Bug 11336 - The generated krb5.conf used when joining a domain contains weak enc types, some of which cannot be removed with 'enable_weak_crypto = false'
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.2.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-17 03:41 UTC by Richard Sharpe
Modified: 2017-01-03 03:35 UTC
Description Richard Sharpe 2015-06-17 03:41:46 UTC
Our paranoid security folks are saying that we must only allow the use
of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

I notice that the krb5.conf file generated during net ads join
includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc
and they suggest that we should remove them from the generated
krb5.conf.

Of course, as asked on samba-technical, why are we generating this file at all?

Secondly, for those who want to join domains with W2K03 DCs, an RC4 enc type will be needed.
Comment 1 Andrew Bartlett 2017-01-03 03:35:07 UTC
Fixed in commit 3fff2667ec3f12fe1263735095c1a39182b0d351 in master, will be fixed in Samba 4.6 with the new "kerberos encryption types" parameter.
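A check a domain admin can run against the krb5.conf written by "net ads join" to confirm it lists only the two AES enctypes the report asks for. This is an added example, not Samba's code or the fix in the commit above; the two krb5.conf fragments are constructed, and the AES-only allowlist is an assumption taken from the report's policy (on Samba 4.6 and newer the generated file is controlled by the "kerberos encryption types" smb.conf parameter instead).

```python
import re

# AES-only policy from the report (constructed allowlist for this check).
ALLOWED_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# [libdefaults] keys that carry enctype lists in an MIT-style krb5.conf.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample in the shape of the file "net ads join" used to write:
# AES types listed next to RC4 and DES ones.
GENERATED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""
# Constructed hardened version: the same file restricted to the two AES types.
HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

def parse_libdefaults_enctypes(text):
    """Return {key: [enctype, ...]} for the enctype lists under [libdefaults]."""
    found = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in ENCTYPE_KEYS:
            # MIT accepts space- or comma-separated names, matched case-insensitively.
            found[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return found

def weak_enctypes(text, allowed=ALLOWED_ENCTYPES):
    """Map each enctype key to the names outside the allowlist. This is independent
    of MIT's allow_weak_crypto, which drops DES types but keeps rc4-hmac."""
    return {key: [e for e in names if e not in allowed]
            for key, names in parse_libdefaults_enctypes(text).items()}

def is_aes_only(text):
    """True when every enctype list in [libdefaults] stays within the allowlist."""
    return not any(weak_enctypes(text).values())
```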