Gordon Hopper wrote:
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5
At the time, I was working from the MS KB article on permitted enctypes http://support.microsoft.com/default.aspx?scid=kb;en-us;296842
and the IBM AIX security guide for authenticating to a 2000 ADS domain controller with an older version of Kerberos
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/securitytfrm.htm
It may very well be that the only acceptable enctype is des-cbc-crc, considering the limitation of that version of Kerberos. But MS seems to suggest the only acceptable enctypes for AD are rc4-hmac, des-cbc-crc and des-cbc-md5.
Regards, Doug
