On Wed, Mar 29, 2023 at 5:01 PM Pieter Voet wrote:
> So, that should be it... I now have to get to the Active Directory
> department on my corporate environment and ask them to set the flag
> for me, because it seems that only Administrator can set the flag
> (if not customized), even if you (
Hi Folks,
I'm nominally aware that the ability for adcli joins to honor custom enctypes
became a thing around 2018, but I'm having a heck of a time finding guidance
online for setting permitted enctypes so that keytabs don't create keys for DES
and RC4.
Our environment uses a mixture of SSSD
Kodiak,
I'm actually in the midst of this now. Our company is running a
'deprecated protocols' project, where they're trying to eliminate rc4
encryption, SNMPv1, v2c and a few other weak protocols I won't mention here.
For AD, that eventually means changing the LDAP attribute
Hi Spike,
Thanks a lot for your findings! I appreciate your effort.
I also played around with the TRUSTED_FOR_DELEGATION flag on the machine
account, and yes, it looks like the behaviour is consistent.
(I had a case where I got a TGT without the TRUSTED_FOR_DELEGATION flag set on
the machine