The krb5.conf generated during net ads join and weak enc types

Richard Sharpe realrichardsharpe at gmail.com
Tue Jun 16 21:33:36 MDT 2015


On Tue, Jun 16, 2015 at 7:49 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Tue, Jun 16, 2015 at 4:29 PM, Simo <simo at samba.org> wrote:
>> On Tue, 2015-06-16 at 12:00 -0700, Jeremy Allison wrote:
>>> On Tue, Jun 16, 2015 at 11:46:01AM -0700, Richard Sharpe wrote:
>>> > Hi folks,
>>> >
>>> > Our paranoid security folks are saying that we must only allow the use
>>> > of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
>>> >
>>> > I notice that the krb5.conf file generated during net ads join
>>> > includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc
>>> > and they suggest that we should remove them from the generated
>>> > krb5.conf.
>>>
>>> Sounds good to me - do you want to log a bug so
>>> we can track this ?
>>
>> Yes please, this is harder than you may think. (And generating files
>> stinks in the first place; why do we still need that?)
>
> 1. I can submit a patch to remove them.

I will file a bug.

Attached is a patch that removes the weak types, but it has the issues
raised in the commit message and above.

> 2. Yes, why do we still need that? If the user has a bad default
> krb5.conf, then things will not work, but maybe they need to learn to
> get rid of the krb5.conf file or get rid of the entries that disallow
> using DNS for KDC and Domain lookup. Maybe we need to document that.
>
>>> > However, I notice that on the platform we are using, CentOS 6.x, the
>>> > default in the [libdefaults] section of krb5.conf is
>>> > 'allow_weak_crypto = false', so these should be weeded out anyway,
>>> > shouldn't they, unless we are silly enough to explicitly set it to
>>> > true?
>>>
>>> Not sure, but it really shouldn't hurt to remove
>>> them. RC4 and DES are dead and starting to smell
>>> really bad :-).
>>
>> RC4 is not weeded out by allow_weak_crypto = false, and also it may be
>> necessary in some old (2003) Domains, which is why it was added, I guess.
>
> OK, so maybe we need a way to generate a krb5.conf and allow RC4 if
> they need to join W2K03. Another smb.conf parameter?
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操) [What can dispel sorrow? Only Dukang wine. -- Cao Cao]



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操) [What can dispel sorrow? Only Dukang wine. -- Cao Cao]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-the-weak-enc-types-from-the-generated-krb5.co.patch
Type: text/x-patch
Size: 1389 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150616/b17ecd71/attachment.bin>
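An added example, not part of this message, not Samba's code and not the attached patch: a small POSIX shell script that does after the fact what the patch is meant to do at join time. It reduces every *_enctypes list in a krb5.conf to aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 and then audits the result for anything else. The sample krb5.conf embedded in it is constructed for this example in the "key = value" layout; it is not the file net ads join writes, and the names strong_only, weak_enctypes_in and STRONG_ENCTYPES are the example's own. The audit step matters because of the point made above about allow_weak_crypto: in MIT krb5 that setting only gates the single-DES enctypes and export-grade RC4, so rc4-hmac stays permitted until it is actually removed from the lists.

```shell
#!/bin/sh
# Added example (not Samba's code and not the attached patch): strip the
# non-AES enctypes from every *_enctypes list in a krb5.conf, and audit a
# file for any that remain. Works on the "key = value" layout; the sample
# below is constructed for this example, not copied from net ads join.

SAMPLE_KRB5_CONF='[libdefaults]
	default_realm = EXAMPLE.COM
	default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
	default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
	preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
	dns_lookup_realm = false
	dns_lookup_kdc = true

[realms]
	EXAMPLE.COM = {
		kdc = dc1.example.com
	}
'

# Only these two survive; everything else (RC4-HMAC, DES-*, DES3) is dropped.
STRONG_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# strong_only: krb5.conf on stdin -> hardened krb5.conf on stdout.
# Every default_tgs_enctypes / default_tkt_enctypes / permitted_enctypes /
# preferred_enctypes line keeps only its AES entries, in their original
# order; if the generated list had no AES entry at all, the explicit AES
# list is written so the key never ends up empty. Other lines pass through.
strong_only() {
    awk -v strong="$STRONG_ENCTYPES" '
    tolower($1) ~ /^(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes|preferred_enctypes)$/ && $2 == "=" {
        out = ""
        for (i = 3; i <= NF; i++) {
            t = tolower($i)
            if (t == "aes256-cts-hmac-sha1-96" || t == "aes128-cts-hmac-sha1-96")
                out = out (out == "" ? "" : " ") $i
        }
        if (out == "") out = strong
        match($0, /^[ \t]*/)                      # keep the original indent
        print substr($0, 1, RLENGTH) $1 " = " out
        next
    }
    { print }
    '
}

# weak_enctypes_in: krb5.conf on stdin -> one "key: enctype" line per
# non-AES entry found in any *_enctypes list (nothing printed means clean).
# This is the check to run, because allow_weak_crypto = false does not
# cover RC4-HMAC.
weak_enctypes_in() {
    awk '
    tolower($1) ~ /_enctypes$/ && $2 == "=" {
        for (i = 3; i <= NF; i++) {
            t = tolower($i)
            if (t != "aes256-cts-hmac-sha1-96" && t != "aes128-cts-hmac-sha1-96")
                print $1 ": " $i
        }
    }
    '
}

# Demo on the constructed sample. On a real box:
#   strong_only < /etc/krb5.conf > /etc/krb5.conf.new
#   weak_enctypes_in < /etc/krb5.conf.new    # must print nothing
printf '%s' "$SAMPLE_KRB5_CONF" | strong_only
```

After swapping the hardened file in, kinit against the domain and run klist -e: the enctype it prints for the TGT is what was actually negotiated, which is the evidence the security folks will want. As Simo notes above, a 2003-era domain without AES keys will then fail rather than fall back to RC4, so the audit must be paired with a check of what the DCs support.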

