[Samba] Samba 4 and new Kerberos version
steve at steve-ss.com
Wed Feb 8 01:29:02 MST 2012
On 07/02/12 20:52, Gémes Géza wrote:
> 2012-02-07 16:07 keltezéssel, steve írta:
>> On 07/02/12 12:01, Andrew Bartlett wrote:
>>> On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
>>>> I just got this from the mit list:
>>>> DES transition
>>>> The krb5-1.8 release disables single-DES cryptosystems by default. As
>>>> a result, you may need to add the libdefaults setting
>>>> "allow_weak_crypto = true" to communicate with existing Kerberos
>>>> infrastructures if they do not support stronger ciphers.
>>>> Does/will this apply to us?
>>> Heimdal did this a long time ago, so yes. If you wish to use DES, you
>>> have to set that in your krb5.conf.
>>> Andrew Bartlett
>> I'm using S4 out of the box on openSUSE 12.1. All the Kerberos
>> transactions seem to choose arcfour.
>> Does the des stuff apply to me?
> You need to enable weak crypto if you want to use kerberos with apps
> which depends on des (e.g nfs, openafs).
Mmm. That's what I thought. I added that line to krb5.conf before using
nfs. I commented it and it still works. The s4 nfs transactions seem to
choose arcfour, not des. I can't find this documented anywhere but
noises on the nfs kernel list suggest that the weak crypto is not now
necessary. Will leave the line commented until nfs explodes at some stage.
More information about the samba