The Samba-Bugzilla – Bug 11336
The generated krb5.conf used when joining a domain contains weak enc types, some of which cannot be removed with 'enable_weak_crypto = false'
Last modified: 2017-01-03 03:35:07 UTC
Our paranoid security folks are saying that we must only allow the use
of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
I notice that the krb5.conf file generated during net ads join
includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc.,
and they suggest that we should remove them from the generated
Of course, as asked on samba-technical, why are we generating this file at all?
Secondly, for those who want to join domains with W2K03 DCs, an RC4 enc type will be needed.
Fixed in commit 3fff2667ec3f12fe1263735095c1a39182b0d351 in master; it will be fixed in Samba 4.6 with the new "kerberos encryption types" parameter.
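A check for the condition reported above, as an added example that is not part of the bug report or of Samba: it scans the `[libdefaults]` section of a krb5.conf and lists every enctype outside the two AES types the reporter's policy allows. The function name, the key-matching rule and the sample file are assumptions made for illustration.

```python
import re

# Policy stated in the report: only these two enctypes may appear.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# Short aliases MIT krb5 accepts for the same two enctypes.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}
# Assumption: a [libdefaults] key ending in "enctypes" or "etypes" holds an enctype list.
KEY_RE = re.compile(r"^([A-Za-z_]*(?:enctypes|etypes))\s*=\s*(.*)$")


def audit_krb5_conf(text):
    """Return [(line_no, key, [disallowed enctypes])] found in [libdefaults]."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        m = KEY_RE.match(line)
        if section != "libdefaults" or not m:
            continue
        # Enctype lists may be separated by whitespace or commas; names are case-insensitive.
        names = [n.lower() for n in re.split(r"[\s,]+", m.group(2)) if n]
        bad = [n for n in names if ALIASES.get(n, n) not in ALLOWED]
        if bad:
            findings.append((no, m.group(1), bad))
    return findings


# Constructed sample in the style of a join-time krb5.conf; not copied from the bug.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    preferred_enctypes = AES256-CTS-HMAC-SHA1-96, rc4-hmac
[realms]
    EXAMPLE.COM = { kdc = 192.0.2.10 }
"""

if __name__ == "__main__":
    for no, key, bad in audit_krb5_conf(SAMPLE):
        print(f"line {no}: {key} allows {' '.join(bad)}")
```

An empty result means every enctype list in `[libdefaults]` stays within the AES-only policy; as the thread notes, domains with W2K03 DCs still need an RC4 enctype, so findings there may be intentional.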