The krb5.conf generated during net ads join and weak enc types

Richard Sharpe realrichardsharpe at gmail.com
Tue Jun 16 12:46:01 MDT 2015


Hi folks,

Our paranoid security folks are saying that we must only allow the use
of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

I notice that the krb5.conf file generated during net ads join
includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc.,
and they suggest that we should remove them from the generated
krb5.conf.

However, I notice that on the platform we are using, CentOS 6.x, the
default in the [libdefaults] section of krb5.conf is
'allow_weak_crypto = false', so these should be weeded out anyway,
shouldn't they, unless we are silly enough to explicitly set it to
true?

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
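
An added example, not part of the original message and not Samba code: a small audit that checks the enctype lists in the `[libdefaults]` section of a krb5.conf against the two AES enctypes named above, and reports `allow_weak_crypto` separately rather than relying on it. The sample configuration, realm and host names are constructed for illustration.

```python
import re

# Allowlist taken from the requirement stated in the message above.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# [libdefaults] relations that carry enctype lists in an MIT-style krb5.conf.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

# Constructed sample, not the file that net ads join actually writes.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
    # permitted_enctypes left unset on purpose
[realms]
    EXAMPLE.TEST = { kdc = dc1.example.test }
"""

def audit_krb5_conf(text):
    """Return (violations, unset_keys, allow_weak_crypto) for [libdefaults]."""
    section, seen, violations, weak = None, set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "allow_weak_crypto":
            weak = value.lower()
        elif key in ENCTYPE_KEYS:
            seen.add(key)
            # Lists may be space- or comma-separated; names are case-insensitive.
            # Strict comparison: aliases such as "aes256-cts" are flagged too.
            bad = [e for e in re.split(r"[,\s]+", value.lower())
                   if e and e not in ALLOWED]
            if bad:
                violations[key] = bad
    # Unset keys fall back to the library's built-in default list.
    return violations, sorted(ENCTYPE_KEYS - seen), weak

if __name__ == "__main__":
    print(audit_krb5_conf(SAMPLE))
```

Keys reported as unset are worth setting explicitly, since the built-in default list depends on the installed Kerberos library version.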

