Bug 11336 - The generated krb5.conf used when joining a domain contains weak enc types, some of which cannot be removed with 'enable_weak_crypto = false'
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.2.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2015-06-17 03:41 UTC by Richard Sharpe
Modified: 2015-06-17 03:41 UTC
Description Richard Sharpe 2015-06-17 03:41:46 UTC
Our paranoid security folks are saying that we must only allow the use
of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

I notice that the krb5.conf file generated during net ads join
includes some other, weaker enc_types like RC4-HMAC, DES-CBC-CRC, etc.,
and they suggest that we should remove them from the generated
krb5.conf.

Of course, as asked on samba-technical, why are we generating this file at all?

Secondly, for those who want to join domains with W2K03 DCs, an RC4 enc type will be needed.
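
An added example, not part of the original report and not Samba code: a small audit that lists every enctype in the [libdefaults] section of a krb5.conf that is not one of the two AES enctypes named above. The sample file, the realm and KDC names, and the function name audit_enctypes are constructed for illustration.

```python
import re

# Allow-list taken from the report: only these two enctypes are acceptable.
# Anything else, including short aliases, is reported so it can be reviewed.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# Constructed sample, not the exact file written during `net ads join`.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
    # permitted_enctypes = des-cbc-md5

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

def audit_enctypes(conf_text, allowed=ALLOWED):
    """Return {option: [enctypes not on the allow-list]} for [libdefaults]."""
    findings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # track the current section
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.lower().endswith("enctypes"):
            continue
        # Lists are separated by whitespace and/or commas; names are
        # compared case-insensitively.
        names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
        bad = [n for n in names if n not in allowed]
        if bad:
            findings.setdefault(key, []).extend(bad)
    return findings

if __name__ == "__main__":
    for option, bad in audit_enctypes(SAMPLE_KRB5_CONF).items():
        print(f"{option}: not allowed -> {', '.join(bad)}")
```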