[Samba] Re: Kerberos Error
Norman Zhang
norman.zhang at rd.arkonnetworks.com
Wed Dec 8 18:09:20 GMT 2004
Hi Gerald,
>> I'm using samba-*-3.0.6-4.3.100mdk and libkrb51-1.3-6.3.100mdk on
>> LM10.0. A similar summary to what I'm seeing could be found here.
>>
>> http://lists.samba.org/archive/samba/2004-July/090210.html
>>
>> Solve the problem by changing
>>
>> [libdefaults]
>> ticket_lifetime = 24000
>> default_realm = HQ.ARKONNETWORKS.COM
>> ; default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>> ; default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>> ; permitted_enctypes = des3-hmac-sha1 des-cbc-crc
>>
>> default_etypes = des-cbc-crc des-crc-md5
>> default_etypes_des = des-cbc-crc des-crc-md5
>
> unless you are pretty comfortable with krb5 enc types
> and have a specific reason to use the des keys, I would
> recommend not setting those 2 lines at all on MIT
> krb 1.3.x releases.
LM Samba is compiled against MIT kerberos 1.3.x. Unfortunately, I cannot
get it to work with W2K3 without setting the above.
Actually I followed the recommendation at
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member,
and I'm not aware of any security loop-holes or drawbacks of enc types.
Would you kindly point me to proper references?
Regards,
Norman Zhang
More information about the samba
mailing list