[Samba] Samba 4 and new Kerberos version

Gémes Géza geza at kzsdabas.hu
Thu Feb 9 11:14:14 MST 2012


On 2012-02-08 09:29, steve wrote:
> On 07/02/12 20:52, Gémes Géza wrote:
>> On 2012-02-07 16:07, steve wrote:
>>> On 07/02/12 12:01, Andrew Bartlett wrote:
>>>> On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
>>>>> I just got this from the mit list:
>>>>>
>>>>> <quote>
>>>>> DES transition
>>>>> ==============
>>>>>
>>>>> The krb5-1.8 release disables single-DES cryptosystems by default.
>>>>> As a result, you may need to add the libdefaults setting
>>>>> "allow_weak_crypto = true" to communicate with existing Kerberos
>>>>> infrastructures if they do not support stronger ciphers.
>>>>>
>>>>> </quote>
>>>>>
>>>>> Does/will this apply to us?
>>>> Heimdal did this a long time ago, so yes.  If you wish to use DES, you
>>>> have to set that in your krb5.conf.
>>>>
>>>> Andrew Bartlett
>>>>
>>> Hi
>>> I'm using S4 out of the box on openSUSE 12.1. All the Kerberos
>>> transactions seem to choose arcfour.
>>> Does the des stuff apply to me?
>>> Thanks,
>>> Steve
>>>
>> Hi,
>> You need to enable weak crypto if you want to use kerberos with apps
>> which depend on des (e.g. nfs, openafs).
>> Regards
>> Geza
> Mmm. That's what I thought. I added that line to krb5.conf before
> using nfs. I commented it and it still works. The s4 nfs transactions
> seem to choose arcfour, not des. I can't find this documented anywhere
> but noises on the nfs kernel list suggest that the weak crypto is not
> now necessary. Will leave the line commented until nfs explodes at
> some stage.
> Cheers,
> Steve
>
Could have been fixed. I've used nfs with gss/krb a few years ago when it
was working with des-cbc-crc only, have migrated to openafs since then.

Cheers

Geza
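
Added example, not part of the original thread and not Samba, MIT or Heimdal code: a check for the setting discussed above that reads the [libdefaults] section of a krb5.conf and reports whether allow_weak_crypto is switched on and which enctype lists still name single-DES types. The function names, sample configs and realm are constructed for illustration; the single-DES names and boolean spellings checked are an assumption based on MIT krb5's documented values.

```python
import re

# Assumed single-DES enctype names in MIT krb5 ("des" is the family alias).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_weak_crypto(text):
    """Report the allow_weak_crypto state and enctype lists naming single DES."""
    conf = parse_libdefaults(text)
    allowed = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    single_des = {}
    for key in ENCTYPE_KEYS:
        names = re.split(r"[\s,]+", conf.get(key, "").lower())
        hits = sorted(n for n in names if n in SINGLE_DES)  # "-des" removals never match
        if hits:
            single_des[key] = hits
    return {"allow_weak_crypto": allowed, "single_des": single_des}

# Constructed sample: the line active, then commented out as described in the thread.
SAMPLE_ENABLED = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
    permitted_enctypes = arcfour-hmac des-cbc-crc
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""
SAMPLE_COMMENTED = SAMPLE_ENABLED.replace("allow_weak_crypto", "# allow_weak_crypto")

if __name__ == "__main__":
    for name, text in (("enabled", SAMPLE_ENABLED), ("commented", SAMPLE_COMMENTED)):
        print(name, audit_weak_crypto(text))
```

A result with allow_weak_crypto false and a non-empty single_des map points at leftover DES entries that the library default would no longer honour.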
