The krb5.conf generated during net ads join and weak enc types

Richard Sharpe realrichardsharpe at
Tue Jun 16 12:46:01 MDT 2015

Hi folks,

Our paranoid security folks are saying that we must only allow the use
of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

I notice that the krb5.conf file generated during net ads join
includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc.,
and they suggest that we should remove them from the generated

However, I notice that on the platform we are using, CentOS 6.x, the
default in the [libdefaults] section of krb5.conf is
'allow_weak_crypto = false', so these should be weeded out anyway,
shouldn't they, unless we are silly enough to explicitly set it to

Richard Sharpe
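
An added example (not part of the original post, and not Samba's code): a check of a krb5.conf against the two-enctype policy above, applying allow_weak_crypto the way MIT krb5 documents it, where the "weak" set covers single-DES and export RC4 but not RC4-HMAC. The sample file, realm name and function names are constructed, and enctype lists are assumed to hold explicit names only (no families such as "aes" or modifiers such as "DEFAULT").

```python
import re

# Enctypes the MIT krb5 documentation marks "weak"; allow_weak_crypto = false
# filters only these out of the enctype lists.
MIT_WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
            "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}
# Common aliases, normalised to one canonical name each.
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
           "rc4-hmac-exp": "arcfour-hmac-exp",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}
# The policy stated in the post: only these two enctypes are acceptable.
POLICY = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample, not the file Samba actually writes.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = false
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
[realms]
    EXAMPLE.TEST = { kdc = dc1.example.test }
"""

def libdefaults(text):
    """Return key -> value for the [libdefaults] section only."""
    section, out = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """Per enctype key: entries that survive weak-crypto filtering yet violate POLICY."""
    conf = libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "false").lower() in ("true", "t", "yes", "y", "1", "on")
    findings = {}
    for key in (k for k in ENCTYPE_KEYS if k in conf):
        names = [ALIASES.get(n.lower(), n.lower()) for n in re.split(r"[,\s]+", conf[key]) if n]
        effective = [n for n in names if weak_ok or n not in MIT_WEAK]
        findings[key] = [n for n in effective if n not in POLICY]
    return findings
```

On the sample, `audit(SAMPLE)` still reports arcfour-hmac for both lists: the filter drops DES-CBC-CRC, but RC4-HMAC remains unless it is removed from the lists themselves.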
