On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison <[email protected]> wrote:
> On Sat, Feb 13, 2010 at 01:35:12PM -0600, [email protected]
> wrote:
>> Alex,
>>
>> I've been a victim of this since Day 1. After a lot of reading and
>> emailing, it comes down to this. libkrb5-3 version 1.8x by default
>> disallows DES encryption. /etc/krb5.conf can be changed to allow weak
>> encryption, but as it relates to Samba, is only effective in letting the
>> system join the domain. For it's internal functioning, winbind uses an
>> autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has
>> no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of
>> libkrb5-3 in Debian, has taken over the responsibility of fixing that
>> package, rather than the Samba maintainers doing a change there. In the
>> interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope
>> this fix is soon coming.
>
> In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> if this private krb5.conf file is created or not. Would it be helpful
> for this to be back ported to earlier versions ?
>
> Jeremy.
i do not want any weak encryption on my systems.
If "create krb5 conf = no" in smb.conf means, that i can
specify RC4 and AES in /etc/krb5.conf and then winbind will honor and
not create a ghost krb5.conf.NEBIOSDOMAINNAME, i would greatly
appreciate it being backported.
Of course, i run CentOS 5 and that uses 3.0.33. How far back is realistic?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
