The Samba-Bugzilla – Bug 11336
The generated krb5.conf used when joining a domain contains weak enc types, some of which cannot be removed with 'enable_weak_crypto = false'
Last modified: 2015-06-17 03:41:46 UTC
Our paranoid security folks are saying that we must only allow the use
of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
I notice that the krb5.conf file generated during net ads join
includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc.
and they suggest that we should remove them from the generated
Of course, as asked on samba-technical, why are we generating this file at all?
Secondly, for those who want to join domains with W2K03 DCs, an RC4 enc type will be needed.
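
An added example (not part of the bug report and not Samba's code): a small Python check that lists every enctype in the [libdefaults] section of a krb5.conf that falls outside the AES-only set named in the report. The sample file, realm and KDC address are constructed for illustration and are not the file Samba actually generates; pass a wider allowed set where RC4 is still needed for W2K03 DCs.

```python
import re

# Allowed set taken from the report: AES only.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# MIT krb5 [libdefaults] relations that carry enctype lists.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def audit_enctypes(conf_text, allowed=ALLOWED):
    """Return [(line_no, key, enctype)] for every enctype outside `allowed`.

    Matching is by exact name (case-insensitive), so family aliases or
    +/- modifiers are reported too and need a manual look.
    """
    allowed = {e.lower() for e in allowed}
    findings, section = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()  # track the current section
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ENCTYPE_KEYS:
            continue
        # Enctype lists may be separated by whitespace and/or commas.
        for enctype in re.split(r"[,\s]+", value):
            if enctype and enctype.lower() not in allowed:
                findings.append((line_no, key, enctype))
    return findings

# Constructed sample, not the file Samba writes.
SAMPLE = """\
[libdefaults]
	default_realm = EXAMPLE.COM
	default_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC
	default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
[realms]
	EXAMPLE.COM = {
		kdc = 192.0.2.10
	}
"""
if __name__ == "__main__":
    for line_no, key, enctype in audit_enctypes(SAMPLE):
        print(f"line {line_no}: {key} lists {enctype}")
```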