The krb5.conf generated during net ads join and weak enc types

Jeremy Allison jra at samba.org
Tue Jun 16 13:00:56 MDT 2015


On Tue, Jun 16, 2015 at 11:46:01AM -0700, Richard Sharpe wrote:
> Hi folks,
> 
> Our paranoid security folks are saying that we must only allow the use
> of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
> 
> I notice that the krb5.conf file generated during net ads join
> includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc
> and they suggest that we should remove them from the generated
> krb5.conf.

Sounds good to me - do you want to log a bug so
we can track this?

> However, I notice that on the platform we are using, CentOS 6.x, the
> default in the [libdefaults] section of krb5.conf is
> 'allow_weak_crypto = false' so these should be weeded out anyway
> shouldn't they unless we are silly enough to explicitly set it to
> true?

Not sure, but it really shouldn't hurt to remove
them. RC4 and DES are dead and starting to smell
really bad :-).
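Added example for this thread, not code from Samba or MIT Kerberos: a small Python 3 script that parses the [libdefaults] section of a krb5.conf, reports any enctype outside the AES-only allow-list from the policy above, and writes back a hardened copy. The sample configuration, the realm EXAMPLE.COM and the KDC name are constructed for the example; the weak enctype names are the ones named in the thread plus DES-CBC-MD5.

```python
"""Audit and harden the enctype lists in a krb5.conf [libdefaults] section.

Added example, not Samba's code. Only the flat "key = value" lines of
[libdefaults] are parsed, which is enough for a generated krb5.conf.
"""
import re

# Enctypes the policy in the thread permits, plus the MIT short aliases.
STRONG = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
          "aes256-cts", "aes128-cts"}
STRONG_LIST = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
# The three lists allow_weak_crypto filters in MIT Kerberos. That filter
# only drops the DES family and export RC4; rc4-hmac survives it, which is
# why removing it from the file itself is what enforces the policy.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# Constructed sample in the shape the thread describes (hypothetical realm).
SAMPLE_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = EXAMPLE.COM
\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
\tdns_lookup_kdc = true
\tdns_lookup_realm = false

[realms]
\tEXAMPLE.COM = {
\t\tkdc = dc1.example.com
\t}
"""

_SECTION = re.compile(r"\[([A-Za-z_]+)\]")


def _strip_comment(raw):
    # krb5.conf comments start with '#' or ';'.
    return re.split(r"[#;]", raw, maxsplit=1)[0].rstrip()


def libdefaults(conf_text):
    """Return the flat key/value settings of [libdefaults] (keys lower-cased)."""
    section, settings = None, {}
    for raw in conf_text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _SECTION.fullmatch(line)
        if m:
            section = m.group(1).lower()
        elif section == "libdefaults" and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def audit(conf_text):
    """Map each enctype list to the entries outside the AES allow-list."""
    settings = libdefaults(conf_text)
    findings = {}
    for key in ENCTYPE_KEYS:
        weak = [e for e in settings.get(key, "").split() if e.lower() not in STRONG]
        if weak:
            findings[key] = weak
    # MIT's default for allow_weak_crypto is false; flag an explicit true.
    if settings.get("allow_weak_crypto", "false").lower() == "true":
        findings["allow_weak_crypto"] = ["true"]
    return findings


def harden(conf_text):
    """Rewrite the config: AES-only enctype lists, allow_weak_crypto = false."""
    out, section = [], None
    for raw in conf_text.splitlines():
        line = _strip_comment(raw).strip()
        m = _SECTION.fullmatch(line)
        if m:
            section = m.group(1).lower()
            out.append(raw)
            if section == "libdefaults":
                # Pin the flag right under the header; later copies are dropped.
                out.append("\tallow_weak_crypto = false")
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            indent = raw[:len(raw) - len(raw.lstrip())]
            if key == "allow_weak_crypto":
                continue
            if key in ENCTYPE_KEYS:
                kept = [e for e in value.split() if e.lower() in STRONG]
                out.append(f"{indent}{key} = {' '.join(kept) or STRONG_LIST}")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("findings before:", audit(SAMPLE_KRB5_CONF))
    hardened = harden(SAMPLE_KRB5_CONF)
    print("findings after:", audit(hardened))
    print(hardened)
```

Run against the constructed sample, audit() reports RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5 in both enctype lists; after harden() the lists contain only the two AES types and allow_weak_crypto is pinned to false. The script deliberately does not rely on allow_weak_crypto alone, because in MIT Kerberos that flag filters only the DES types and export RC4, so RC4-HMAC would still be offered unless it is removed from the lists.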
