[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro

Doug VanLeuven roamdad at sonic.net
Thu Oct 14 21:16:08 GMT 2004

Gordon Hopper wrote:

> # According to 
> http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
> # "the only supported encryption types are des3-hmac-sha1 and 
> des-cbc-crc."
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> # However, 
> http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
> # default_tgs_enctypes = des-cbc-crc des-cbc-md5
> # default_tkt_enctypes = des-cbc-crc des-cbc-md5 

At the time, I was working from the MS KB article on permitted enctypes

and the IBM AIX security guide for authenticating to a 2000 ADS domain 
controller with an older version kerberos

It may very well be the only acceptable enctype is des-cbc-crc 
considering the limitation of that version of kerberos.  But MS seems to 
suggest the only acceptable ecntypes for AD are rc4-hmac, des-cbc-crc 
and des-cbc-md5

Regards, Doug

More information about the samba mailing list