[Samba] Samba 3.4 Panic in Debian

Steve Langasek vorlon at debian.org
Wed Jan 27 13:45:11 MST 2010

On Wed, Jan 27, 2010 at 05:13:37PM +0100, Volker Lendecke wrote:
> > > > OK.  Then I currently have no idea why allow_weak_crypto would be
> > > > desirable for Samba.

> > > In the case of AD realms that were continuously upgraded from NT4 domains,
> > > you may have accounts only using RC4 as an enctype for
> > > backwards-compatibility with pre-AD systems.  I don't know if this is the
> > > reason these users are seeing problems, but it's the only case I can think
> > > of why allow_weak_crypto should be needed.

> > Sorry, having looked at the source now, I see that the weak crypto handling
> > is specific to DES, not RC4; and if Samba were *only* using RC4, this error
> > would not happen.

> > However, Samba requests both RC4 and DES, a historical remnant of the time
> > when DES was the only enctype in common between all Kerberos
> > implementations.

> Referring to the SUBJECT: Where is this leading to a panic
> in Samba 3.4, I got lost in the meantime.

I'm afraid I don't know.  I was cc:ed on this somewhat mid-thread, and
haven't seen any panics; what I know about is http://bugs.debian.org/566977,
which reports that after upgrade to MIT Kerberos 1.8alpha1, samba domain
joins are failing because of the need for allow_weak_crypto to be set before
setting DES tgs enctypes is permitted.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 828 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20100127/054e4884/attachment.pgp>

More information about the samba mailing list