advice, so it's worth what you paid for it. :)
> 
> :)
> 
>> cheers, jerry
>> [1] Aren't the enctypes written out to the generated krb5.conf files?
>>     Or has that code [to generate ${localstatedir}/krb5.conf.<DOM>]
>>     been removed?
> 
> It still exists and causes problems too at times :-/
> I still don't know if I should consider it a clever hack or a bad hack.
> I wish this behavior was configurable, so that admins/distros that know
> what they are doing can decide to tell samba to stick to /etc/krb5.conf
> and dictate what to use. (I'd be ok leaving the clever/bad hack as
> default).

It's necessary when you don't own the krb5 layer and want
to be portable across multiple versions.  Maybe that will help
you sleep better at night.  The proper solution is to make the
krb5 layer site and affinity aware (e.g. the kdc locator plugin).
I think the generated krb5.conf is just as valid if not as
dynamic a solution.



cheers, jerry
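The failure mode simo describes above, a pinned enctype list in a generated krb5.conf that names types the local krb5 library does not support or that omits newer ones, can be checked for mechanically. The following is an added example written for this thread, not Samba code, not MIT krb5 code, and not anything either poster shipped. It parses the `[libdefaults]` section of a krb5.conf, compares the pinned enctype lists against a `LOCAL_SUPPORTED` set (a constructed stand-in for what a given krb5 build actually offers), and reports entries the library cannot use, entries that are deprecated, and supported modern enctypes the pinned list leaves out. The sample config is constructed for the example; the enctype names are the spellings MIT krb5 uses.

```python
"""Audit enctype lists pinned in a krb5.conf [libdefaults] section.

Added example for the samba-technical thread on enctypes; not Samba or
MIT krb5 code. LOCAL_SUPPORTED is a constructed stand-in for the set of
enctypes a particular krb5 build supports.
"""
import re

# Enctype names as spelled by MIT krb5. DEPRECATED covers single-DES,
# triple-DES and RC4; MODERN covers the AES and Camellia families.
DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}
MODERN = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
          "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
          "camellia256-cts-cmac", "camellia128-cts-cmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes")

# Constructed: a library build that has dropped DES but still has RC4.
LOCAL_SUPPORTED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                   "arcfour-hmac"}

# Constructed sample in the style of a generated krb5.conf.<DOM>.
SAMPLE_CONF = """\
# constructed sample, not a real site's file
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = arcfour-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac des-cbc-crc des-cbc-md5
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys in [libdefaults].

    Minimal parser: recognises [section] headers, skips comment lines
    starting with '#' or ';', and reads 'key = value' lines only inside
    [libdefaults]. Nested realm blocks are ignored.
    """
    section = None
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS:
            found[key] = value.split()
    return found


def audit(text, supported):
    """Return (key, enctype(s), reason) tuples for each pinned-list problem."""
    findings = []
    for key, types in parse_libdefaults(text).items():
        for enctype in types:
            if enctype not in supported:
                findings.append((key, enctype, "unsupported by local library"))
            elif enctype in DEPRECATED:
                findings.append((key, enctype, "deprecated enctype"))
        # Modern types the library offers but the pinned list silently excludes.
        missing = (MODERN & supported) - set(types)
        if missing:
            findings.append((key, ",".join(sorted(missing)),
                             "supported modern enctype not in pinned list"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_CONF, LOCAL_SUPPORTED):
        print(f"{key}: {value}: {reason}")
```

Run against the constructed sample, each of the two pinned lists produces four findings: two DES types the library lacks, RC4 flagged as deprecated, and both supported AES types absent from the list. A list that names only enctypes the library supports and omits none of the modern ones produces no findings, which is the state a generated krb5.conf would have to be kept in as libraries and domain controllers move on.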

