On Sat, 2013-09-07 at 21:01 +0300, Alexander Bokovoy wrote:
> On Sat, 07 Sep 2013, Simo Sorce wrote:
> >On Thu, 2013-09-05 at 17:44 +0300, Alexander Bokovoy wrote:
> >> +       enctypes = KERB_ENCTYPE_DES_CBC_CRC |
> >> +                  KERB_ENCTYPE_DES_CBC_MD5 |
> >> +                  KERB_ENCTYPE_RC4_HMAC_MD5 |
> >> +                  KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
> >> +                  KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
> >
> >Why are we hardcoding support for *DES* enctype, we disable DES by
> >default and also Windows never uses it by default.
> This is actually a copy of the same statement from
> fill_pdb_trusted_domain().
> 
> Should I remove it?

Yes please remove DES types, is there any chance we can make this list
configurable ? (not a hard requirement, only if ti is something easy to
do, maybe as a further enhancement down the road).

> RC4 enctype will be the only one available for
> Windows 2003 trusts then...

It's the only one 2003 enables by default anyway and the only one that
we can use as DES is disabled on FreeIPA.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to