[Samba] Kerberos Keytab Code Update in 3.0.23

Doug VanLeuven roamdad at sonic.net
Sat Jul 22 03:09:04 GMT 2006


Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Doug,
> 
> Thanks for testing this.

OK.

>> I then removed support for rc4 in enctypes in /etc/krb5.conf.
>> Edited the machine acct and added the flag for des_only.
>> The domain controller can't browse the samba server.  Get
>> the password dialog box.
>>
>> This method used to work.  I'll get an older version of
>> samba and verify that with the current 2003 including
>> current SP and security patches.
> 
> Did you enable the DES trick in the Windows 2003
> registry ?  Otherwise Windows 2003 will always use
> RC4-HMAC regardless of the DES_ONLY flag.  That's what
> I've found at least.


Do you mean KdcUseRequestedEtypesForTickets = 1 in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ?


If so, since 2004, plus the then hotfix.

If not, then you'll have to let me know what the trick is :-)

Regards, Doug



More information about the samba mailing list