The krb5.conf generated during net ads join and weak enc types
jra at samba.org
Tue Jun 16 13:00:56 MDT 2015
On Tue, Jun 16, 2015 at 11:46:01AM -0700, Richard Sharpe wrote:
> Hi folks,
> Our paranoid security folks are saying that we must only allow the use
> of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
> I notice that the krb5.conf file generated during net ads join
> includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc
> and they suggest that we should remove them from the generated
Sounds good to me - do you want to log a bug so
we can track this?
> However, I notice that on the platform we are using, CentOS 6.x, the
> default in the [libdefaults] section of krb5.conf is
> 'allow_weak_crypto = false' so these should be weeded out anyway
> shouldn't they unless we are silly enough to explicitly set it to
Not sure, but it really shouldn't hurt to remove
them. RC4 and DES are dead and starting to smell
really bad :-).
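
An added example, not part of the original thread or of Samba's code: a small audit of a krb5.conf `[libdefaults]` section that reports any enctype outside the two AES types named above. The sample file, realm and host names are constructed; the relation names are standard MIT krb5 options.

```python
import re

# Allowlist taken from the thread: only these two enctypes are acceptable.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# MIT krb5 [libdefaults] relations that carry enctype lists.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def audit_krb5_conf(text):
    """Return ({relation: [enctypes not on the allowlist]}, allow_weak_crypto)."""
    findings, weak_crypto, section = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allow_weak_crypto":
            weak_crypto = value.lower() in ("true", "yes", "y", "t", "1", "on")
        elif key in ENCTYPE_KEYS:
            # Lists are space- or comma-separated; names are case-insensitive.
            names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
            bad = sorted(set(names) - ALLOWED)
            if bad:
                findings[key] = bad
    return findings, weak_crypto

# Constructed sample, not real "net ads join" output.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

if __name__ == "__main__":
    print(audit_krb5_conf(SAMPLE))
```

The allowlist is literal, so aliases and family names (for example `aes256-cts` or `aes`) are reported as well and need a manual look.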