[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
Doug VanLeuven
roamdad at sonic.net
Thu Oct 14 21:16:08 GMT 2004
Gordon Hopper wrote:
> # According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
> # "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> # However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
> # default_tgs_enctypes = des-cbc-crc des-cbc-md5
> # default_tkt_enctypes = des-cbc-crc des-cbc-md5

At the time, I was working from the MS KB article on permitted enctypes
http://support.microsoft.com/default.aspx?scid=kb;en-us;296842
and the IBM AIX security guide for authenticating to a 2000 ADS domain
controller with an older version of Kerberos
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/securitytfrm.htm

It may very well be the only acceptable enctype is des-cbc-crc
considering the limitation of that version of Kerberos. But MS seems to
suggest the only acceptable enctypes for AD are rc4-hmac, des-cbc-crc
and des-cbc-md5.

Regards, Doug
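
Added example, not part of the message above and not Samba or MIT code: a check of the `[libdefaults]` enctype lists quoted in the thread against the three enctypes the post attributes to the MS KB article. The sample config, the function names and the exact-name matching (no enctype aliases) are assumptions made for the illustration.

```python
import re

# Enctypes the post says MS lists as acceptable for AD (taken from the message above).
AD_ENCTYPES = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

# Constructed sample using the first pair of settings quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # from the MIT krb5-1.2.8 admin guide
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""

def libdefaults_enctypes(conf_text):
    """Return {setting: [enctype, ...]} for the *_enctypes lines in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or krb5.conf comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.endswith("_enctypes"):
                # Lists may be separated by whitespace or commas.
                found[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return found

def check_against_ad(conf_text, accepted=AD_ENCTYPES):
    """Split each configured list into enctypes in the accepted set and the rest."""
    report = {}
    for key, etypes in libdefaults_enctypes(conf_text).items():
        report[key] = {
            "usable": [e for e in etypes if e in accepted],
            "unusable": [e for e in etypes if e not in accepted],
        }
    return report

if __name__ == "__main__":
    for key, result in check_against_ad(SAMPLE_KRB5_CONF).items():
        print(f"{key}: usable={result['usable']} not accepted={result['unusable']}")
```

A setting whose `usable` list comes back empty shares no enctype with the accepted set, so a ticket request made with it has nothing to negotiate.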