Doug,

Thanks for testing this.

> 2003 Enterprise server
> security = ADS
> idmap backend = ad
> winbind nss info = template sfu
>
> I joined an FC3 using rc4 all is smooth and browsable.
>
> I then removed support for rc4 in enctypes in /etc/krb5.conf.
> Edited the machine acct and added the flag for des_only.
> The domain controller can't browse the samba server. Get
> the password dialog box.
>
> This method used to work. I'll get an older version of
> samba and verify that with the current 2003 including
> current SP and security patches.

Did you enable the DES trick in the Windows 2003 registry?
Otherwise Windows 2003 will always use RC4-HMAC regardless
of the DES_ONLY flag. That's what I've found at least.

> I then commented out the defines in /usr/include/krb5.h
> for ENCTYPE_ARCFOUR. Then configure & make to have a version
> of samba where the ifdefs would trigger for des-only code.
> This version won't join the domain.

Yes. There is a problem with DES session keys in CIFS sessions.
That's a known issue on RHEL3 at least. I'm still trying to
track it down.

> I can try net keytab add on permutations, but don't
> have the time until this weekend.

Thanks. I'll be around this weekend as well :-)

> Des only may be a dinosaur for most modern kerberos, but
> it might be important to eliminate dependency on rc4.
> I've been told longhorn will include encryption types
> that use salts and depending on the admin environment
> they may want to run non-rc4. There may also be legacy
> consideration where the kerberos server is unix based.

DES session keys are an issue for RHEL3 so I will get that
fixed but it will require more investigation.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?"
--Balian