On Sat, 2013-09-07 at 21:01 +0300, Alexander Bokovoy wrote: > On Sat, 07 Sep 2013, Simo Sorce wrote: > >On Thu, 2013-09-05 at 17:44 +0300, Alexander Bokovoy wrote: > >> + enctypes = KERB_ENCTYPE_DES_CBC_CRC | > >> + KERB_ENCTYPE_DES_CBC_MD5 | > >> + KERB_ENCTYPE_RC4_HMAC_MD5 | > >> + KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | > >> + KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96; > > > >Why are we hardcoding support for *DES* enctype, we disable DES by > >default and also Windows never uses it by default. > This is actually a copy of the same statement from > fill_pdb_trusted_domain(). > > Should I remove it?
Yes please remove DES types, is there any chance we can make this list configurable? (not a hard requirement, only if it is something easy to do, maybe as a further enhancement down the road).

> RC4 enctype will be the only one available for
> Windows 2003 trusts then...

It's the only one 2003 enables by default anyway and the only one that we can use as DES is disabled on FreeIPA.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
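
Review bot: the enctypes mask in the quoted hunk hardcodes KERB_ENCTYPE_DES_CBC_CRC and KERB_ENCTYPE_DES_CBC_MD5 as its first two flags, although the thread states DES is disabled by default on FreeIPA. Suggest dropping both DES flags so the mask is KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96, and making the same change in fill_pdb_trusted_domain(), which the reply says this statement was copied from, so the two do not diverge. A one-line comment noting that RC4 is kept for Windows 2003 trusts would document why the weakest remaining enctype is still in the list.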